Merchant Data Protection Is Dangerously Inadequate

You would think by now most merchants would know how to protect payment card information.

However, according to the recent Verizon 2015 PCI Compliance Report, only 20% of businesses passed their most recent PCI compliance assessments.  While this is better than the 10% compliance rate cited in the 2014 report, it’s important to note that of all the breaches reported by Verizon last year, “not a single company has been found to be compliant at the time of the breach,” underscoring the importance of PCI DSS compliance.

The Payment Card Industry Data Security Standard demands cardholder data is protected and that strong access controls and authentication be put in place by merchants.  Both of these requirements are essential to prevent a data breach, but they are also the hardest to comply with.

These challenges are predominantly met with “compensating controls” which by PCI Security Standards Council definition should “provide a similar level of defence as the original PCI DSS requirement,” but are open to interpretation and as a result are often fundamentally vulnerable to attackers successfully attacking authentication and login processes to steal data.

The Verizon report identifies that compliance alone is not enough; the sheer veracity of attacks seen over the previous year is evidence that current data securities are inadequate.

Instead the report suggests that compliance “is a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security.” Attackers are advancing their game, working around compliance controls to always be one step ahead of the security level achieved by regulation and industry standards.

Clearly, we are losing the battle against the bad guys. According to the Verizon 2014 Data Breach Investigations Report, “a PwC survey of 9,700 companies found that they’d detected nearly 43 million security incidents in 2014, a compound annual growth rate of 66% since 2009.” Just a brief scan of news headlines shows that a variety of different industries have a growing problem with data breaches.

More worrying is the fact that attackers are moving on from stealing PCI data and are increasingly seeking personally identifiable information (PII).  This is likely happening because PII can potentially be 50 times more valuable to an attacker than card holder records. In the well-publicized Anthem BlueCross BlueShield breach, a treasure trove of PII data was accessed, including names, birthdates, Social Security numbers, medical IDs, street and e-mail addresses and employee data, including income. 

With that information criminals can open up new credit card accounts, file false tax returns, take out loans, buy a car, obtain controlled substances, commit insurance fraud, attempt blackmail or steal your identity entirely to conduct other illegal activities in your name.  Unlike credit card data that is short-lived and can easily be changed or updated if breached, PII is long-lived and will always be valuable to those wishing to exploit it. 

It’s important for all organizations that collect credit card and other sensitive data to not only follow PCI and privacy guidelines, but go beyond them, as they are just a baseline or minimum of acceptable security.

Compliant and responsible organizations are taking a data-centric approach to both PCI and PII data security by encrypting data to protect it in the event of a breach. Forward looking organizations are going one step further by implementing tokenization technology, replacing real data with substitute data that has no value to an unauthorised user. Tokenization reduces PCI scope and applied as a methodology enterprise-wide is a cost effective way to protect all sensitive data and prevent data theft.

Ulf Mattsson is Chief Technology Officer of Protegrity.