Protecting the Digital Economy’s ‘Soft Underbelly’

That most basic human activity, selling and buying, is undergoing hefty changes these days — and I’m not referring to the buzz around the quixotic Bitcoin currency and its issues of legality and volatility, or the fact that most of the world’s ATMs still run on Microsoft Windows XP. I’m talking about the ‘trust relationship’ between a buyer and remote, unknown sellers. Some pundits have coined the term ‘The Experience Economy’ to describe our increased willingness to accept risk in order to get a pleasurable experience out of a transaction.

We know that fraud levels in our digital economy continue to rise. The Nilson Report (2013) puts the 2012 global card fraud figure at $11bn — up from $3bn in 2000. We accept the risk because of the sheer convenience of the process, and because banks are willing to absorb most of the losses at the front end while charging consumers higher fees at the back end. With 74% of cyber-attacks on retail, accommodation, and food services companies targeting payment card information, card data is the soft underbelly of electronic shopping.

On the merchant side, many companies rely on PCI-DSS 2.0 (the Payment Card Industry Data Security Standard) to protect our payment and personal information. It is an industry standard built around 12 requirements, defining information security measures for any organization that stores, processes, or transmits cardholder data for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Verizon’s 2014 PCI Compliance Report gives an inside look at the sector’s ability to protect this information, based on ‘detailed quantitative results from hundreds of compliance assessments carried out by our PCI Security practice across hundreds of sites between 2011-2013’, and supplemented with data from Verizon’s 2013 Data Breach Investigations Report.

Of the companies claiming to be PCI-DSS compliant in 2013, Verizon found that only 11% were compliant with all 12 requirements. However, there was a significant improvement over 2012 in the percentage of organizations that met at least 80% of the controls and sub-controls specified: it rose from just 32% in 2012 to 82% in 2013.

PCI-DSS compliance is a contractual obligation to the card brands rather than a legal requirement, and Europe lags behind the US and Asia in PCI-DSS adoption. This may be due to complacency born of the better chip-and-PIN card security, or because the mandatory SEPA (Single Euro Payments Area) regulations have higher priority.

The most serious issue facing companies that opt for PCI-DSS compliance is clearly Requirement 11: regular testing of security systems and processes. It requires organizations to run a sustainable network and application vulnerability management program, including quarterly internal and external vulnerability scans and annual penetration tests, with rescans until a passing result is obtained. Most organizations that suffered a data breach in 2013 weren’t compliant with Requirement 11.
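Requirement 11 turns on two mechanical questions that a compliance team can automate: does the latest scan pass, and has a passing scan happened within the quarter? The following Python is an added illustration, not code from the Verizon report or the PCI SSC. It applies the ASV passing rule (a CVSS base score of 4.0 or higher on an in-scope host fails the scan) and treats ‘quarterly’ as a trailing 90-day window; the threshold, the window, the host names and the findings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# PCI ASV Program Guide: an external scan fails if any in-scope finding has a
# CVSS base score of 4.0 or higher (used here as the passing criterion).
ASV_FAIL_THRESHOLD = 4.0
# "At least quarterly" is modelled as a trailing 90-day window (an assumption).
QUARTER_DAYS = 90


@dataclass(frozen=True)
class Finding:
    host: str
    title: str       # constructed label, not a real vulnerability identifier
    cvss: float
    in_scope: bool   # True if the host stores, processes or transmits cardholder data


@dataclass(frozen=True)
class ScanRun:
    scanned_on: date
    findings: Tuple[Finding, ...]


def failing_findings(findings, threshold: float = ASV_FAIL_THRESHOLD) -> List[Finding]:
    """In-scope findings at or above the failing CVSS threshold."""
    return [f for f in findings if f.in_scope and f.cvss >= threshold]


def scan_passes(run: ScanRun, threshold: float = ASV_FAIL_THRESHOLD) -> bool:
    """A scan passes only when no in-scope finding reaches the threshold."""
    return not failing_findings(run.findings, threshold)


def cadence_ok(runs, today: date, window_days: int = QUARTER_DAYS) -> bool:
    """True if at least one passing scan falls inside the trailing window.

    A failed scan does not count: Requirement 11.2 expects rescans until a
    passing result is obtained, so a quarter with only failed scans is overdue.
    """
    cutoff = today - timedelta(days=window_days)
    return any(cutoff <= r.scanned_on <= today and scan_passes(r) for r in runs)


def requirement_11_status(runs, today: date) -> Dict[str, object]:
    """Summarise the scan programme against the two checks above."""
    latest = max(runs, key=lambda r: r.scanned_on)
    return {
        "latest_scan": latest.scanned_on.isoformat(),
        "latest_passes": scan_passes(latest),
        "open_failures": [(f.host, f.title, f.cvss) for f in failing_findings(latest.findings)],
        "quarterly_cadence_met": cadence_ok(runs, today),
    }


# Constructed sample data for illustration; hosts and findings are invented.
SAMPLE_RUNS = (
    ScanRun(date(2013, 10, 1), ()),                      # clean scan, previous quarter
    ScanRun(date(2014, 1, 10), (
        Finding("pos-gw-01", "finding A", 7.5, in_scope=True),       # fails the scan
        # Assumed out of scope; it would not be if it shared a hypervisor with the CDE.
        Finding("intranet-wiki", "finding B", 9.0, in_scope=False),
    )),
    ScanRun(date(2014, 2, 5), (                          # rescan after remediation
        Finding("pos-gw-01", "finding C", 3.9, in_scope=True),       # below threshold: passes
        Finding("intranet-wiki", "finding B", 9.0, in_scope=False),
    )),
)

if __name__ == "__main__":
    for label, today in (("in window", date(2014, 3, 1)), ("overdue", date(2014, 6, 1))):
        print(label, requirement_11_status(SAMPLE_RUNS, today))
```

Note that the out-of-scope host carries the highest score in the data set and is ignored entirely; the scope decision is therefore doing real security work, which is exactly why mixed virtualized environments are awkward to assess.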

Looking ahead, there are also important issues for PCI-DSS 3.0 to address. The 2.0 standard gives little guidance on securing the mobile payment systems that are emerging fast. Some retail organizations have started to pilot mobile payment applications in their environments, but the PCI SSC (PCI Security Standards Council) stopped all certification reviews for mobile payment applications in 2011 for lack of clear requirements. That leaves the mobile transfer of cardholder data as a significant unaddressed risk.

Another area is securing virtualized environments and multi-tenant clouds, where mixed environments (in-scope and out-of-scope systems) are hosted on the same physical server. Sharing a hypervisor with a system in the cardholder data environment generally brings the hypervisor, and potentially its neighbouring guests, into scope.

PCI-DSS is still evolving and, like most standards, it is behind the curve of leading-edge attackers. But that matters less than it seems: Verizon found that less than 1% of breaches used tactics rated ‘high’ on its difficulty scale, whereas 78% of the techniques used fell into the ‘low’ or ‘very low’ categories.

PCI-DSS is much more than a tick-in-the-box for the company board, but compliance does not guarantee protection against the theft of payment card details; that requires continued vigilance. So company boards in retail, e-commerce, and other industries handling card payments need to include PCI-DSS compliance programs as part of a broader regime that also addresses the outstanding virtualization and mobility issues in their GRC (Governance, Risk, Compliance) strategy.

Image credit:  Sergey 3RR0RZ (500px.com) / CC-BY-SA