Network Solutions Breach Revives PCI DebateIf Firms are PCI Compliant, Why are They Getting Breached?
At the time of the breach, discovered in June, Network Solutions says it was PCI compliant. The breach was the result of hackers planting rogue code on the company's web servers, intercepting financial transactions between the sites and their customers, which are mostly small online stores.
So, if Network Solutions was PCI compliant, how could it be breached? Paul Kocher, chief research scientist at Cryptography Research Institute, says the fundamental limitation with PCI is that it attempts to distill security down into a static set of requirements, while adversaries aren't restricted to a rigidly-defined set of methods. "As a result, clever attackers will always find holes," he says. "PCI does provide some value by forcing merchants to put some effort into addressing the most common attacks, but the objective is to reduce total risk -- not stop all attacks."
Changes that would increase the burden on merchants could raise the bar further, Kocher notes, "Although it's not clear how much impact this will have on actual fraud rates." At this point, he sees no sign that security standards are anywhere near close to putting fraudsters out of business, and forcing them to work a bit harder doesn't necessarily mean they'll actually steal less. Kocher sees the most effective anti-fraud step the U.S. card industry could take would be to make a real effort to adopt smart cards. The secrets needed to copy stay in the chip, and terminals for card-present transactions simply do not have access to the secrets.
PCI Flawed From The Start?
PCI has been flawed from its very start, says Avivah Litan, a Gartner Distinguished analyst and information security expert. She offers these reasons:
- The standard relies largely on qualified data security assessors. "But there is no effective process in place to ensure the quality of the assessors themselves," she says.
- Assessors bear no liability or responsibility if they get the assessment wrong, Litan notes.
- PCI puts all the security responsibility on the retailers and payment processors, she says, while "Nothing gets done to change and update the core security of the payment system, which suffers from an antiquated decades-old architecture, itself."
The banks and card brands need to do their share to strengthen the security of the payment system by implementing end-to-end encryption and stronger cardholder authentication, Litan says.
While the industry awaits those much needed changes, PCI should and must be improved. "It's basically written as a one-size-fits-all standard," Litan says. The same standard applies to a mom-and-pop ecommerce store and to a global multinational retailer with thousands of stores and hundreds of thousands of point-of-sale terminals, she says. "It needs to be tailored to different scenarios, depending on the inherent card acceptor/processor risk and system configuration."
PCI Not Broken
Matt Davis, Audit and Compliance principal practice lead at SecureState, the Cleveland, Ohio risk management assessment firm, says PCI isn't "broken." He points to the Heartland Payment Systems data breach as one example. "Using the Heartland breach , we can figure out what happened," Davis says. "The basic problem was registers with malware that were sending credit card numbers back to China."
According to the PCI standards, Davis says, anti-malware needs to be in place. "The only problem with the standards is it used to say 'for systems commonly affected,' which really meant MS Windows. The affected systems were Linux and thus the standard was fixed to say all systems. But was that really the problem?"
PCI uses a layered approach because individual controls can fail, Davis explains. "So if malware breaks in, the firewall still works in this scenario. There is a big difference between compliance to the DSS and having validated compliance through an audit and scans. Their organization and their assessor 'thought' they were compliant to the standard, but they weren't." The failure was one of diligence by one or both parties, he observes.
The failure was not the PCI, but rather with the QSA and/or Heartland, Davis believes. "PCI does have a 'Safe Harbor' clause that states you won't be fined if you can prove you are compliant to the entire standard at the time of breach, as demonstrated by a forensics investigation," he says. "That's a pretty high bar, and to be honest, one we do not see being hurdled when the investigation is performed. I'd be willing to bet that we'll find something like that with Network Solutions too."
PCI Doesn't Mean 'Breach-Free'
It's a mistake for anyone to equate "compliant" with "impossible to breach," says David Taylor, CISSP and founder of PCI Knowledge Base.
There is no way that a committee that has to consider what is "reasonable" and "affordable" to its members and the industry as a whole can possibly design a set of standards that can prevent one clever hacker from figuring out a way to break in, then sharing his/her hack with millions via the Internet, Taylor says.
The PCI-DSS can be tightened -- such as by requiring encryption over private networks, and not forcing merchants to decrypt card data so it can be received by processors and the card brands, Taylor notes. He agrees with Litan that the standards have pushed compliance expenditures onto the merchant community.
The Network Solutions breach should be a lesson to all banks and service providers that rely on companies to host their e-commerce sites that it's insufficient to ask just once per year "Are you guys still PCI compliant?"
Financial services firms and merchants need to engage in a detailed quarterly review of service providers to better understand what is specifically being done by the service providers to protect their data, at rest and in transit, he says.
Litan sees two fundamental technologies that can strengthen the core security of the payment systems:
- End-to-end encryption, where the first end is the card acceptor, and the second end is the card issuer -- not an intermediary, like a payment processor. This is akin to the way PIN encryption works today. The data is encrypted at the card swipe and decrypted only by the card issuer.
- Stronger dynamic cardholder authentication, so that a card cannot be used without a dynamic (changing) credential only known to the cardholder.
For more on the PCI debate, see: PCI Debate: How Do We Raise the Bar on Security?