PCI in the Age of Heartland

In March, Visa announced that it was removing Heartland and RBS WorldPay, two credit card processors that had experienced major data breaches in the prior months, from its list of PCI-compliant companies.

The action is seen by many in the industry as being mainly for show (and, according to some cynics, to distance the company from possible litigation), but the removal of the processors brings attention to the very real limits of PCI as a data protection standard — as well as to the glaring gaps for data protection at all points in the transaction cycle.

Many Americans learned about processors with the announcement of the Heartland breach in January, which unintentionally gave many consumers an unwelcome education about the path of their credit card information after a purchase. Transactions from all credit card issuing companies go to these super storehouses for consolidation before being reconciled with Visa, MasterCard, American Express and others. This consolidation makes sense from a business standpoint, but what is really mind-blowing for those of us in the security industry was that the credit card data was left so exposed — for any length of time at any place along the transaction.

Although the exact details of the Heartland breach and compliance issues have not been made public, it is widely believed that credit card data was exposed and noncompliant during its time on the Heartland server.

It is staggering that retailers and others processing credit cards are required to protect all transactions in order to be in compliance with the points of PCI, yet once the transactions get to the “super-processors” such as Heartland, these requirements are apparently not systematically enforced — or even required, at some points. The more data you handle, the lower the security bar, or so it seems.

Mind the Endpoints

The issues and vulnerabilities of PCI are representative of a “meta-issue” in security: Where do you place protection? For many years, the answer was at the endpoints, meaning you secure any place that a person can access the data — from the cash register, to the network, to the people transporting physical files (such as in financial services).

However, from a network standpoint, many vulnerabilities across the enterprise place data in danger. One example is SQL injection attacks, which exploit a known weakness in database application coding to allow hackers access to a network and databases. In the case of Heartland, it was malware designed to grab and send data (believed to be linked to a global cybercrime syndicate) that caused the breach.

The security of the network is no longer something that the industry can rely on, and processors, given the valuable nature of the data they work with, will always be a target for criminals. In today’s world, security officers need to examine how they can be effective in this threat environment, specifically in protecting the prized data that the thieves are going after.

Consumers generally had no idea that their information was being exposed during its time at the processors. Retailers, however, have been aware of this risk for some time; the protection that data receives at a processor has been a sticking point with many retailers and others accepting credit card transactions.

It makes sense that retailers, especially some of the smaller ones, would be angered that after undertaking the painstaking efforts to comply with PCI, they see their efforts weakened during the transaction time at the processor. What is even more disturbing is that dangerous vulnerabilities became very well known to organized crime elements and hackers who famously exploited the weaknesses at the two processors.

Enter the New Data Thief

The past few years have seen a quiet dimming of proof-of-concept hacks, which occurred in large part to publicize individuals and groups in the security industry. A Central European group has recently been using database attacks to embarrass a number of security vendors themselves, however, by defacing their Web sites.

The more sinister threat environment, which has emerged over the past two years, involves well-organized criminal gangs that grab data with the sole purpose of using it fraudulently. The “2009 Verizon Data Breach Investigations Report” outlined the change, finding that 93 percent of all electronic records breaches occurred in the financial services industry, with 90 percent of the breaches tied to organized crime.

All companies that use credit card data should assume that there is someone trying to gain access to these records at all times, therefore. They will often be right.

Security From the Database Up

So, what is needed here?

Heartland, for one, is looking at encryption as the answer. PCI has not been enthusiastic about encryption as a protection measure in the past, but the increase in threats, combined with the multiple points of vulnerability inherent in PCI, may very well change this view. Yet this, too, is an incomplete measure. So often are major breaches enabled by staff that encryption alone, like every other authentication approach, will never be enough to keep data safe.

Since financial data will always be attractive to thieves, it makes sense to place additional levels of protection around the place where data spends the majority of its time — at the database itself, of course, and at the applications that process it. This data-centric approach involves layers of protection from the database up, rather than from the network down. What is gained are extra levels of protection where it can be most effective.

So, if malware should get through to a poorly secured wireless network router, or if a hacker should successfully subvert a weak Web application to acquire a base from which to launch an SQL injection attack, then the database would still be a secure repository of the organization’s sensitive data. Small amounts of data might still be vulnerable in transit to a long, slow breach (such as the TJX loss), but there would still be protection against high-volume rapid thefts. This would ensure that even if criminals should gain proximity to data, they would not gain access.

PCI, in contrast, involves a network-centric approach and is strangely silent on database protection. It leaves compliant companies frighteningly vulnerable to both insider threats and external database attacks. PCI should have, as its mission, protection of credit card data through all levels of a transaction lifecycle. This focus, properly implemented, would have prevented Heartland by default, since the processor would have been required to keep its servers in PCI compliance at all times.