From The Heartland Breach To Second Guessing Service Providers
Written by David Taylor, January 21st, 2009
When the Heartland breach was announced Tuesday (Jan. 20), it started to raise questions about whether major payment processors are really any more secure than their retail counterparts. GuestView Columnist David Taylor doubts they are, but he has advice for finding out.
Malware has two countervailing trends, both likely to continue. The first is that there is a rapidly growing market for highly automated malware that uses basic building blocks and can be easily adapted to identify and exploit new vulnerabilities. This malware exploits unpatched servers, poorly defined firewall rules, the OWASP top 10, etc. It is really aimed at the mass market--SMEs and consumers. Then there is the high-end malware that employs the "personal touch"--customized to specific companies and often combined with social engineering to ensure it's installed in the right systems. This type of malware got TJX, Hannaford and now Heartland.
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Christine

January 27th, 2009 at 5:08 pm
David Taylor seems to have used the Heartland Breach announcement to “vent” on topics apparently near and dear to him. The discussion of retail security based on the TJX and Hannaford breaches makes sense as, surprisingly, they are retail establishments. But using the breaches of two banks to question the security of all service providers in general is patently ridiculous. I don’t know of any bank that offers security services to their customers. There are hundreds of service providers that are not banks, related to banks or provide any merchant services or banking related service.
There are telecom companies that merely move the data from point to point. They are service providers.
There are companies that provide the service of connectivity to several banks or processors with different formats using a single format. These are service providers.
There are companies that provide accounting and reporting of payment information. These too are service providers.
There are companies that securely store card data for merchants. These are service providers.
There are companies that provide security technology to keep credit card information out of POS systems and off websites. These are also service providers.
Which of these service providers is David talking about? Generalization in a forum like Storefront Backtalk is as dangerous as saying “put in a couple of firewalls and your data is safe!” Broad-brush, one-comment-fits-all articles like this one do not raise the discourse to a level that it deserves.
A breach is a serious thing. But articles like this do little to improve the situation or to disseminate useful information. Comments like “Most companies don’t take data security very seriously” are as ridiculous as “all consultants are intelligent.” I have thousands of customers that are very serious about security.
The comment “Frankly, some service providers do a much better job than others when it comes to data security, but they charge more” is another broad-brush statement that is just not true. I know our customers receive substantial security functionality and services at no additional charge and I am sure that there are many other service providers that are priced similarly.
The whole purpose of PCI is to protect as many end points as possible. Basically, as more end points are being protected, the big boys become bigger targets. Thieves that want to make a big hit don’t want to pick the locks of thousands of homes; they would rather rob a bank. If there were no locks on houses, the lazy crook would open the door, steal what they could and move on. As some “service providers” are protecting individual merchants, thus making stealing a little more difficult, they are forcing the bad guys to work harder. Service providers like Heartland and RBS need to raise their game.
Malware is not a single thing, and to discuss malware as such is again more generalization. To dignify crooks and thieves as “malware manufacturers” is like the government, the press and the consultants “criminalizing” the victims. Please remember, Hannaford, TJX, RBS, Heartland and their customers are victims; their houses were broken into. Do we treat other victims with such contempt? We need to keep an open mind and not question every answer and every move made by a victim of a breach. These folks have to stand naked in front of the world merely because of a criminal act of some dirt bag. I think to belittle them for trying to stand behind Barack Obama’s Inauguration is unfair. When one is naked the normal reaction is to hide. More people watched American Idol than the Inauguration festivities anyway.
The four suggestions are reasonable, if not obvious. Unfortunately they don’t apply to all payment service providers and they dwell too much on the cost of the service. If providers of payment security services don’t talk about their security prowess, run, don’t walk, away. Asking about multiple levels of security protection is truly strange. A little bit secure is useless at any price and completely secure is priceless. Ask about the service provided and ask experts whether it is secure or not. Of course Real Security at a low price or no price is optimal. While I am not sure that any security-conscious company will disclose the members of their “security committee,” knowing that members of the executive staff are involved in the service provider’s offering and associated security evaluation is truly important.
On this we agree; PCI is not the be-all-end-all, but it is a good start. A dedication to Real Security is more important than compliance with any standard including PCI. Lock your doors there are thieves out there!
J. David Oder
President/CEO
Shift4 Corporation
http://www.shift4.com
http://www.simplifypci.com
January 27th, 2009 at 6:11 pm
“In response to Shift4’s corporate position re: my posting. I was attempting to make several points. Here they are, in briefer form, so that they may be easier to understand:
1) My first point was that greater concentrations of valuable data create greater risk, simply because it is more worthwhile for thieves to expend effort to target these companies. This is true of banks, card processors that are not banks, or any companies that gather and process large volumes of credit card numbers or other identity-related information. This goes back to Willie Sutton’s comment about why he robbed banks: Because “that’s where the money is.” The greater the data concentration by an organization, the greater the potential threat to that data.
2) My second point was that we have talked to a number of companies who have tons of confidential data. They provide services to merchants, banks, etc. There are huge differences in the level of protection provided to confidential data by some of these firms. Those who are spending lots of money protecting data have to charge their customers to pay for this security. Their frustration is that their customers often do not appreciate this. Too many customers, particularly retailers, still buy on price, without appreciating the value that the additional security provides to customers. Our goal is to help customers (especially retailers) be more conscious of security as a differentiator among service providers.
3) My third point was that these are serious criminals. By using the term malware “manufacturing” we are suggesting that this is a “criminal enterprise,” or “organized crime,” if you will. To suggest that these criminals are not organized or that there is not a concerted effort to efficiently break security systems is to understate the impact of their efforts.”
February 3rd, 2009 at 9:13 pm
David Taylor wrote “greater concentrations of valuable data create greater risk, simply because it is more worthwhile for thieves to expend effort to target these companies.”
Hear, hear! How long until Shift4, and/or any number of their competitors, suffer an attack like what Heartland and RBSLynk have experienced? And how many of their customers, who relied on representations of “security,” will be surprised to learn that the banks will go after the merchant, not the service provider, for fines and costs?
February 12th, 2009 at 7:52 pm
There is no such thing as 100 percent security. PCI Guy, my question to you is how much time and money does your average customer spend per year on the above until their next annual PCI audit? (I’m assuming you are a PCI auditor) We can preach PCI all day long until we’re blue in the face, but if you deal with small to medium merchants on a daily basis, you should already know most merchants all but totally ignore PCI after the auditor leaves until about a month before their next annual audit or ROC filing. Until you can squeeze PCI into a can, sell it like anti-virus software, and be able to have merchants install and forget it, reputable gateways have a place in the PCI equation (ignoring other non-PCI features gateways bring to the mix).
One final analogy using cash:
Fort Knox – maximum security – no breaches (at least none that I have heard of)
Banks – strong security – breaches rarely happen
Merchants – minimum security – breaches occasionally happen (more or less depending on many factors)
Based on David’s article, Fort Knox is the biggest target and therefore its use should be discouraged; same with banks – merchants should be holding their own money because they are the smallest targets.
February 16th, 2009 at 6:25 pm
Actually, the security of Fort Knox is significantly enhanced by the fact that the value it contains (gold) is extremely difficult to transport in large quantities.
Banks have relatively small amounts of money and basically nothing else worth stealing; the typical payoff from robbing one is a few thousand dollars. Security at banks is actually fairly weak, just hand the teller a note and be on your way…
A bank computer system, on the other hand, contains billions of dollars that can be “moved” in milliseconds and, therefore, it makes a very attractive target. Banks understand this, and have highly secure computer systems. Unfortunately, acquirers and payment processors are not banks and, evidently, they still have a bit to learn about computer security.
There is nothing fundamentally bad about payment gateways, but they are not nearly the silver bullet you constantly portray them to be. Gateways do not prevent a merchant’s computer from being attacked, and gateways add another attack vector to the payment processing chain.
A hacker who has infiltrated a merchant’s computer can easily circumvent your encryption driver. The Shift4 “tokenization” system merely eliminates storing encrypted card numbers on the merchant computer until those transactions have been settled. In other words, your system helps protect against a hacker who (1) gains access to the merchant’s computer and (2) locates encrypted card data awaiting settlement, and (3) locates the required decryption key on that computer. A hacker with that much skill is far more likely to install a sniffer and grab card numbers before your product can encrypt them. That kind of attack could go on for months without being detected.
Moreover, since the Shift4 servers are holding millions of card numbers, your site is at considerable risk for attack. It happened to Heartland, it happened to RBS Worldpay, and it has happened to many other “secure” computer systems. It can happen to Shift4, too. (You thought your network could not go down, but you had a major outage in December, right?)
Like I said, there is nothing fundamentally bad about payment gateways, including yours, but they are not without flaws and vulnerabilities, either. I’m concerned your company’s over-the-top marketing hype is doing more harm than good by leading your customers to believe they need not worry about security.
February 23rd, 2009 at 6:45 pm
PCI Guy, you are not aware of, or don’t understand, the different layers of tokenization Shift4 provides. The tokenization you described is the initial version that we released to the public domain back in 2005 and you are correct, it only addresses storage. Also, no pre-settlement cardholder data is stored on the merchant’s system, only tokens, and there is no storage key to crack.
We have a version of tokenization that encrypts at the swipe, prior to entering the merchant’s POS and is fully encrypted in flight on the merchant’s network. This version of tokenization addresses all the merchant side issues you pointed out and is basically an end-to-end tokenization model.
I never promote gateways as any sort of silver bullet. On the contrary, I’m the one that always emphasizes that there is no such thing as 100% security. But I also know our system and what the average merchant dedicates to security throughout the year. You would be hard pressed to find any merchant that dedicates as much to security as we do (in time or resources).
The main argument here is distributed risk vs. consolidated risk. If all things were equal, security was security and everyone had an x% chance of a breach, then your argument would be accurate. But not everyone has an x% chance of a breach. Some have a much higher percent chance of one; others have a much lower percent chance. A big factor in the (x+y)% vs. (x-y)% chance is the money and resources dedicated to security. The average merchant dedicates a minimal amount of time and money to security. Not everyone can afford the thousands, hundreds of thousands, and sometimes millions of dollars it takes to be secure. For the average merchant, I firmly believe that a reputable gateway that focuses on and provides secure solutions will reduce the merchant’s x% chance of being breached.