Slashdot Mirror

← Back to Stories (view on slashdot.org)

Credit-Card Data Breaches Drive Security Solutions

Posted by Zonk on from the it's-a-booming-market dept.

4foot10 writes with a link to a CRN article about the booming business of PCI adoption. The Payment Card Industry Data Security Standard (PCI DSS) was worked out by credit card companies as a guideline for securing customer data. As a series of high-profile customer information leaks have occurred over the last year, the business is increasingly getting lucrative for those who can keep up. "As PCI-related business begins to boom, security VARs and integrators find themselves in the enviable position of having almost too much work to handle. And there's plenty of room for the market to grow: Visa estimates that just 36 percent of Level 1 merchants (which process more than 6 million credit-card transactions annually) and 15 percent of Level 2 merchants (which process at least 1 million) have complied with PCI. Solution providers can either handle PCI-related assessments of companies' networks and then recommend solutions to address holes, or provide the remediation services after an audit, which often requires companies to implement firewalls or encryption to their networks."

43 comments

  1. The standard itself by ergo98 · · Score: 3, Informative

    The PDF isn't full of anything revolutionary, and most are just common sense data security, but it is a great starting point for securing virtually any highly confidential data.

    Far too many shops don't comply with the majority (or any) of the recommendations.

    1. Re:The standard itself by 4e617474 · · Score: 3, Informative

      and most are just common sense data security

      Oh, if only. Until recently I worked for a company that sells systems that perform credit card transactions for a particular segment of merchants (I don't want to say more than that for reasons that will become obvious soon enough. They went through a series of revisions in their product lines, but for the most part the systems are very hard to set up, configure, and troubleshoot, and if you were going to go looking for the most technically inept customer base their target industry would make the short list - so a means of remote access is a standard feature.

      For a number of years, this meant that you have a Unix box with an "everyday" user - username: [name of vendor of system] password: [same as username or blank] - the root user, with one of four or five short dictionary words for the password (and pretty much the same one in any given region of the country) - and the "application" user with a password that I'm told was relatively secure, but who cares when you have a pretty good chance of getting root before your dictionary cracker gets through the "B's". These machines were just sitting there with a modem waiting for anyone who could "cu" to dial in. Once you were in, and you had root, about a week's worth of credit card transactions complete with everything that can be read off the magnetic stripe were waiting for you in plain text.

      A few years down the road, they've gone Windows and they're ever so slightly too careful to have people telnetting in over the Internet, so they use PCAnywhere. Live modem, waiting for you to dial in (yes, dial-up remote administration of a Windows box - fun, fun, fun), username: [name of vendor] password: [name of vendor]. They got called on it, so they changed one of the two to a common word in English, I can't remember which. Once you're in, you're supposed to be signed in as a non-privileged user who's able to access the non-encrypted credit card data only because the permissions aren't always set very well, but usually the owner of the system just signs into their server as Administrator, makes sure that PCAnywhere is running in case the Help Desk needs to get in, and walks away. Their more security-conscious customers (they have a few) require a number of hoops to jump through that you won't be able to if you don't really work at the vendor. Their newest systems, they've encrypted the credit card data, and to decrypt it, you have to sign in to an application with a username that is not especially obvious but is one of the standard Windows users. The password used to be the vendor's name, but now (a few serivce packs down the road) its their name and the product number with some numbers substituted for letters and vice versa.

      To their credit, they've started making recommendations like "turn off the modem when you're not actively using it" and "if you use PCAnywhere for TCP/IP, don't use the default ports". This lead to support exchanges like:
      "We don't have the modem turned on anymore"
      "So turn it back on"
      "I don't know how"
      "Who does?"
      "He doesn't work here anymore"
      "You'll have to wait for the dealer to come out on Monday"
      "I did mention my business is hemorrhaging cash as I contemplate the value of the fix-figure support contract, right?"
      "Yeah, I get that a lot."

      My favorite would have to be the voice mail I got: "We set PC Anywhere to not use the default ports like you told us and now it doesn't work with our firewall, so you'll have to call when someone's here to use Webex." At least the company doesn't have a high turnover rate with lots of disgruntled employees who'd love to make them look bad. Oh wait a minute...

      --
      Finally modding someone offtopic when they rant about what "Begging the Question" means: priceless.
    2. Re:The standard itself by failedlogic · · Score: 1

      Wow. Well at least I take pride in only using cash (no debit cards) for fear of these situations. I'm fearful this is a lot more common.

    3. Re:The standard itself by Mondor · · Score: 1

      If you would only know how right you are. There are two major problems with PCI standard. First, it is greatly outdated. It tries to push some "well known and proven" security measures as if there could be no others more effective. It is like instruction to put red flags around the lawn to keep wolves away. You may get a high-tech fence instead, and this would solve the problem, but this would not make you compliant. Just put these red flags on.

      And second, which is funny, you don't have to pass PCI audit to pass PCI audit. You know, this business is all around money. Payment card processing centers service huge areas and canceling their contract would mean too serious problems for... the brand. We have two processing centers here in my 1-million city. If one of them loses ability to support VISA the first who gets hurt will be VISA, because it is not the only payment system out there. Although in Germany (Hamburg for sure) loosing the ability to accept EC/MC would mean end of business.

      So, what VISA invented to fight this problem - they just allow organizations to self-audit themselves. I.e. say that you are compliant, and you are compliant.

      I've seen networks of processing centers (sorry, no names, you know why). They are sweet! With NT4-driven production servers where everyone writes what he want where he want, where you can find accounts of people who were fired a year ago and security credentials written in plain text files. With WiFi routers plugged to the main switch and a year old WEP key. With server room where people store their beverages because refrigerator is too small. You know, it's like IT infrastructure of a hippy commune. The biggest miracle is why all their bases still belong to them, as it is much easier to hack into the processing center than ... well... hacking e-shop might be much more difficult.

      Processing centers are big companies, international ones, but their security measures are mostly laughable. Usually security specialists' only job is to talk using "difficult" security-related terms (like "stateful packet inspection") and if he sees that you understand what he said and find it funny, think that you're fired.

      What I see as the solution to this problem is to prohibit self-audit and it must be done not at VISA level but at the government level. I'm afraid what VISA is doing is just a sand into the eyes of naive public. So it must be enforced by someone who cares.

  2. Putting a band-aid on a sucking chest wound by Dachannien · · Score: 1, Insightful

    Instead of coming up with all these technological countermeasures, why don't the credit card agencies simply stop offering credit without actually verifying the identity of the credit requestor? Make the data useless by itself, and people will stop trying to obtain it.

    Oh, that's right, it's more lucrative to give out credit like candy, and then put responsibility for fraudulent charges on the merchants.

    1. Re:Putting a band-aid on a sucking chest wound by jd3nn1s · · Score: 2, Insightful

      The PCI DSS has nothing to do with stopping fraudulent credit applications. It's about making sure that payment information you have given to a merchant is protected from security breaches. The merchant is rightly responsible for this.

    2. Re:Putting a band-aid on a sucking chest wound by Dachannien · · Score: 1

      You don't get my point. If the payment information is worthless to identity thieves because they can't do anything with it, then there'll be no need for putting the burden for ridiculously heightened security on merchants.

    3. Re:Putting a band-aid on a sucking chest wound by scdeimos · · Score: 1

      The "ridiculously heightened security" as you put it is just common sense. It was only a couple of years ago that you could routinely use search engines like Google to search retailer web sites for files (as basic as plain text files and Access databases, etc.) containing customer payment and shipping information. Nowadays most retailers at least have their payment databases out of the webroot space (often on a different server), but I doubt whether more than a very few of them actually store the card data in an encrypted format as PCI suggests.

      The payment information includes all you need for fraud: Credit card number; card holder's name; expiry date and in the case of Visa a CVC. If that's accessible to anybody then they can use that information to make fraudulent purchases with it. They don't need to apply for another card at all, they just hijack someone else's.

    4. Re:Putting a band-aid on a sucking chest wound by jd3nn1s · · Score: 1

      How do you make the payment information worthless to someone wishing to carry out fraudulent purchases without new hardware systems?

  3. layers 1-3 aren't the biggest problem by bl8n8r · · Score: 4, Insightful

    The biggest problems facing internet security are greed, laziness, ineptitude, apathy and general ignorance. expensive credit card hardware cant fix pebkac, all it does is make newegg raise their shipping charges.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
    1. Re:layers 1-3 aren't the biggest problem by Master+of+Transhuman · · Score: 1


      I agree with that entirely, but it also extends to the people writing the software and the devices.

      I have a client (more than one, actually) running QuickBooks 2007. This POS has to run as Administrator on a Windows box. There is theoretically a way to change that but the Web page describing it is extremely long - and there are no guarantees that the next update (QuickBooks has released many recently because the 2007 version is buggy as hell) won't screw that up.

      So in essence the entire small business market - and the accountants servicing that market - in this country is running on software that runs on Windows in Administrator mode.

      Why not just post everybody's credit card numbers on the Net now? It would just be a little easier for the hackers.

      I tried to get my client to switch all his workstations from Administrator mode to limited user mode. Then the staff complained about "productivity issues", which boiled down mostly to not knowing about Runas and using Windows XP Home which causes issues with customer attached drives (the company does media conversion and has to attach drives from customers to their workstations). So now they're all back in Admin mode until I can figure out some solutions to their main issues.

      But the kicker is the owner asks me why it's a problem to run in Admin mode if they have adequate AV (which they don't at the moment, but that's another issue) and other security measures and are behind a firewall. I have to explain to him that protecting a network involves a lot more than just securing the perimeter (not to mention that a firewall with a default password is hardly secure). You have to assume everything inside the perimeter is untrustworthy as well.

      It's the lack of comprehension of security at all - and the lack of interest when it involves actually changing user behavior - that is the problem.

      And that only changes when a company gets nailed to the wall from a security incident. And the longer they go without one, the worse their security gets. Only if they're one of the lucky - or utterly uninteresting - ones do they get to go for years without a security incident.

      Which means the luckiest companies have the worst security, probably.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  4. when even the source doesn't have a clue by l3v1 · · Score: 1

    I mean come on, the linked writing has the following text

    Security experts say every time a retailer ends up in the headlines for losing customer credit-card data, a PCI project gets its wings. And,as more companies look to the channel for help with securing their networks for PCI compliance, it's turning out to be a wonderful life for solution providers.

    in which they link the PCI acronym to an encyclopedia site detailing what PCI as in Peripheral Component Interconnect means.

    Good job.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  5. PCI is Paternalism by Alexander · · Score: 1

    The standard, while a nice list of controls, has only a slight chance of helping those cannot/will not manage their risk. In the mean time it is nothing but another layer of wasteful bureaucracy (redundant?) for those who do a good job of managing their risk.

    But we call all rest easy knowing that some vendor has spent $5 per IP to get a "hackersafe" badge to throw up on his webiste.

    --
    "oohhh... I didn't know Schopenhauer was a philosopher!" ..."uhhh yeah, he's the one that begins with
    1. Re:PCI is Paternalism by Anonymous Coward · · Score: 0

      But we call all rest easy knowing that some vendor has spent $5 per IP to get a "hackersafe" badge to throw up on his webiste.


      But we can all rest easy knowing that some vendor has spent $5 per IP to get a "please hack me" badge to throw up on his website.

      There, fixed that for you.
  6. Problems drive solutions by houghi · · Score: 1

    Well DUH!

    --
    Don't fight for your country, if your country does not fight for you.
  7. PCI Compliance: good practices, but a joke... by spentrent · · Score: 0

    How can you rebill a customer without storing the CVV?

    1. Re:PCI Compliance: good practices, but a joke... by NC-17 · · Score: 1

      With specific Recurring Billing flags sent to the appropriate processor, perhaps with a reference to the original transaction as well. It can be done.

    2. Re:PCI Compliance: good practices, but a joke... by DogDude · · Score: 1

      The CVV isn't required for many merchant banks. Many merchant banks require other forms of extra information instead of the CVV, like the billing zip code.

      --
      I don't respond to AC's.
    3. Re:PCI Compliance: good practices, but a joke... by spentrent · · Score: 0

      Which means the processor is storing a CVV and thus not PCI compliant.

    4. Re:PCI Compliance: good practices, but a joke... by AJWM · · Score: 1

      Heck, I've seen self-service gas pumps that require the billing zip code.

      Mind, with the price of gas, I can understand the desire for extra security.

      --
      -- Alastair
  8. Recurring billing by Anonymous Coward · · Score: 0

    So riddle me this...

    PCI rules state that the CVV can not be stored under any circumstances, period, nada, zip...

    Our CC processing software company say they're working on a solution to allow recurring billing...

    Our backend processing company (Nova) say they're working on a solution to allow recurring billing...

    Both of the above would involve some form of submitting all CC/CVV details once at initial signup then being able to somehow *reference* that customer's account in the future without producing all those same details again.

    Neither has a solution ready to go yet. We need to automatically bill thousands of people each month for services they've purchased and agreed to recurring billing for. How do we charge them next month without having their card details stored? Number/Expiration we can store, as long as it's encrypted, but CVV is a vital component and the one that is strictly forbidden.

    -Between a rock and a hard place...

    1. Re:Recurring billing by Planesdragon · · Score: 1

      This is easy.

      1: Authorize a single transaction, including date/time, CC#, expiration, and ammount.

      2: Authorize "recurring payments", which stores #1 and includes what limits (if any) on the recurrence. (15/month? "paid in full" a month?)

      3: For each recurring payment, including CC# (et al) and reference to #1. Processor checks #1, and if it is (1) still valid and unrefuted and (2) satisfies #2's limits processes the payments.

    2. Re:Recurring billing by NC-17 · · Score: 1

      I would say, because it seems like such a large part of your business, that you find a new gateway/processing company to deal with, that already has this functionality in place. They do exist :)

  9. Bullshit by bluefoxlucid · · Score: 1

    Like any document, it gives a smart person a starting point and a dumb person (company) a way to say they're secure when they're really not. You need a 'firewall' and an 'IDS'; devices that qualify for this can do bare ass nothing (if you can justify why it's open and why you use it, it's probably fine to have open), though you can get a good tight firewall NEED-TO-ACCESS policy (allow what you need, isolate the servers from each other, deny any). I believe you can have access to the SQL database from the outside, for example; I'm pretty sure I've seen PCI compliant sites that have a set-up where they can use Enterprise Manager or something to manage their SQL server from another location, i.e. port 1433 is exposed to the Internet BUT THEY'VE CHANGED THE DEFAULT PASSWORDS (if it has a buffer overflow etc, you're screwed). Consider that a tight policy would put that behind the firewall and say, "Fuck you. Use SSH to get behind the firewall and forward port 1433 through it."

    These documents are excellent for true security engineers. For network engineers who are mostly business-oriented, they're also excellent, but only for having a way to back up your handwaving and create an insecure system that's touted as secure.

    --
    Support my political activism on Patreon.
    1. Re:Bullshit by jd3nn1s · · Score: 1

      The most recent version of PCI DSS states that any direct external availability of DBMS is an instant failure, and this is tested by the ASVs (or at least it should be). Any buffer overflows in remote available services should also be detected by the required quarterly vulnerability scans.

    2. Re:Bullshit by Alexander · · Score: 1

      "These documents are excellent for true security engineers"

      No. They're not. And for *true* risk managers, they're a joke and a waste of time.

      --
      "oohhh... I didn't know Schopenhauer was a philosopher!" ..."uhhh yeah, he's the one that begins with
  10. encrypt transmission across public networks .. by rs232 · · Score: 1

    You don't send sensitive information across the Internet period. On the client run an application that generates a unique one way hash of the transaction. This is sent to the server which performs the same hash using data stored on the server. It then sends a confirm msg to the client.

    On the server the data is stored encrypted and is accessed through well defined system calls. The encryption is done by a hardware module that sits between the harddrive and the system. That way if the server is sucessfully hacked the entire database is not compromised. The hardware module provides keys to the system so there is no security data lying about the disk or in memory to be hacked. All a network sniffer can do is access a one time encrypted transaction that can not be leveraged to provide usefull information.

    --
    davecb5620@gmail.com
    1. Re:encrypt transmission across public networks .. by jd3nn1s · · Score: 1

      So how does the server learn the credit card number etc necessary to perform the transaction?

    2. Re:encrypt transmission across public networks .. by Anonymous Coward · · Score: 0

      You don't send sensitive information across the Internet period.

      Indeed... Europe's slowly getting there. I can now log-in to my consumer bank and make wire-transfer, free of charge to any european country... All this without ever entering neither my name nor my bank account's number.

      Every login to the bank's Webapp needs the use of a one-time security token. Generating this number on the computer itself would still leave room for many attacks, this is not how it works. Instead, a number is generated by a physical device in my possession (provided by the bank), protected by a PIN.

      The last step would be to force the use of another one-time token for every single wire-transfer, computed on the physical device by entering the number of the account you want to transfer to.

      Some banks are already mandating that last step for transfers of important sum (and that is really close to a "good game" for people wanting to steal your money).

      Good luck on attacking that (neither sniffing nor MITM attacks work on that).

      The problem is that old mindset that having a credit-card number is all you need to purchase something. Of course this is coming less and less true. And bank and people continuing to be stuck in that middle-age scenario will keep loosing time and/or money.

      Anyone doing "eCommerce" in Europe knows it: the shift away from CC to wire-transfer is huge. Many people simply don't believe in CC anymore. They're fed up with CC number theft and with the recurring-billing-I-can't-stop-it fiascos that are all too common.

      Heck, I don't even *have* a CC now. I've got PayPal for selling and buying small items (no big loss here should my account be compromised) and I do wire-transfer for all the rest.

      CC ?

    3. Re:encrypt transmission across public networks .. by rs232 · · Score: 1

      'So how does the server learn the credit card number etc necessary to perform the transaction?'

      When you apply for a card, the server generates a unique identity. These details are stored on the card and on the server. The card is sent out to you and when in use a processor on the card generates a one time encrypted transaction from the data on the card. This is sent across the network to the server. The server performs the same transaction on the data stored in the server. If the two matches then the transaction is validated.

      If I recall correctly, these security chips are divided into two sections one holding the master key and data and a second that queries the first and communicates with the reader. The keys are not passed to the reader, only the one time transaction which is useless to the hackers.

      --
      davecb5620@gmail.com
    4. Re:encrypt transmission across public networks .. by jd3nn1s · · Score: 1

      OK so this solution requires additional hardware to allow your computer to interface with the chip on the card.

  11. What is the point for a lot of this when the out.. by Joe+The+Dragon · · Score: 1

    outsourced call center has all of your info and passwords.

  12. It's just broken by Jessta · · Score: 1

    The current way in which credit cards number are used is just broken. I find it amazing that it hasn't been fixed yet.
    Requiring that to make a purchase you have to give a shop all the information they require to make additional purchases on your behalf is just stupid.
    The solution is simple, public/private key cryptography.
    eg. http://jesstaa.blogspot.com/2006/06/credit-cards.h tml

    --
    ...and that is all I have to say about that.
    http://jessta.id.au
  13. The More Important Question... by Anonymous Coward · · Score: 0

    ...is when the credit card industry is going to grow some balls and stand up to the religious fanatics in the Bush administration who have been pressuring them to stop supplying credit card services to lawful. consenting adult erotica providers?

    http://www.interesting-people.org/archives/interes ting-people/200210/msg00036.html

    When are we going to start acting like America, instead of like some horrid Middle Eastern "Islamic Republic"?

  14. The side effects of giving billions to criminals by Anonymous Coward · · Score: 0

    Has anyone ever investigated the side effects of continually pouring billions of dollars into criminal industries? In essence the credit card industry is funding crime and terrorism through lax security and high tolerance of theft. It seems like this must be resulting in a phenomenal growth in all criminal industries worldwide. Using stolen credit cards as startup money to finance a boat purchase for human trafficking for example.

  15. Have to stop storing them by sam_handelman · · Score: 1

    It simply ought to be illegal for a business to store your credit card number (or bank account number.) In fact, it ought to be possible - especially on the internet - to do business without even disclosing your credit card number. The business opens a connection to Visa, and gives your browser the info it needs to complete the transaction from your end.

      If people want to bill you every month - they should send *you* an account number (which they could make easy to do, as above) and you instruct your bank/lender to send them $ every month. If you want to cancel their service, you stop paying them. "Cancellation charges", which are a major pain (and a violation of basic economic principles, to boot) should be illegal.

      At this rate the problem would be more or less solved. All of the security stuff (verifying the IP address where the purchase originates, for example) could be handled by the credit card companies themselves.

      Obviously businesses would be wildly opposed to this, because:
    a) Many of them want to be able to bill you until they decide to stop. 90% of the time, they can extract an extra $50 per customer just by making cancelling their service a pain.
    b) They want it to be convenient for you to give them money. Among other things, they really want grandma to be able to buy things repeatedly after only entering her credit card number once.
    c) They want to store all of the data on you they can, on general principle.

    --
    The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  16. Credit-Card Data Breaches Drive Ambiguous Titles by wirelessbuzzers · · Score: 1

    Wow. I always thought that the benefits of those encrypted Seagate drives were marginal, but I'd never have guessed that you could breach them with just a few credit card numbers.

    --
    I hereby place the above post in the public domain.
  17. I certify people. by Anonymous Coward · · Score: 0

    I work for the PCI-certified Approved Scan Vendor (ASV) Qualys.

    This is a timely article, as yesterday was the end of the quarter, and proof of PCI compliance was due. In addition, this is the first quarter that AMEX and VISA are actually fining customers if they do not meet compliance on time - starting at $5k USD per day!

    As such, we have been extremely busy with the volume of customers who use us for PCI compliance. We even have a seperate service to handle this business, apart from our flagship vulnerability management product, QualysGuard. (Note: We're upgrading today, 3/31, so you will see an 'Under Construction' page for it).

    My perspective on PCI compliance, from working with our customers on it, is that it is actually a crapload of work for companies to do. The standard is actually a pretty high bar. For example, a webserver that allows SSLv2 will fail you, or a VPN device that allows connections with regular DES.

    It may not be a perfect standard (how do you deal with 0-day exploits that have no fix, but represent a serious vulnerability?), but it's a pretty good starting point, IMNSHO.

  18. No it doesn't by Chuck+Chunder · · Score: 1

    It just means processing through a terminal where CVV is not a requirement.

    I have worked with several gateways/processors and the details depend a lot on their implementation. However typically we set up two accounts, a CVV account and a non CVV account. We funnel initial transactions through the CVV account and recurring transactions through the non-CVV accounts.

    Sometimes explicit linkage is required (ie a transaction reference for the initial transaction) and sometimes there is just "trust" that the no-CVV account isn't being abused.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  19. Scanning only part of PCI by Chuck+Chunder · · Score: 1

    My perspective on PCI compliance, from working with our customers on it, is that it is actually a crapload of work for companies to do. The standard is actually a pretty high bar. For example, a webserver that allows SSLv2 will fail you, or a VPN device that allows connections with regular DES.

    Making sure the systems don't raise any security scanning flags can be a pain but mostly it's a tick the box affair. (I have had to handle the SSL issue you mention. Actually disabling SSLv2 is easy, the hard part is getting all your long term clients who have been happily processing to update their side where necessary! Ultimately telling them that if they don't make their client SSLv3/TLS capable by the end of the week then they won't be able to process does the trick.)

    For me the interesting part is in limiting exposure if there is a security failure. The fundamental problem is that the applications need to store credit card information to be useful, the applications need to store credit card numbers to do what they have to do (issue credits, do recurring billing etc).

    The PCI documentation talks about encrypting information but in my opinion most of that is largely obfuscatory rather than giving any real security. You can have all the data encryption keys and key encryption keys you like but if the application needs to decrypt that data to do it's job then someone who compromises the application can get at it too. The best thing you can do in terms of minimising exposure is determining how long you need to keep data for and getting rid of it after that.

    Any real solutions to avoid the necessity of storing card information would need to come down from the card issuers. Personally though I am not sure they are motivated to change the status quo, they must make an absolute bundle out of charging merchants for chargebacks and so forth.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park