When Merchants Get Rid Of Cardholder Data

Saturday, October 09, 2010

PCI Guru

Fc152e73692bc3c934d248f639d9e963

I started thinking about this a couple of months ago.  I think this is one of the problems we have in our industry as well as society as a whole.  We do not take the time to think about what our actions might result in. 

If we did, we might not continue to end up with ever larger problems.

There appears to be this belief that once merchants get rid of cardholder data, life will be so much better and safer.  But is that really what will happen?  What does happen once merchants get rid of cardholder data?  Do the clouds part?  Is there sunshine forever?

Granted this is all my suppositions, but I think it probably fairly portrays what will happen once cardholder data is out of merchants’ systems.

Merchants have been led to believe that attackers will have to move their target to where the data will have moved which would be service providers, processors and acquiring banks. 

But merchants are not out of the woods once they no longer store cardholder data.  In their efforts to get to the service providers, processors and acquiring banks, the attackers will take whatever route they have to in order to achieve their objective. 

Merchants may no longer store cardholder data, but they will transmit it and possibly still process it.

Merchants have to connect to service providers, processors and/or acquiring banks, so they are still part of the transmission of cardholder data. 

As security professionals like to say, “Security is only as good as its weakest link.”  Where is the weakest link? 

Unfortunately, it will be merchants.  Even though they no longer store cardholder data, they are still a target and will need to continue investing in security so that they protect their business partners. 

If you think it was tough selling merchants on securing cardholder data, imagine selling them on securing their business partners after they stop storing cardholder data.

Since merchants will still come in contact with credit cards in order to obtain payment, they will need something like end-to-end encryption or other security measures so that when a customer pays with their credit card, the connection between the card and the processor is secured. 

That now makes the credit card terminal or the integrated POS workstation the prime target to intercept cardholder data.  Therefore, criminals will move their focus to supplying merchants or their equipment suppliers with doctored terminals or integrated POS software to intercept cardholder data. 

There have already been documented incidents of this happening, so one has to assume that these sorts of incidents will just increase in occurrence.

Chip and PIN can resolve some of this, but as some security researchers recently showed, Chip and PIN can also bring a new set of problems.  Everyone looked at this exploit as too difficult to pull off. 

However, if you truly read the researchers’ report, you see that it would only take the doctoring of a terminal to execute.  But the PCI SSC says that terminals are “dumb.”  Yet a lot of the terminals being used these days have the processing capability of a netbook.

To exacerbate the situation with the terminal, you have the problem of what to do when the terminal cannot connect to the service provider, processor or acquiring bank. 

Even in this age of high network availability, there will always be the occasional incidence of the knocked over utility pole or network failure.  In these instances there has to be a way to conduct the transaction as merchants are not going to deny sales because the network is down. 

There are a couple of ways to deal with this situation.  The first is to fall back to the good old “knuckle-buster” and paper forms.  You then need to deal with the security of the forms, but that can usually be handled the same as how a merchant secures their cash.

The second option is to put a form of intelligence in the terminal or integrated POS solution to conduct the transaction without the network. 

However, this involves the temporary storage of the cardholder data in the device until the network is available.  Where this typically goes wrong is that the device does not properly clear the data once it has been transmitted. 

Most people would say, “So what?  The attackers would have to know when the network was down.”  True. 

But what if the attackers doctored the terminal or POS software and periodically just didn’t allow a certain number of transactions process?  Do you think people would notice?  They would probably write it off as the technology just acting up.

In the end, merchants are only a little better off than when they stored cardholder data.  Until a new system is developed, we need to mitigate the risks of the existing system. 

That is what the PCI standards are all about.  They were developed to mitigate the risks presented by the current credit card processing system.  They are not perfect, but they do reduce the risks to an acceptable level if they are followed.

Cross-posted from PCI Guru

Possibly Related Articles:
7393
PCI DSS
PCI Data Loss Prevention
Post Rating I Like this!
7377f47f95a1202ea8d330061b674dea
Lawrence Pingree Most merchants only care so far as they have a checkmark box next to everything in PCI. I know its sad, but that's just how it is. They only want to spend the bare minimum to keep up with the standard. Security risk is not so important to them and they'll only address it if the PCI standard allows them to spend money to obtain risk reduction, otherwise it gets ignored and accepted by management.
1286726284
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.