Target: Yep, They Made The Worst Decision Imaginable

In the most ridiculous decision possible, Target have agree to ACCELERATE their ‘smart card rollout’ to the tune of about $100M;

Target to accelerate $100 million chip-enabled smart card program: CFO, Reuters, Feb 03, 2014

Let me say that again; ONE HUNDRED MILLION DOLLARS!

How exactly are these new smart cards (which is EMV / Chip & PIN obviously)  going to reduce “cyber theft” when they do absolutely nothing except prevent card present fraud? It’s not as though this amazing chip-enabled technology actually encrypts the cardholder data point-to-point (that’s a terminal function, if available), so it doesn’t stop Target saving the data post-auth. And because not ALL US retailers and merchants are going to accelerate THEIR programs, Target have done nothing to prevent the real menace; card NOT present fraud.

What are they going to do when their customers start demanding other forms of payment, like mobile? Or when they start losing market share because value-add services won’t integrate with their shiny new static-function payment terminals? Spend ANOTHER $100M?

I’ve said it a hundred times, payments is NOT about the payment functionality itself, it’s about the AUTHENTICATION of the individual trying to MAKE the payment. In that, Target are completely missing the point.

If this is pressure from the card brands shame on them, if it’s pressure from ‘Government regulators’, shame on THEM, but if this is just Target being short-sighted and throwing good money after bad, then I hope their share-holders wake up before it’s too late.

I for one would be really pissed if had a vested interest in this.

Target Breach – Part III: Their Next Step Could Be Their Biggest Mistake

For the purposes of this blog, I’m going to assume the rumours are true, but if they’re not, both the premise and the message to large retail is still largely valid.

Apparently, Target will be replacing their current point of sale / terminals with a Verifone ‘solution’ capable of Point to Point Encryption (P2PE), and I assume, EMV and NFC as well. So it wasn’t bad enough that they lost 40M credit card numbers – the repercussions of which will cost them millions – they are now going to spend even more multi-millions to continue to accept the root cause of their troubles; the credit card.

Yes, the new Payment Entry Devices (PEDs) may encrypt the cardholder data from the swipe onwards, and this MAY take the large portion of the authentication channel out of scope for PCI, but nothing fundamentally has changed. The only significant payment channel is a custom built, exceedingly expensive system that can only accept credit cards. I estimate that $25,500,000 would be required to replace the PEDs alone (1,700 locations X 30 lanes per store X $500 per PED)!

Forget the fact that they will also have to pay for the P2PE service, as well as fundamentally change every business process relating to payments, they will STILL have to pay the card brands astronomical sums in fees! Their 2013 net revenue was ~$73 billion, so let’s say (conservatively), 15% was credit card revenue, and that Target have a preferred interchange rate of 1%, that means in 2013 alone, Target paid the card brands $109.5 MILLION just for the ‘privilege’ of letting the customers use a credit card.

$25.5M + $109.5M = $135M, how many innovations in payments could that fund? Or more to the point; how many alternative methods of payment AUTHENTICATION could that fund which would vastly improve the security of the transactions, and render the card brands’ 60+ year old technology obsolete once and for all?

Now imagine if they got together with Walmart, and Metro, and Aldi, and Costco and the rest of the world’s top 10 retailers, who, using the above maths, pay the card brands a combined $1.7 BILLION in fees, just how much influence do you think they would have?

And that’s really the point; the retailers don’t seem to know just how much power they have. They in fact hold ALL the cards, but not one of them wants to be the first to play them for fear of losing the competitive edge to the others. If they could only put aside their differences for a while, they could, all by themselves, create the necessary momentum to change the way we perform non-cash payment on a global basis.

The card brands won’t do it, it’s 100% of their business, the banks won’t do it, they make their own profits, and no-one else who has a vested interest in the status quo will make any effort to provide alternatives. Can’t say as I blame them, business is business, and it’s not as though the average consumer is clamouring for choice. But the retailers, they have by far the most to gain, and they have by far the most direct influence on how people shop.

Someone has to go first, and Target now have the perfect opportunity to spend their money future-proofing their payment infrastructure, but only if they finally understand that payments are NOT a core function, selling stuff is, and that their customers will adopt ANYTHING that’s cheaper, easier, and safer.

They have an image to fix, but this is not the way to go about it.

Target Breach – Part II: What Does This Say About The PCI DSS?

As I stated in my previous article Target Breach: What Does This Say About Their QSA?, the more naive questions that inevitably follow a major breach like this revolve around a couple of things:

  1. What good is the PCI Data Security Standard if this kind of thing still happens, and;
    o
  2. What did the QSA do wrong?

Both of these questions are the WRONG questions to ask, and display an ignorance of good security practices, the PCI compliance assessment process, and the intent of the PCI standard itself.

First, the intent of the standard was never to prevent beaches from happening entirely, that’s impossible, so the intent was always to REDUCE the instances of breaches to a point that can be considered ‘best efforts’. Every other standard or security framework out there use phrases like ‘reasonable’ or ‘appropriate’, and make absolutely no effort whatsoever to help you figure out what these things mean in your environment.

PCI went the other way, and explicitly implied (by the very nature of the DSS) that if you implement all of the controls, that the resulting risk reduction was good enough. Not once did they ever say PCI compliance was actual security, and not once did they ever say that you should stop your security program AT compliance. The PCI DSS has always been, and will always BE a minimum set of controls around a single form of data, and should NEVER have been seen as enough security for your business.

So, ANY individual who is surprised when a company that has achieved compliance is breached, should do their homework before pointing fingers. Target was an enormously valuable prize for thieves, and warranted an effort far above anything PCI compliance, or maybe even good security, could have hoped to prevent.

As for the QSA, you just have to look at the assessment process itself to see that the PCI DSS should never be confused with either a comprehensive security framework, or even a reasonable assessment of compliance. Any standard that allows both sampling, AND point-in-time validation, can only ever be seen as scratching the surface, especially with an organisation the size, distribution, and complexity of Target. There is simply far too much that the QSA will not see in a given year to point fingers in that direction.

Sampling is a privilege, not a right, and has to be earned. You start at 100%, and work down from there, and to even allow sampling in the first place, a few things must be in place:

  1. Standardised Builds: Just because every Windows system is built from the same base image (for example), does not mean that all Windows systems can be sampled randomly. Every system function, location, admin team, etc. must be taken into account, and a justifiable cross section of systems included.
    o
  2. Centralised Maintenance/Management: For sampling to be valid, it must be shown that ALL systems in the environment are maintained identically. From patching, to updates, to anything else that affects the ‘like’ systems, uniformity must be demonstrated.
    o
  3. Centralised Monitoring: Unless all systems in the estate where sampling is proposed are monitored centrally, each distinct monitoring unit must be handled separately.

In other words, unless you can show how the systems are configured identically, managed identically, and monitored identically, sampling is not an option. Even with this in place, the potential gaps are significant.

As for the point-in-time aspect, even the cards brands themselves don’t understand that at the time of compliance, the assessment process allows validation evidence that’s 364 days old. There is nothing in the DSS, or any other document produced by the SSC, that states that validation evidence cannot be more than x days/months old.

Instead, it seems to be assumed that the RE-certification process, including evidence gathering, happens in the last few weeks of the compliance cycle. It simply does not work that way. Unless you provide a list of evidence / remediation requirements MONTHS in advance of your client’s compliance deadline, any surprises can either prevent re-compliance, and/or create significant internal re-tasking. So, generally, this will involve collecting evidence 6 months old at a minimum.

A lot can happen in 6 months.

As I stated at the end of my previous blog on the Target breach, the fault – IF there is any – lies with Target stopping their security program at just PCI compliance. If they didn’t stop there, and had gone above and beyond, then it’s just one of those things, hopefully a lesson learned, and we should all focus on something a little more constructive.

Like getting away from the use of credit cards for example…

Target Breach: What Does This Say About Their QSA?

According to the pre-forensics news, the breach was a result of malicious software installed on Point of Sale (POS) devices in a significant number (potentially all) of their locations across the US.

The thieves were apparently able steal not only the card numbers, but the track data and the PIN numbers as well, suggesting that the breach involved ‘sniffing’ the information off the wire. This data was obviously unencrypted from the point of swipe, suggesting also that the PEDs / terminals are either not configured to do so, or are older models not capable of doing so.

Of course, this is all speculation, and it may be as simple as a concerted attack with skimming devices, but 40 MILLION cards lost at so many locations certainly suggests something more centralised, and far more fundamental.

Once the fuss dies down, there will be the inevitable ‘blame storming’ questions. For example:

  1. How did this happen if they were PCI compliant?
    o
  2. Who was their QSA, and how did they miss something so major?
    o
  3. Why are we still using credit cards when they are so insecure?

…and so on.

The first one is easy, and anyone who STILL thinks PCI compliance means that they were secure knows nothing about PCI, and even less about security. More detail in my blog Stop Confusing PCI Compliance With Actual Security. As a corollary, there are many QSAs who think that PCI compliance is enough, and either don’t even try to help their clients toward a proper security posture, or assume PCI is about compliance in the first place. They should, and it’s not, respectively.

PCI compliance was only introduced to try to prevent things like the Target breach from happening, do you really think the cards brands care about actual compliance itself if it means credit card data is still vulnerable?

As for the second, the name of the QSA will no doubt come out in time, but blaming THEM for not doing their job properly is like blaming a single doctor for not curing all the world’s illnesses, it simply does not work that way. To any QSA company who tries to use this breach to bad mouth either the incumbent QSA company, or the QSA assessors, I say they had better have their own house 100% in order, because what goes around, comes around.

No QSA can EVER have the depth or breadth of knowledge of an organisation the size and complexity of Target and be able to determine 100% compliance, not when sampling and point-in-time validation are part and parcel of the assessment process.

As for the third one, that’s a question for the ages, and beyond the scope of this blog. I don’t like credit cards, as the majority of my blogs will attest, but they are going to be around for a while, so we had better come up with a better way of protecting them than compliance to the PCI DSS can ever provide.

For a start, does Target need to accept credit card payment themselves? Are home grown payment applications and systems core to their business? The answer to both is no, they are in business to sell things, that’s all, payments are just the MEANS to that end. Simplify, and/or outsource that function to an organisation that specialises in it, or at least consider the possibility.

Eventually credit cards will go away, but the need to properly authenticate a payment, and protect personal data will not. PCI does not get ANY organisation where it needs to be, and if you want to blame anyone for this breach, look no further than Target, they are the ones with all the cards in their hands, not the QSA.

====================

Update 20-Dec-13: In case my words above are unclear, I am VERY much against blaming QSAs for breaches when there is so much wrong with both the assessment process, and the standard itself. Yes, there are some crappy QSAs, but I seriously doubt this was something Target’s QSA missed. This was most likely a very sophisticated attack that even a security posture far above PCI compliance would have been able to stop.

Also, to whomever tried to post the name of the QSA as an employee OF that QSA, there is nothing I have seen in my career that is more unprofessional or more lacking in integrity. You are a coward.