[Disclaimer: The following is based on information received from a single acquirer, and I have been unable to corroborate any of this from other sources.]
Have you seen Visa Europe’s new fine structure for cardholder data breaches? Can you afford THAT kind of loss? More importantly, are you really PCI compliant, or did you just fake your way through a Self Assessment Questionnaire (SAQ)?
In case you weren’t aware, the fines for a breach are levied against the results of the mandatory forensics investigation, not just your self-assessment status. Anyone caught lying on a self-assessment attracts the maximum fines, and rightfully so.
OK, full disclosure on the title, I did go straight into a worst case scenario, but would you read about PCI otherwise? If you’re like 99% of the people I’ve ever had as PCI clients, you care nothing about PCI compliance per se. Other than wanting it to just go away of course. Historically, even threats of fines have done little to motivate organisations to take PCI seriously.
Until now perhaps.
But first, believe it or not, some good news: “Assessments levied for non-progressions and portfolio targets have been withdrawn.” In other words, there will no longer be Visa Europe-defined fines for non-compliance. This is not to say your ACQUIRER can’t fine you, but Visa has only ramped-up the fines in the back-end.
In this case, the ‘back-end’ means you’ve been breached, and there is now a whole host of things you have to take into account to work out your potential losses:
- The loss of 1 PAN & CVV attracts a fine of €18.
- There is a €3,000 ‘Account Data Compromise (ADC) Management Fee’ imposed on all breaches.
- For penalties over €100,000, the fines can be capped at “5% of the merchant’s Visa gross annual purchase volume in 12 months prior to the initial notification.” I assume this is entirely discretionary and weighed against the egregiousness of the non-compliance.
- Did the acquirer correctly report the merchant’s compliance status? – Even if the status is non-compliant, there is a 25% reduction in fines for correct reporting.
- Are the ‘majority’ of the merchant’s transactions authenticated with Verified-by-Visa (VbV)? – 50% reduction in fines if yes.
- Non-compliant Level 4 Merchant puts 1,000 PAN and CVV2 numbers at risk – Acquirer correctly reported compliance status, and VbV is in place;

| Item | Amount |
|---|---|
| PAN & CVV 1,000 x €18 | €18,000.00 |
| Compliance Reductions @ 25% | -€4,500.00 |
| Sub Total | €13,500.00 |
| VbV Reduction | -€6,750.00 |
| Sub Total | €6,750.00 |
| ADC Management | €3,000.00 |
| Cap Applied | N/A |
| Grand Total | €9,750.00 |

- ‘Compliant’ Level 3 Merchant puts 5,000 PAN and CVV2 numbers at risk – Acquirer incorrectly reported compliance status, and VbV is not in place;

| Item | Amount |
|---|---|
| PAN & CVV 5,000 x €18 | €90,000.00 |
| Compliance Reductions @ 25% | €0.00 |
| Sub Total | €90,000.00 |
| VbV Reduction | €0.00 |
| Sub Total | €90,000.00 |
| ADC Management | €3,000.00 |
| Cap Applied | €25,000.00 |
| Grand Total | €28,000.00 |

- Non-compliant Level 2 Merchant puts 75,000 PAN and CVV2 numbers at risk – Acquirer correctly reported compliance status, and VbV is in place. No penalty cap applied;

| Item | Amount |
|---|---|
| PAN & CVV 75,000 x €18 | €1,350,000.00 |
| Compliance Reductions @ 25% | -€337,500.00 |
| Sub Total | €1,012,500.00 |
| VbV Reduction | -€506,250.00 |
| Sub Total | €506,250.00 |
| ADC Management | €3,000.00 |
| Cap Applied | N/A |
| Grand Total | €509,250.00 |

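
The arithmetic behind the three scenarios above, as an added example (not code from Visa Europe, the acquirer or the original article) that a merchant could use to size breach exposure for its own record counts. The order of operations is taken from the tables; the €500,000 annual volume in the second scenario is an assumption back-calculated from the €25,000 cap shown there.

```python
from decimal import Decimal

# Figures as stated in the article (single-acquirer source).
PER_RECORD = Decimal("18")        # EUR per PAN & CVV pair at risk
ADC_FEE = Decimal("3000")         # flat ADC Management Fee, added last
REPORTING_CUT = Decimal("0.25")   # acquirer reported compliance status correctly
VBV_CUT = Decimal("0.50")         # majority of transactions use VbV
CAP_RATE = Decimal("0.05")        # share of Visa gross annual purchase volume


def estimate_fine(records, correctly_reported, vbv_majority, capped_volume=None):
    """Return (penalty_before_cap, penalty_after_cap, grand_total) in EUR.

    capped_volume is the merchant's Visa gross annual purchase volume when
    the cap is granted, or None when it is not. The article treats the cap
    as discretionary, and its second scenario applies it to a EUR 90,000
    penalty, so no EUR 100,000 threshold is enforced here.
    """
    penalty = PER_RECORD * records
    if correctly_reported:
        penalty -= penalty * REPORTING_CUT
    if vbv_majority:
        penalty -= penalty * VBV_CUT   # taken off the already reduced subtotal
    capped = penalty
    if capped_volume is not None:
        capped = min(penalty, CAP_RATE * Decimal(capped_volume))
    return penalty, capped, capped + ADC_FEE   # the ADC fee is never capped


def article_scenarios():
    """Grand totals for the three scenarios worked through in the article."""
    return [
        estimate_fine(1_000, True, True)[2],
        # Assumption: EUR 500,000 volume, implied by the EUR 25,000 cap.
        estimate_fine(5_000, False, False, capped_volume=500_000)[2],
        estimate_fine(75_000, True, True)[2],
    ]


if __name__ == "__main__":
    for total in article_scenarios():
        print(f"EUR {total:,.2f}")
```
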
Will Visa Europe’s new fine structure get merchants moving towards compliance? I seriously doubt it. Frankly nothing will get them moving unless the CEO / BoD see these fines as a legitimate business risk instead of a worst case scenario. And what are the chances of that when the cost of properly securing cardholder data negatively impacts the quarterly numbers?
Fining for non-compliance was stupid anyway. It basically forced merchants to just lie on their SAQs and do nothing to actually reduce the risk. Huge fines for a breach are arguably a more appropriate way of punishing those who egregiously ignored the standard. But it’s still after the fact.
But what if the card schemes actually provided INCENTIVE for achieving [and appropriately demonstrating] compliance? Reduced interchange rates perhaps? Financial incentive to adopt their increasingly desperate ‘innovations’ maybe? Wouldn’t THAT be something.
The information security sector is rife with negativity and pronouncements of doomsday, and while this title is no better, this blog is not meant to scare, but to provide an alternative view of the worst case scenario; a data breach and resulting forensics investigation. The fact remains that if your data is online, someone has the necessary skill-set and wants it badly enough, they are going to get it. So the sooner you prepare yourself for the inevitable, the better you will be able to prevent a security event from becoming a business-crippling disaster.
By the time you make your environment as hack-proof as humanly possible, the chances are you have spent far more money than the data you’re trying to protect was worth, which in security equates to career suicide. Instead, you are supposed to base your security posture on the only thing that matters; a business need, then maintain your security program with an on-going cycle of test > fix > test again.
Unfortunately what happens in the event of a breach is that you are told what was broken and how to fix it from a technical perspective. This is analogous to putting a plaster / band-aid on a gaping wound. You’re not actually fixing anything. A forensics investigation, instead of being seen as the perfect opportunity to re-examine the underlying security program, is seen as an embarrassment to be swept under the carpet as soon as possible. Sadly, valuable lessons are lost, and the organisation in question remains clearly in the sights of the attackers.
For example, let’s say a breach was caused by an un-patched server. The first thing you do is fix the server and get it back online, but all you have done is fix the symptom, not the underlying cause:
- How did you not KNOW your system was vulnerable? – Do you not have vulnerability scanning and penetration testing as an intrinsic part of a vulnerability management program?
- How did you not know your system wasn’t patched? – Is not patch management and on-going review of the external threats landscape also part of your vulnerability management program?
- Did the breach automatically trigger a deep-dive examination of your configuration standards to ensure that your base image was adjusted accordingly?
- Did you fix EVERY ‘like’ system or just the ones that were part of the breach?
- Did your policy and procedure review exercise make ALL necessary adjustments in light of the breach to ensure that individual accountability and requisite security awareness training was adjusted?
- Were Incident Response, Disaster Recovery and Business Continuity Plans all updated to incorporate the lessons learned?
And perhaps the most important part of any security program; Is the CEO finally paying attention? Ultimately this was their fault for not instilling a culture of security and individual responsibility, so if THIS doesn’t change, nothing will.
If the answer is no to most of these, you didn’t just not close the barn door after the horse bolted, you left the door wide open AND forgot to get your horse back!
Most breaches are not the result of a highly skilled and concerted attack, but of attackers taking advantage of the results of systemic neglect on the part of the target organisation, i.e. MOST organisations with an Internet presence! Therefore, organisations that can work towards security from the policies up, and the forensics report down, have a distinct advantage over those who do neither.
For the purposes of this blog, I’m going to assume the rumours are true, but if they’re not, both the premise and the message to large retail are still largely valid.
Apparently, Target will be replacing their current point of sale / terminals with a Verifone ‘solution’ capable of Point to Point Encryption (P2PE), and I assume, EMV and NFC as well. So it wasn’t bad enough that they lost 40M credit card numbers – the repercussions of which will cost them millions – they are now going to spend even more multi-millions to continue to accept the root cause of their troubles; the credit card.
Yes, the new Payment Entry Devices (PEDs) may encrypt the cardholder data from the swipe onwards, and this MAY take a large portion of the authentication channel out of scope for PCI, but nothing fundamentally has changed. The only significant payment channel is a custom built, exceedingly expensive system that can only accept credit cards. I estimate that $25,500,000 would be required to replace the PEDs alone (1,700 locations X 30 lanes per store X $500 per PED)!
Forget the fact that they will also have to pay for the P2PE service, as well as fundamentally change every business process relating to payments, they will STILL have to pay the card brands astronomical sums in fees! Their 2013 net revenue was ~$73 billion, so let’s say (conservatively), 15% was credit card revenue, and that Target have a preferred interchange rate of 1%, that means in 2013 alone, Target paid the card brands $109.5 MILLION just for the ‘privilege’ of letting the customers use a credit card.
$25.5M + $109.5M = $135M, how many innovations in payments could that fund? Or more to the point; how many alternative methods of payment AUTHENTICATION could that fund which would vastly improve the security of the transactions, and render the card brands’ 60+ year old technology obsolete once and for all?
Now imagine if they got together with Walmart, and Metro, and Aldi, and Costco and the rest of the world’s top 10 retailers, who, using the above maths, pay the card brands a combined $1.7 BILLION in fees, just how much influence do you think they would have?
And that’s really the point; the retailers don’t seem to know just how much power they have. They in fact hold ALL the cards, but not one of them wants to be the first to play them for fear of losing the competitive edge to the others. If they could only put aside their differences for a while, they could, all by themselves, create the necessary momentum to change the way we perform non-cash payment on a global basis.
The card brands won’t do it, it’s 100% of their business, the banks won’t do it, they make their own profits, and no-one else who has a vested interest in the status quo will make any effort to provide alternatives. Can’t say as I blame them, business is business, and it’s not as though the average consumer is clamouring for choice. But the retailers, they have by far the most to gain, and they have by far the most direct influence on how people shop.
Someone has to go first, and Target now have the perfect opportunity to spend their money future-proofing their payment infrastructure, but only if they finally understand that payments are NOT a core function, selling stuff is, and that their customers will adopt ANYTHING that’s cheaper, easier, and safer.
They have an image to fix, but this is not the way to go about it.
As I stated in my previous article Target Breach: What Does This Say About Their QSA?, the more naive questions that inevitably follow a major breach like this revolve around a couple of things:
- What good is the PCI Data Security Standard if this kind of thing still happens, and;
- What did the QSA do wrong?
Both of these questions are the WRONG questions to ask, and display an ignorance of good security practices, the PCI compliance assessment process, and the intent of the PCI standard itself.
First, the intent of the standard was never to prevent breaches from happening entirely, that’s impossible, so the intent was always to REDUCE the instances of breaches to a point that can be considered ‘best efforts’. Every other standard or security framework out there uses phrases like ‘reasonable’ or ‘appropriate’, and makes absolutely no effort whatsoever to help you figure out what these things mean in your environment.
PCI went the other way, and explicitly implied (by the very nature of the DSS) that if you implement all of the controls, the resulting risk reduction is good enough. Not once did they ever say PCI compliance was actual security, and not once did they ever say that you should stop your security program AT compliance. The PCI DSS has always been, and will always BE a minimum set of controls around a single form of data, and should NEVER have been seen as enough security for your business.
So, ANY individual who is surprised when a company that has achieved compliance is breached, should do their homework before pointing fingers. Target was an enormously valuable prize for thieves, and warranted an effort far above anything PCI compliance, or maybe even good security, could have hoped to prevent.
As for the QSA, you just have to look at the assessment process itself to see that the PCI DSS should never be confused with either a comprehensive security framework, or even a reasonable assessment of compliance. Any standard that allows both sampling, AND point-in-time validation, can only ever be seen as scratching the surface, especially with an organisation the size, distribution, and complexity of Target. There is simply far too much that the QSA will not see in a given year to point fingers in that direction.
Sampling is a privilege, not a right, and has to be earned. You start at 100%, and work down from there, and to even allow sampling in the first place, a few things must be in place:
- Standardised Builds: Just because every Windows system is built from the same base image (for example), does not mean that all Windows systems can be sampled randomly. Every system function, location, admin team, etc. must be taken into account, and a justifiable cross section of systems included.
- Centralised Maintenance/Management: For sampling to be valid, it must be shown that ALL systems in the environment are maintained identically. From patching, to updates, to anything else that affects the ‘like’ systems, uniformity must be demonstrated.
- Centralised Monitoring: Unless all systems in the estate where sampling is proposed are monitored centrally, each distinct monitoring unit must be handled separately.
In other words, unless you can show how the systems are configured identically, managed identically, and monitored identically, sampling is not an option. Even with this in place, the potential gaps are significant.
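
One way to turn the three conditions above into a sampling plan, as an added example that is not part of the original article or any PCI SSC guidance. The inventory, host names, field layout and the 25% rate are all constructed assumptions: hosts without a standard build or central management get 100% review, and the rest are sampled per stratum of image, function, site, admin team and monitoring unit.

```python
import math
from collections import defaultdict

# Constructed inventory; hosts and fields are hypothetical.
# (host, image or None if not a standard build, function, site,
#  admin_team, centrally_managed, monitoring_unit)
INVENTORY = [
    ("pos-01", "win-pos-v3", "pos", "store-12", "retail-ops", True, "siem-central"),
    ("pos-02", "win-pos-v3", "pos", "store-12", "retail-ops", True, "siem-central"),
    ("pos-03", "win-pos-v3", "pos", "store-12", "retail-ops", True, "siem-central"),
    ("pos-04", "win-pos-v3", "pos", "store-40", "retail-ops", True, "siem-central"),
    ("pos-05", "win-pos-v3", "pos", "store-40", "retail-ops", True, "store-40-local"),
    ("db-01", "win-srv-v7", "database", "dc-1", "dba", True, "siem-central"),
    ("web-01", None, "web", "dc-1", "web-team", True, "siem-central"),
    ("kiosk-01", "win-pos-v3", "kiosk", "store-12", "retail-ops", False, "siem-central"),
]


def plan_sampling(inventory, rate=0.25):
    """Return (hosts needing 100% review, {stratum: hosts to sample})."""
    full_review, strata = [], defaultdict(list)
    for host, image, function, site, team, central_mgmt, monitor in inventory:
        if image is None or not central_mgmt:
            # No standard build or no uniform maintenance: sampling not earned.
            full_review.append(host)
        else:
            # Same image is not enough; function, site, admin team and
            # monitoring unit each split the population.
            strata[(image, function, site, team, monitor)].append(host)
    plan = {}
    for key, hosts in strata.items():
        count = max(1, math.ceil(rate * len(hosts)))  # never skip a stratum
        # First N by name keeps the example deterministic; an assessor
        # would choose the hosts within each stratum.
        plan[key] = sorted(hosts)[:count]
    return sorted(full_review), plan


if __name__ == "__main__":
    full, plan = plan_sampling(INVENTORY)
    print("100% review:", full)
    for stratum, hosts in plan.items():
        print(stratum, "->", hosts)
```
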
As for the point-in-time aspect, even the card brands themselves don’t understand that at the time of compliance, the assessment process allows validation evidence that’s 364 days old. There is nothing in the DSS, or any other document produced by the SSC, that states that validation evidence cannot be more than x days/months old.
Instead, it seems to be assumed that the RE-certification process, including evidence gathering, happens in the last few weeks of the compliance cycle. It simply does not work that way. Unless you provide a list of evidence / remediation requirements MONTHS in advance of your client’s compliance deadline, any surprises can either prevent re-compliance, and/or create significant internal re-tasking. So, generally, this will involve collecting evidence 6 months old at a minimum.
A lot can happen in 6 months.
As I stated at the end of my previous blog on the Target breach, the fault – IF there is any – lies with Target stopping their security program at just PCI compliance. If they didn’t stop there, and had gone above and beyond, then it’s just one of those things, hopefully a lesson learned, and we should all focus on something a little more constructive.
Like getting away from the use of credit cards for example…