Visa and Genesco conflict highlights PCI misstep

Mark Bower says issues around PCI compliance have been highlighted by litigation between a US retailer and Visa

Stories circulating about the litigation between US clothing retailer Genesco and Visa over PCI compliance and a data breach highlight some of the grey areas of PCI DSS. At the same time, this underlines how retailers may misinterpret PCI DSS and what it means to them in reducing risk.

Retailers and resellers can easily avoid the pain of a breach – and get rid of the PCI DSS challenge in a major way – but there are some unusual and conflicting issues of PCI compliance.

We will no doubt learn more about what happened in this specific data breach, but already there are lessons to be learned and more questions that need answers. Let's take stock of the events.

The breach was in 2010, as per the notification records on file with various state attorneys general. Genesco took the breach seriously and began the notification process – so they were on the right track.

However, the breach was a result of servers becoming infected with malware. How did the attackers get in? What was being done to protect cardholder data on these systems? And what did the hackers really get?

A big goal of PCI DSS compliance is mitigating risk, not just ticking boxes for compliance's sake. The malware risks to servers and POS systems were not new and retailers have been warned about these threats by Visa, MasterCard and many others.

So, with major breaches taking place – especially in retail – and the warning bells ringing loudly, merchants concerned about managing risk and reputation were already taking steps to go beyond PCI DSS, adopting end-to-end data encryption.

PCI DSS is not perfect; even the PCI council would attest to that. But it is quite specific: from the breach notifications, it appears that Track 2 data may have been compromised. Track 2 data is of great use to thieves, because it can be used to create counterfeit cards. This was the data potentially stolen in this case.

There is a grey area in PCI DSS relating to pre-authorisation data – the cardholder data used for authorisation of a payment from the payment processor. The actual payment may be settled at the end of the day using the authorisation response information and the card data.

That is why cardholder data, if it is stored after authorisation, must be protected, as per PCI DSS 3.2. However, the tricky part of PCI DSS is pre-authorisation data, about which PCI DSS mandates the following:
* 3.2: Do not store sensitive authentication data after authorisation (even if encrypted);
* 3.2.1: Do not store the full contents of any track (from the magnetic strip located on the back of a card, equivalent data contained on a chip, or elsewhere); and
* 4.1: Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, et cetera) to safeguard sensitive cardholder data during transmission over open, public networks.

The assumption is that card payment authorisations are real-time events at the point of payment, so there is no need to store the data: it is captured, processed and done with. Perhaps the attackers stole the data in this small window of opportunity, sniffing it as it was read for the pre-authorisation processes.

This is still a big gap in PCI DSS and this may be where Genesco is heading with its claims. Perhaps we will find out, but the bottom line is that being compliant at one point in time does not provide protection against advanced threats. If there is any data in the clear, it's at risk unless it is encrypted.

So let's focus on that small window of opportunity for compromise. Genesco made some unusual claims in this regard, perhaps thinking that by rebooting servers it could reduce risk by "getting rid of data". That is not the right way to secure data; most breach investigation reports show that the time from a server being compromised to data being stolen can be as little as a few milliseconds for advanced malware.

Verizon's data breach report for 2012, for instance, suggested that 10 per cent of attacks manage to compromise the system in seconds, while 75 per cent happen in just minutes.

The only way to avoid risk is to ensure no live data is available to attack in the first place. Rebooting servers as a strategy to eliminate risk is not effective against persistent threats such as, for example, malware that targets cardholder data.

More importantly, PCI DSS does not recognise rebooting a server as an acceptable method of protecting data from threats or compromise. So strike one against Genesco's risk mitigation strategy – assuming of course that the reports are correct.

There is also something odd about the server-logging approach as reported. If accounts are to be believed, logs were overwritten after reboots, thus eliminating any information about the breach. PCI DSS compliance requires log retention.

Lastly, the log files themselves may have been the source of the compromise. If so, that points to another instance of non-compliance: by implication, cardholder data was being stored in log files too. That is a common mistake and a very easy target for attackers – strike three.
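The mistake described above is easy to check for. The following scanner is an added example, not code from the article or from Voltage Security: it runs over application or POS log lines and flags anything that looks like a full Track 2 record (the `;PAN=YYMM...?` framing defined by ISO 7813) or a bare primary account number, using a Luhn check to weed out transaction ids and sequence numbers that merely happen to be long digit runs. The regular expressions and the constructed sample log are assumptions made for this example; the card numbers in it are the well-known test numbers, not real cards. Findings are reported masked (first six and last four digits) so the report itself does not become another copy of the data.

```python
import re
from dataclasses import dataclass

# Candidate PAN: a 13-19 digit run that is not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 framing per ISO 7813: ';' PAN '=' YYMM service-code discretionary '?'
# (regex is an assumption made for this example).
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


@dataclass
class Finding:
    line_no: int
    kind: str    # "track2" (full track stored, PCI DSS 3.2.1) or "pan"
    masked: str  # first 6 and last 4 digits kept, the rest replaced by '*'


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check; filters out non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to the form PCI DSS allows to be displayed (first 6 / last 4)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines):
    """Return a Finding for every Luhn-valid PAN or Track 2 record in the lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        track_pans = set()
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            if luhn_valid(pan):
                track_pans.add(pan)
                findings.append(Finding(n, "track2", mask_pan(pan)))
        for m in PAN_RE.finditer(line):
            pan = m.group(1)
            if pan in track_pans:   # already reported as part of a track record
                continue
            if luhn_valid(pan):
                findings.append(Finding(n, "pan", mask_pan(pan)))
    return findings


# Constructed sample log: a debug line that dumped the raw swipe, a response
# line that logged the PAN, and two benign lines with long numeric ids.
SAMPLE_LOG = [
    "2010-03-12 10:01:07 POS01 auth request txn=000123456789012 amount=49.95",
    "2010-03-12 10:01:07 POS01 DEBUG raw swipe: ;4111111111111111=15121011234567890?",
    "2010-03-12 10:01:08 POS01 auth response approved pan=5500000000000004 code=123456",
    "2010-03-12 10:01:09 POS01 heartbeat seq=1234567890123456",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Run against the constructed sample, it reports the raw swipe dump on line 2 as a stored track and the logged PAN on line 3, while the 15-digit transaction id on line 1 and the 16-digit sequence number on line 4 fail the Luhn check and are ignored. Anything the scanner flags is data that requirement 3.2 says should not be on disk at all, so the fix is to stop logging it at the source rather than to scrub the files afterwards.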

Time will tell as to what really happened. A fine of $13m (£8.6m) is a lot for a retailer to swallow under any circumstances, but if it turns out that the legal cost is some reasonable fraction of that, and the remediation costs have been significant, why not apply those funds to stop a similar breach happening again by using data-centric security?

That way the risks to your reputation, data and business, and your PCI compliance costs, are almost nothing.

Mark Bower is vice president of product management at Voltage Security