Payment security is back in the public eye with the recent disclosure of a cardholder data breach at a leading US payment processor. While initial reaction to this latest incident has been unfortunately predictable, characterized by plenty of uninformed speculation, outrage, and a general lack of understanding of the workings of the payments industry, the story that is ultimately written about this latest incident might be one that is completely unexpected.
In our last post, we made some pretty safe predictions about how the payment security landscape will evolve this year. Now let’s make a few more daring predictions about what might happen in the coming months:
Our team thought it would be interesting to make a few predictions for the upcoming year related to payment security. Some (unfortunately) don’t require a crystal ball, but for many others, the decrypted answer from our secure Magic 8 Ball is probably “outlook not so clear”. I’ll offer five we feel pretty confident about this week, and another five in our next post.
In the past several weeks, I have read two recent data breach accounts that suggest that many retailers may need their own visits from the ghosts of the past to realize that they need to change their ways.
In my last post, I talked about the unique challenges of trying to provide point-to-point encryption for the petroleum merchant. In a nutshell, the petroleum merchant wants to stop skimming attacks where the bad guy puts a skimming device in the chassis of the fuel dispenser*. This is easily solved by encrypting the card data at the mag-head/card reader, but doing so breaks the ability for the merchant to process the special instruction in fleet cards.
If you think about it, I’m sure it would come as no surprise that an average gas station/convenience store conducts more credit card transactions per day than practically any other type of merchant – usually on the order of two or three times as many transactions. And with that many transactions, petroleum merchants are prime targets for credit card theft.
Taking the small number of very large compromises out of the equation shows that small businesses are more at risk than ever.
Auditors prefer encryption over tokenization for protecting internal data at rest. To me, those findings are completely unsurprising, for the exact same reasons that I choose the same menu items over and over: we prefer the things with which we are most familiar.
Let’s use the RSA Conference as a starting point for changing our thinking in 2011.