"... As a result of our NitroSecurity implementation, we have not had a single [virus outbreak] and we virtually eliminated illegal file-sharing"
— Director of Network Operations & Information Security Officer, Berry College
The Cost of Non-Compliance

Level 1 and 2 merchants that do not provide PCI certification reports to their credit card provider can be fined or dropped by the provider.

~ Ask Visa, Credit Card Information Security Program (CISP) Team

Visa, banks and state legislators are out of patience with companies that fail to comply with PCI regulations. All three are taking steps to impose substantial financial burdens on companies that experience data breaches.

While all banks and merchants are required to comply with PCI standards, Visa has initiated a program of fines of up to $10,000 a month against banks serving Level 1 and 2 merchants who have not verified their PCI compliance by September 30 and December 31, respectively. In 2006, Visa levied $4.6 million in fines, up from $3.4 million in 2005.

Any bank that Visa fines has the option to pass the fine on to the offending merchant and/or to cease to provide services to that account, depending on the bank/merchant agreement. Level 1 and 2 merchants include those with transaction volumes of 6MM transactions and up and 1MM to 6MM transactions, respectively.

As of December 2006, Visa reported PCI compliance among Level 1 merchants at 36% and among Level 2 merchants at 15%, with the majority of both levels actively working toward compliance. Banks whose Level 1 and 2 merchants validate compliance prior to August 31, 2007 will be eligible to receive a reduced one-time payment for each qualifying merchant.

Credit unions are working to raise the stakes against companies that experience data breaches. Not only are they working to turn certain Payment Card Industry Data Security Standards into federal law, they are also working with state legislatures to pass laws requiring companies to reimburse banking institutions for the costs of alerting customers and re-issuing credit cards.

In May, Minnesota became the first state to pass legislation championed by the credit union associations. The new law is far-reaching partly because of its all-encompassing language. According to Morrison and Foerster, a San Francisco law firm, the law means:

"So long as a person or entity conducts business in Minnesota that accepts an access device — a card containing magnetic stripe data or a processor chip — in connection with a transaction, that person or entity becomes automatically liable to any financial institution for the reasonable costs undertaken to protect the information of its cardholders.

Note, the bill doesn't say that the merchant needed to be headquartered in Minnesota, that the breach had to have happened in Minnesota, or that the financial institution had to be located in Minnesota." [1]

"[In 2006] the average cost of a data breach was $182 per record, up 30% since 2005."

~ The Ponemon Institute

Similar legislation has been introduced in at least five other states, including California, Connecticut, Illinois, Texas and Massachusetts — home of TJX Companies, Inc., where the largest data breach to date was revealed in January.

Costs Rising for Security Breaches

Data breaches cost money, and they are getting more expensive each year. The Ponemon Institute, an independent research organization for the advancement of responsible information, privacy and security management practices in business and government, gathered data in 2006 from 31 companies about the costs of their security breaches. [2]

Ponemon found the average cost of a data breach was $182 per record, up 30% since 2005. Of that $182, some $54 was attributable to direct, unbudgeted costs such as legal fees, notification letters, call center support and discounts to customers. Another $30 was attributable to lost employee time, that is, time taken from planned projects to deal with the breach. The final $94 was attributed to brand damage, loss of client business and increased costs of securing new customers. On average, 20% of the affected customers ceased doing business with the breached company.

PCI Data Security Standards In Brief

Build and maintain a secure network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data

  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

  • Requirement 3: Protect stored cardholder data

  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

  • Requirement 5: Use and regularly update anti-virus software

  • Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know

  • Requirement 8: Assign a unique ID to each person with computer access

  • Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data

  • Requirement 11: Regularly test security systems and processes

Maintain an information security policy

  • Requirement 12: Maintain a policy that addresses information security

Ironically, a data breach costs the IT department relatively little, only 6% (or $11 of the $182 cost per record) for subsequent preventative measures. Some companies did not take preventative measures following a breach.

Of course, one of the most public accounting records of the cost of a security breach comes from The TJX Companies. Their Form 10-K filing for the latest quarter included a $12MM after-tax charge to "investigate and contain the intrusion, enhance computer security and systems, and communicate with customers, as well as technical, legal and other fees." Several security magazines report the breach has cost TJX closer to $25MM.

Those estimates, however, were made before the end of April 2007, when HarborOne Credit Union of Brockton, MA, sent The TJX Companies Inc. an invoice for $590,000 — one of the first instances in which a financial institution has sought reimbursement of costs from a breached company. [3] HarborOne sent the invoice, rather than filing suit against TJX, to give TJX an opportunity to do the "morally right thing" (and, no doubt, to save substantial legal fees on both sides).

Other financial institutions are not being so kind. TJX now faces two major lawsuits:

  • a class action lawsuit from Merchant Law Group, a Canadian law firm representing customers affected by the breach, and

  • a class action lawsuit from the Massachusetts Bankers Association to cover the yet-to-be-determined costs their banks have incurred.

In addition, the Arkansas Carpenters Pension Fund, a shareholder, is suing TJX for refusing to provide documents outlining the company's IT security measures and response to the data breach.

Last, but not least, TJX is likely to incur government fines for its failure to meet PCI Data Security Standards. In 2006, the U.S. Federal Trade Commission (FTC) fined ChoicePoint, Inc. $10 million for the data security breach that resulted in the compromise of nearly 160,000 consumer records in 2004. [4]

"70% of all database breaches are internal."

~ Forrester Research,
January 2007

PCI Lessons from the TJX Debacle

As a Level 1 merchant that accepts credit card payments, TJX was and is subject to the Payment Card Industry's Data Security Standards, which prescribe exacting steps for preventing database intrusion and data theft. TJX's story provides several clear examples of what not to do.

According to the Wall Street Journal, investigators believe hackers pointed a telescope-shaped antenna toward a Marshall's store in St. Paul, Minn., and used a laptop computer to decode data streaming between hand-held price-checking devices, cash registers and the store's computers. [5] They then used keyloggers to get access to the company's central database at its headquarters, where they established their own accounts and the major theft began.

In September of 2006, auditors told TJX that it was not complying with many of the requirements imposed by Visa and MasterCard, citing outmoded WEP encryption and missing software patches and firewalls. TJX admitted to transmitting data to banks "without encryption" in an SEC filing.

Joel Dubin, CISSP and independent computer security consultant, reviewed TJX's recent 10-K filing and surmised the following violations of PCI recommendations in an article for SearchSecurity.com: [6]

  • Recommendation 3: storing transaction records and customer information after they had served their business purpose.

  • Recommendation 4: transmitting unencrypted data; using WEP encryption rather than the recommended WPA or WPA2, for data at rest.

  • Recommendation 10: lacking secure audit trails that cannot be altered.

  • Recommendation 11: lacking penetration testing; lacking intrusion detection capabilities.

Why So Many Security Breaches Now?

Security breaches have been big news for a number of years now, so why do they continue? The answer lies in the changing nature of business and the changing nature of data breaches.

From the business perspective, the huge explosion in the use of Web protocols means that firewalls are less effective at keeping out persons with criminal intent. Today, more applications encapsulate their protocols within Web protocols or ride email past a network's firewall. And more companies share their data and network access with their business partners, consultants, contractors and outsourcers. This is called de-perimeterization, and it has been a developing trend for years.

From the data breach perspective, today's intruder is more likely to be an "insider," someone with access authorization whether that is an employee, a customer or a contractor. Thus, the line between an external attack and an internal attack is blurred.

A former employee using remote access is acting from a completely different set of motives and from a completely different base of knowledge than an outside hacker. He or she may know exactly where the most important or confidential data resides, and he or she may know colleagues' passwords and enough of the security practices to cover his or her tracks.

Similarly, a zero-day scenario is more likely to be a planned event. A former employee will wait for the announcement of a software flaw and do damage before a patch can be applied. He or she may know your patch policies and the exact length of the window of opportunity.

Forrester Research estimates that 70% of all attacks are perpetrated by insiders. The majority compromise computer accounts, create unauthorized backdoor accounts or use shared accounts in their attacks. Most insider attacks are detected only when an irregularity in the information system is noticed or the system becomes unavailable.

New Solutions for New Problems

Firewalls have long been the primary means of intrusion protection, but a moat of firewalls around the perimeter is no longer effective. Insider attacks and malware embedded in web protocols easily bypass firewalls.

The entire approach to data protection has to evolve. The network must be monitored continuously for suspicious activity, and data protection must be moved closer to the data, with especially sensitive data being identified and isolated or, at the least, given higher security alert status. Encryption is essential for data in motion. Data at rest is more problematic: most applications and most humans cannot manage and use encrypted data. Sooner or later it has to be readable, which makes knowing who is reading it critical. Security monitoring at the data level fills that need.

Data monitoring can also help with one of the most frequent data theft problems: the lost laptop. The loss of a laptop seems to catch companies by surprise, which clearly indicates that policies and procedures are not in place for controlling the downloading of data and for tracking the distribution of sensitive information. A data monitoring application would enable an IT department to know when confidential data or a large amount of non-public data is being requested to ensure proper protections are in place on the PC.

Automated log monitoring and automated data monitoring are the obvious solutions for proactively detecting intruders and rogue accounts. These systems also identify suspicious or out-of-range data requests from users, regardless of the user's authorization. Of necessity, these solutions must have automated IT alert capabilities, along with the ability to set high-security alerts that notify a range of responders and provide explicit response instructions.
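The kind of detection logic such a monitor runs, shown as an added example that is not NitroSecurity's code: it scans a constructed database audit log and raises alerts for a login that follows a burst of failures, a read far above an assumed per-query baseline, and off-hours queries, whether or not the account is authorized. The log format, thresholds and user names are assumptions for the demo.

```python
"""Added example (not NitroSecurity code): flag out-of-range database
access in a constructed audit log, the way an automated data monitor
would, regardless of whether the account is authorized."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: timestamp user event rows_returned
SAMPLE_LOG = """\
2007-06-01T02:13:05 jsmith LOGIN_FAILED 0
2007-06-01T02:13:09 jsmith LOGIN_FAILED 0
2007-06-01T02:13:14 jsmith LOGIN_FAILED 0
2007-06-01T02:13:20 jsmith LOGIN_OK 0
2007-06-01T02:14:02 jsmith SELECT 250000
2007-06-01T09:05:11 acoles LOGIN_OK 0
2007-06-01T09:06:40 acoles SELECT 12
2007-06-01T09:07:03 acoles SELECT 40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
FAILED_LOGIN_THRESHOLD = 3   # assumed: failures before a success is suspicious
ROW_THRESHOLD = 10000        # assumed per-query baseline for this application
BUSINESS_HOURS = range(8, 19)  # assumed: 08:00 to 18:59 local time

def parse(log_text):
    """Yield (timestamp, user, event, rows) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, event, rows = m.groups()
            yield datetime.fromisoformat(ts), user, event, int(rows)

def detect(log_text):
    """Return a list of (user, reason) alerts in log order."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per user
    for ts, user, event, rows in parse(log_text):
        if event == "LOGIN_FAILED":
            failures[user] += 1
        elif event == "LOGIN_OK":
            if failures[user] >= FAILED_LOGIN_THRESHOLD:
                alerts.append((user, f"login after {failures[user]} failures"))
            failures[user] = 0
        elif event == "SELECT":
            if rows > ROW_THRESHOLD:
                alerts.append((user, f"bulk read of {rows} rows"))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append((user, f"off-hours query at {ts.isoformat()}"))
    return alerts

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```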

Conclusions

All companies that accept credit cards must take steps to comply with PCI Data Security Standards, especially Level 1 and 2 merchants. Storing data unnecessarily, a lack of encryption, failure to monitor logs and failure to monitor access to data are the four PCI violations that security experts believe TJX committed. Each of these can be remedied with tools currently available in the marketplace.

NitroSecurity, the leader in data access intelligence, offers several products addressing all twelve PCI Recommendations: NitroView ELM, for systems and devices, and NitroView DBM for databases, NitroGuard IPS for firewall and intrusion prevention, and NitroView ESM for topology, network, user, and application requirements. More than 600 companies world-wide use these products for:

Continuous Data Security Monitoring.

NitroView DBM continuously monitors database activity to protect data at its source. NitroView DBM monitors user logins, logouts and failed login attempts as well as unauthorized access attempts. It analyzes all access paths to a database, whether from applications, users, viruses, worms, trojan horses, utilities, "back doors," queries, LAMP scripting, ODBC utilities, etc., regardless of the password or privileges of the user.

Alerts on Suspicious Activity.

When suspicious activity occurs, NitroView DBM sends real-time alerts to the console. Alerts contain the information needed to fully identify the perpetrator, the nature of the suspicious activity, and the merchant's instructions for handling the situation. Alerts can also be emailed or sent to cell phones or pagers. Such activities can include SQL injection attacks or copying the data to an external source, both activities indicative of intent to steal data.

Password Protection and Insider Tracking.

NitroView DBM tracks changes made to passwords and access control schema and creates a full audit trail of changes. Audit logs are certified, encrypted, compressed and copied to a separate server to prevent insiders from making changes and covering their tracks. Any attempt to change an audit log results in de-certification of the log, a high-priority alert to the console and the creation of additional audit messages. Complete user sessions can be replayed to trace activity for forensic purposes and to identify the records compromised.
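One way to get the "certified log that de-certifies when altered" property described above, as an added example rather than NitroSecurity's own mechanism: each record carries an HMAC over its content and the previous record's tag, so editing, deleting or reordering any record breaks the chain from that point on. The key, record contents and user names are constructed for the demo.

```python
"""Added example (not NitroSecurity code): a tamper-evident audit trail.
Each record's tag is an HMAC over the previous tag plus the record body,
so any alteration, deletion or reordering de-certifies the log from that
record onward. The key must live off the monitored host (assumption)."""
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this on the separate log server.
KEY = b"demo-audit-key-not-for-production"
GENESIS_TAG = "0" * 64  # chain anchor for the first record

def _tag(prev_tag, body):
    return hmac.new(KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

def append_record(log, record):
    """Append a record whose tag chains to the previous record's tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = json.dumps(record, sort_keys=True)  # canonical form for tagging
    log.append({"body": body, "tag": _tag(prev_tag, body)})
    return log

def verify(log):
    """Return the index of the first record that fails certification,
    or None if the whole log certifies."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_tag(prev_tag, entry["body"]), entry["tag"]):
            return i
        prev_tag = entry["tag"]
    return None

def build_demo_log():
    """Constructed trail: a DBA changes a password and grants access."""
    log = []
    append_record(log, {"user": "dba1", "action": "ALTER USER app PASSWORD"})
    append_record(log, {"user": "dba1", "action": "GRANT SELECT ON cards TO app"})
    append_record(log, {"user": "app", "action": "SELECT * FROM cards"})
    return log

def tampered_log():
    """An insider rewrites record 1 to hide the grant; the chain breaks there."""
    log = build_demo_log()
    log[1]["body"] = json.dumps({"user": "dba1", "action": "SELECT 1"}, sort_keys=True)
    return log

if __name__ == "__main__":
    print("clean log certifies:", verify(build_demo_log()) is None)
    print("tampered log breaks at record:", verify(tampered_log()))
```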

Proactive Security Reporting and Proof-of-Compliance Security Auditing.

NitroView DBM provides reports to review passwords and expirations, to audit security practices over a specific period of time, and to correlate DBA changes with authorized change requests. Pre-defined reports provide proof of compliance with PCI, SOX, HIPAA, FISMA, and GLBA regulations for security monitoring.

Visibility Across Applications.

NitroView ESM & NitroView DBM, together, provide easy correlation of database user activity and identity information from other application logs and Identity Awareness systems. This provides concise and accurate user tracking — even when using account pooling. The result is an actionable audit trail showing exactly who did what, regardless of the path used to access data.

Performance Monitoring.

Nothing frustrates online customers like slow response time. Because viruses and other types of malware often compromise system resources, NitroView DBM reports and alerts on slow response time and low disk space. These alerts are equally effective in helping system administrators balance workloads and foresee resource requirements. NitroView DBM itself has negligible impact on system performance.

Support for High Availability in High-Transaction Environments.

By tracking response times and transaction failure rates, NitroView DBM can quickly determine whether a database is experiencing internal problems and can post alerts when pre-defined tolerances are reached.

Low Risk, Robust Reporting.

Implementing NitroView ELM and NitroView DBM is low risk, and it makes reporting simple. Because they are not co-hosted on the database platform and monitoring takes place on the network, LogCaster and NitroView DBM do not interact with or impact the database. Further, because LogCaster and NitroView DBM come with the majority of the security and configuration policies already predefined and consolidate their audit trail data into a central database, the reporting needs of most organizations are met out of the box.


[1] "Merchant Liability for Security Breaches," Legal Updates and News, Morrison & Foerster, San Francisco, June 2007.

[2] "2006 Annual Study: Cost of a Data Breach. Understanding Financial Impact, Customer Turnover and Preventative Solutions," The Ponemon Institute, 2006.

[3] "Information Security News: Mass. Credit Union Bills TJX $590K for Breach-Related Costs," Jaikumar Vijayan, Computerworld, June 7, 2007.

[4] "FTC Imposes $10M Fine Against ChoicePoint for Data Breach," Jaikumar Vijayan, Computerworld, January 26, 2007.

[5] "Went Out Wireless Door: Biggest Known Theft Came from Retailer With Old, Weak Security," Joseph Pereira, Wall Street Journal, May 4, 2007, page A1.

[6] "The TJX Data Security Breach: 10-K Filing Shows IAM and Compliance Mistakes," Joel Dubin, SearchSecurity.com, May 2, 2007.
