Security
An End to the Great Data-Storage Debate
Peter Lucas
Weaning merchants from their ingrained practice of storing payment card data won’t be easy, but security experts conclude it must be done. Meanwhile, encryption technology, though growing in popularity, is not invulnerable.
Having survived database breaches at high-profile retailers and merchant acquirers, the payment card industry has concluded that a smaller security perimeter will be easier to defend against computer hackers. As a result, the industry is stepping up efforts to convince merchants they no longer need to store credit and debit card data unless there is an overwhelming business case to do so.
While that message is not new—the debate over whether merchants should store card information rages after every data breach—the intensity with which it is now being put forward suggests the card industry’s position on the issue is more than a subtle shift in thinking.
Last July, Visa Inc. and the National Retail Federation announced that merchants should not be obliged by their acquiring banks to store account data for the purpose of satisfying card-number retrieval requests. Visa and the NRF went on to say merchants may keep truncated or disguised card numbers to reduce the amount of potentially vulnerable data stored in their systems.
In October, the PCI Security Standards Council released the guidelines for version 2.0 of the Council’s Payment Card Industry data-security standard (PCI). The new standard includes an exercise in which merchants are advised to identify where card data may be stored in their computer network and make sure that all storage points are secure. Previously, PCI strongly discouraged unnecessary data storage, but the new best practice puts even greater emphasis on merchants knowing where card data are within their computer network and removing that information from departments that don’t need it.
As part of their sermons about the perils of storing account data, acquiring banks and the card networks are stressing to merchants that each time they decrypt stored card data to share with other departments, such as marketing, they are at risk of a data breach.
Once decrypted data are exposed within the merchant’s network, they not only become vulnerable to hackers who have a back door into the network, but they can flow anywhere within the network without proper supervision.
In many cases, the unexpected places to which data flow lack the proper firewalls and access controls to keep out hackers. Security experts tell stories of audits that turned up card information in such unlikely places as, in one example, the computer files of a company’s human-resources department.
Ingrained Habit
The risk of a breach arises when hackers gain unauthorized entry into a merchant’s network and run a so-called sniffer program that captures network traffic, or search file shares and databases directly, to locate and copy unencrypted card data.
“Companies come to us and say they have found card data in the most unexpected places within their network, and many say they never realized it was even floating around in the system,” says Bob Russo, general manager of the Wakefield, Mass.-based PCI Council. “The risk involved with data storage at the merchant level is clear now and so is the message to merchants: don’t store card data if you don’t need to.”
The PCI Council, card networks, and others hope that merchants will now realize that by no longer storing card data they can shift the risk for storage to their acquiring bank and avoid the subsequent fines and bad press that accompany a data breach. Finally, the card industry believes merchants will realize they can significantly reduce expenses by eliminating storage of card data.
“Storing card data with the acquirer reduces the merchant’s PCI-compliance costs and the related [information-technology] costs,” says Branden Williams, director of the security consulting practice at Hopkinton, Mass.-based EMC Corp.’s RSA division. “Preventing data breaches at the merchant level is more about business practices than encryption technology.”
Despite the card industry’s push to persuade merchants to no longer store card data, many payments experts concede that it will be a tough habit for many merchants to kick because the practice is deeply ingrained in their business culture.
Ironically, many of the reasons merchants espouse for storing card data—such as settling disputes and formal chargebacks, billing recurring payments, and crediting a consumer’s card after a return—are misconceptions. So too is the argument that card-account numbers must be kept as a way to identify and track spending habits of consumers not enrolled in a loyalty card program.
In actuality, those actions can be handled with a data token that is sent to the acquirer. A token is a surrogate value that stands in for the primary account number (PAN) in the merchant’s systems. Format-preserving tokens are typically the same length as the PAN they replace, which is 16 digits for Visa, MasterCard, and Discover cards and 15 digits for American Express cards. Commonly only the last four digits of the actual PAN are carried over into the token. The remaining characters are alphanumeric values that the processor or acquirer can map back to the card, but they are not themselves account numbers and cannot be reversed without access to the acquirer’s token vault.
When a data token is sent to the acquirer, which typically generates the token for the merchant, the acquirer looks the token up in its vault, the protected mapping from tokens to account numbers, to find the proper account and initiate a recurring payment, issue a credit, or provide the merchant with the information needed to resolve a transaction dispute or link a transaction to a specific card. Throughout the process the real card data stay in the acquirer’s secure repository, encrypted at rest; the merchant handles only the token.
“Merchants don’t need actual card data to initiate and complete these actions,” says Walter Conway, a PCI qualified security assessor (QSA) for Brookfield, Wis.-based security consulting firm 403 Labs LLC. “The reason merchants feel they need to keep card data for these types of actions is because they have always done so.”
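The vault-backed tokenization scheme described above, as an added example that is not code from any acquirer or from the article: a token of the same length as the PAN, with only the last four digits preserved and every other position drawn at random, so the token itself reveals nothing and can only be mapped back to the card by the party holding the vault. The in-memory map, the letters-only alphabet for the generated positions, and the test number 4111111111111111 are assumptions of this demo, not details from the page.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// Vault is a minimal stand-in for the acquirer-side token vault: the only
// place where a token can be mapped back to a PAN. This demo keeps the map in
// memory; a real vault is an access-controlled, encrypted datastore.
type Vault struct {
	mu      sync.Mutex
	toPAN   map[string]string // token -> PAN
	toToken map[string]string // PAN -> token, so one card gets one token
}

func NewVault() *Vault {
	return &Vault{toPAN: map[string]string{}, toToken: map[string]string{}}
}

// tokenAlphabet deliberately contains no digits, so a token can never be
// mistaken for, or accidentally processed as, a real PAN. (Design choice for
// this demo; the article only says the characters are alphanumeric.)
const tokenAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ"

// Tokenize returns a token of the same length as pan that preserves only the
// last four digits; every other position comes from a CSPRNG, so the token
// carries no information about the PAN beyond those four digits.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("pan length out of range")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", errors.New("pan must be numeric")
		}
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if t, ok := v.toToken[pan]; ok {
		return t, nil // recurring billing reuses the same token
	}
	for {
		t, err := randomToken(pan)
		if err != nil {
			return "", err
		}
		if _, taken := v.toPAN[t]; taken {
			continue // collision: draw again rather than alias two cards
		}
		v.toPAN[t] = pan
		v.toToken[pan] = t
		return t, nil
	}
}

// randomToken fills all but the last four positions from tokenAlphabet and
// copies the PAN's last four digits into the tail.
func randomToken(pan string) (string, error) {
	n := len(pan)
	buf := make([]byte, n)
	for i := 0; i < n-4; i++ {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(tokenAlphabet))))
		if err != nil {
			return "", err
		}
		buf[i] = tokenAlphabet[idx.Int64()]
	}
	copy(buf[n-4:], pan[n-4:])
	return string(buf), nil
}

// Detokenize is the acquirer-only step behind a recurring payment, a credit
// for a return, or dispute research. Without the vault there is no way back.
func (v *Vault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.toPAN[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	v := NewVault()
	pan := "4111111111111111" // constructed Visa-format test number
	tok, _ := v.Tokenize(pan)
	fmt.Println("token:      ", tok)
	back, _ := v.Detokenize(tok)
	fmt.Println("detokenized:", back)
}
```

Because the generated positions are random rather than derived from the PAN, a stolen token database gives an attacker nothing to compute; the only asset worth protecting is the vault mapping, which stays with the acquirer.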
If merchants genuinely feel the need to store card data, the card industry is urging they tokenize the data.
“Tokenization is where the payments industry is moving in regard to data storage,” says Rob McMillon, director of solution development for RSA. “If the database where tokens are stored is attacked, tokenized data is of no use to the hacker because the codes used to create the tokens are random.”
No Tampering
Even though acquirers and the card networks are preaching tokenization to merchants as the preferred method for storing card data, their message extends further to include front-end encryption.
Point-to-point encryption (a term the PCI Council prefers over the more popular but less precise “end-to-end” descriptor) is a process that encrypts card data at the point of sale before they are transmitted to the card processor for authorization. It is being pushed hard as part of merchants’ overall data-security plans.
Point-to-point encryption is done in one of two ways. In the first, the POS terminal itself is programmed to encrypt the PAN as the card passes through the magnetic-stripe reader. Merchants typically do not hold the key to decrypt the data; it is held on the processor’s side. This creates another layer of internal security for the merchant: an employee cannot hand criminals a key the merchant never had, and data intercepted as they travel across the merchant’s POS network are unreadable without it.
In the second, merchants using an electronic cash register install software on their POS network that encrypts card data as they are keyed into the register or as a card passes through a mag-stripe reader attached as a peripheral device.
One advantage of installing POS terminals with built-in point-to-point encryption is that they are designed to shut down, and in tamper-responsive designs to erase their keys, if tampered with. “It’s a measure that prevents criminals from attempting to get at the encryption key by compromising the terminal,” says Paul Rasori, senior vice president of global marketing for terminal maker VeriFone Systems Inc.
San Jose, Calif.-based VeriFone, which is placing greater emphasis on recurring revenues from its VeriShield Protect data-security suite, PAYware Mobile products, and other offerings, said in its fiscal 2010 fourth-quarter earnings report that service revenues grew 50%, to $47.7 million, over the same period a year earlier.
‘A Dormant Tumor’
Despite the card industry’s efforts to build a stronger, more compact defensive perimeter around stored card data with fewer entry points for hackers to attack, vulnerabilities still exist.
Malware, malicious software designed to access a computer system undetected, poses a significant challenge. Malicious code that is embedded in card data before encryption and then encrypted along with it is virtually undetectable in storage, because encryption scrambles the byte patterns that signature-based scanners look for. The code cannot execute while it sits encrypted; the danger is that it is later decrypted, unexamined, along with the data it rode in on.
The threat from malware exists on two fronts. First, older POS terminals that do not have point-to-point encryption capabilities and rely on a software program to encrypt data after the card has passed through the reader are prime targets. Criminals can tamper with the terminals so that malware is attached to card information as the card is swiped and before data are encrypted.
Payments experts concede that a large base of older terminals that can be tampered with still exists. “A lot of terminals are not PCI-compliant yet,” says VeriFone’s Rasori. “Visa has issued a sunset date of 2014 to have these terminals compliant or retire them, but it’s a few years away.”
A more menacing threat is the potential for hackers to find back doors into an acquirer’s computer network. Criminals can pay an insider to leave open an entry point to the network so they can inject malware. Hackers are betting that some of that code will find its way into the storage server for card data after it is encrypted.
“Some suspicious [malware] code has been found even on long-term data storage,” says Gideon Samid, chief executive of AGS Encryptions Ltd., a data-security consulting firm, and security columnist for Digital Transactions. “I am not sure how the hackers plan to use it and when, but any such contamination should be purged as soon as it is discovered. Once encrypted malware gets in a data storage server it can sit like a dormant tumor waiting to grow.”
Acquirers make juicy targets because they hold far more account data than merchants.
To negate the malware threat, Samid recommends a double-encryption process: encrypting the data a second time, under a separate key, even after they have undergone point-to-point encryption, to add another layer around data that may have been infected with malware before the initial encryption. Samid argues that using a less popular cipher for the second layer makes it tougher for criminals to find the key to it. The conventional cryptographic view is that a second layer earns its keep through an independent key rather than an obscure algorithm, since less-used ciphers have also received less scrutiny.
“Criminals focus on cracking the popular data ciphers, so using a less popular cipher for the double-encryption process can stymie their efforts,” says Samid.
Closing Loopholes
Some security executives also have raised concerns about encrypting small fields of card data separately. The concern is that a field such as the expiration date has very few possible values (only a few hundred month-and-year combinations), so if each value is encrypted on its own under a deterministic scheme, identical dates produce identical ciphertexts, and an attacker holding a dump can recover them by matching against the handful of values he already knows, with no key required. The theory these executives put forward is that patterns learned this way could serve as a blueprint for attacking the encryption of the larger fields; with a sound modern cipher the key itself is not exposed this way, but the leakage of the small field is real.
“There is a potential risk to encrypting smaller data packets, but that can be avoided by bundling all the relevant card data into a larger data block that requires a longer key to unlock the cipher code and using point-to-point encryption,” says Steve Elefant, chief information officer for Princeton, N.J.-based merchant acquirer Heartland Payment Systems Inc.
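The small-field problem described above, as an added example that is not Heartland’s E3 code or anything from the article. A constructed dump of eight expiry dates is encrypted two ways: each date on its own in a deterministic mode (one raw AES block, no IV), and with AES-GCM under a fresh random nonce, which is one way to achieve the randomized, larger-block protection Elefant describes. An attacker who knows the dates on just two records (transactions made with his own cards) labels every matching ciphertext in the deterministic dump, and gets nowhere against the randomized one. The key, the dates and the indexes of the attacker’s own records are assumptions of this demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// demoKey is a constructed 32-byte key (AES-256) for this example only.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// sampleExpiries is a constructed transaction dump: the expiry (MMYY) of eight
// cards. Expiry dates cluster heavily in practice; here three values cover all
// eight cards.
var sampleExpiries = []string{"0312", "0312", "1113", "0312", "1113", "0514", "0312", "1113"}

type record struct {
	trueExpiry string // known only to the legitimate system; used to grade the attack
	cipherHex  string // what an attacker holding the dump sees
}

func mustBlock(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// encryptDeterministic models a small field encrypted on its own in a
// deterministic mode (a single AES block, no IV): equal plaintexts always give
// equal ciphertexts.
func encryptDeterministic(key []byte, field string) []byte {
	in := make([]byte, aes.BlockSize) // "MMYY" zero-padded to one block
	copy(in, field)
	out := make([]byte, aes.BlockSize)
	mustBlock(key).Encrypt(out, in)
	return out
}

// encryptRandomized encrypts the same field with AES-GCM under a fresh random
// nonce, so equal plaintexts give unrelated ciphertexts. The nonce is stored in
// front of the ciphertext; it need not be secret.
func encryptRandomized(key []byte, field string) []byte {
	aead, err := cipher.NewGCM(mustBlock(key))
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, []byte(field), nil)
}

// buildDump encrypts every expiry with enc and returns the resulting dump.
func buildDump(expiries []string, enc func([]byte, string) []byte) []record {
	dump := make([]record, len(expiries))
	for i, e := range expiries {
		dump[i] = record{trueExpiry: e, cipherHex: hex.EncodeToString(enc(demoKey, e))}
	}
	return dump
}

// recoverExpiries is the attacker's move. Without the key, he knows the
// plaintext of a few records (indexes in known, e.g. his own cards) and
// extends those labels to every record whose ciphertext matches. It returns
// index -> recovered expiry.
func recoverExpiries(dump []record, known []int) map[int]string {
	table := map[string]string{}
	for _, i := range known {
		table[dump[i].cipherHex] = dump[i].trueExpiry
	}
	recovered := map[int]string{}
	for i, r := range dump {
		if e, ok := table[r.cipherHex]; ok {
			recovered[i] = e
		}
	}
	return recovered
}

func main() {
	known := []int{0, 4} // attacker's own two cards: expiries 0312 and 1113
	det := recoverExpiries(buildDump(sampleExpiries, encryptDeterministic), known)
	rnd := recoverExpiries(buildDump(sampleExpiries, encryptRandomized), known)
	fmt.Printf("deterministic: %d of %d expiries recovered\n", len(det), len(sampleExpiries))
	fmt.Printf("randomized:    %d of %d expiries recovered\n", len(rnd), len(sampleExpiries))
}
```

The attacker never learns the key; what leaks is equality between records, which a low-entropy field turns into plaintext. Bundling the expiry with the PAN into one block would also break the equality only if the mode chains or randomizes across the block; in ECB a bundled field that lands in its own 16-byte block leaks exactly as it does here.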
After reporting in January 2009 what turned out to be the largest data breach in card-industry history—130 million cards compromised—Heartland stepped up its end-to-end encryption initiative, dubbed E3.
E3 terminals are tamper-resistant hardware devices that use AES (Advanced Encryption Standard) to safeguard all data on Track 1 and Track 2 of a card’s magnetic stripe or keyed manually into the terminal. The terminal automatically rotates its encryption keys on a regular basis.
“End-to-end encryption is part of a comprehensive data-security strategy that includes tokenization and eventually EMV cards,” says Elefant, referring to the so-called EMV chip-and-PIN cards that are supplanting mag-stripe cards in most industrialized countries except the U.S. “Effective data security is about closing every potential loophole in the system.”
‘Professional Criminals’
One loophole that needs to be closed is e-commerce. Malware frequently finds its way onto consumers’ computers while they visit non-retail Web sites. That makes it possible for hackers to pick off PANs and other card data when a consumer using an infected machine makes an online purchase.
“As PCI compliance and other data-security efforts make it harder for hackers to get card information from merchants and acquirers, hackers will look for the least path of resistance and that is consumer computers,” says Daniel McCann, president of Regina, Saskatchewan-based NetSecure Technologies Ltd. “A lot of hackers are already concluding it is easier to steal 10,000 individual card numbers from consumers than steal them all at once by hacking a database.”
NetSecure’s SmartSwipe device provides end-to-end encryption of consumer online purchase transactions. The device, which retails for $89, plugs into the USB port of a personal computer or laptop. Consumers install the supporting software. NetSecure is striking deals with banks, such as Edmond, Okla.-based Kirkpatrick Bank, to market the device to their customers.
Just as military strategists know even the most formidable defensive perimeters can be breached by a tenacious enemy, the card industry knows that the defenses put in place today may soon be obsolete as cyber criminals step up their efforts to hack card data.
“Today’s hackers are not amateurs; they are professional criminals that are well organized and funded and many of them have advanced degrees in computer technology,” says Heartland’s Elefant. “The risk is in the weak spots around data-protection practices and encryption. The further the card industry pushes best practices and encryption, the less risk there is of a data breach.”
Data Encryption Best Practices
Limit clear-text availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
Use robust key management solutions consistent with international and/or regional standards.
Use key lengths and cryptographic algorithms consistent with international and/or regional standards.
Protect devices used to perform cryptographic operations against physical/logical compromises.
Use an alternate account or transaction identifier for business processes that require the primary account number (PAN) to be used after authorization, such as processing of recurring payments, customer loyalty programs, or fraud management.
Source: Visa Inc.
Card Tokenization Best Practices
On the cardholder receipt, merchants should disguise or suppress all but the last four digits of the card number (####-####-####-1234) and suppress the full expiration date (currently required in the U.S.).
On their copy of the receipt, merchants should disguise or suppress the card number so that a maximum of the first six and last four digits of the number are displayed (1234-56##-####-1234), and also suppress the full expiration date.
Acquirers should support merchants that choose not to store full card numbers by providing transaction-data storage. Merchants may then retain only disguised or suppressed card numbers on their copies of receipts.
Acquirers should evolve their systems to provide merchants with substitute transaction identifiers or tokens, in place of using full card numbers.
Acquirers should disguise or suppress card numbers in any merchant communications, such as e-mail, reports, statements, etc. The PCI rules already require that card numbers transmitted over public networks must be rendered unreadable (e.g. by encryption, truncation or hashing).
Source: Visa Inc.