To effectively secure payment card data, encryption must occur in tamper-resistant security modules, says Steve Elefant.
Software always leaves valuable payment card data in the clear somewhere during the life cycle of the transaction.
Steven M. Elefant is managing director at Soaring Ventures, Lafayette, Calif., and of counsel at The Strawhecker Group (TSG), Omaha, Neb. Reach him at steve@soaringvc.com.
I went on record two years ago that we in the payments business should take a look at the then recently published Open Web Application Security Project (OWASP) “Top 10 for 2010” list of Web application security flaws. That’s all it took even then to realize that there truly is no such thing as safe software when it comes to the security of payment card data.
Real protection from software vulnerabilities and malware threats requires security controls embedded in hardware—e.g., physical and logical security.
I have been a proponent of strong encryption and tokenization, both done in hardware, as the best methods for protecting payment card data. But you have to employ physical protections and tamper-resistant security modules (TRSMs) and hardware security modules (HSMs) to protect the plain-text data and cryptographic keys. Simply put, you must encrypt in software and hardware. Software encryption is better than nothing, but generally not good enough.
‘Better Than Nothing’
TRSMs were introduced with encrypting PIN pads more than 25 years ago to encrypt debit card PINs for secure processing and transmission, and this proven technology continues to develop as an important layer of protection against physical attacks that expose plain-text data and cryptographic keys. TRSMs serve as a highly effective tool to diminish exposure and protect the data where and when they’re entered—at the point of swipe.
New technologies like tablets and mobile devices, as well as EMV chip cards and near-field communication (NFC) technology, will help secure the retail world against fraudulent cards. But these technologies will most likely push more fraud to e-commerce. E-commerce is projected to grow to nearly $1 trillion by 2015, according to the consultants at KPMG, so new security solutions will need to be created.
Different methods for securing payments at the point of sale are being talked about in the industry right now. There are companies claiming that encryption in software only is enough protection for our sensitive data, that software-based encryption is “safe,” and that this level of encryption is “better than nothing.”
It is true that software encryption is better than no encryption. However, software always leaves valuable payment card data in the clear somewhere during the life cycle of the transaction. For example, how are you protecting the data from interception before they’re encrypted? How are you protecting the encryption keys from being accessed by unauthorized persons?
That brings us to a comparison of encryption and tokenization. Tokenization creates a substitute for the real data. I believe in tokenization as a complement to encryption in the payments-processing life cycle, but not as a single solution.
Tokenization takes place in a tokenization engine, which is typically located in the computer system of a gateway service provider or the payments processor. How does the card number get to the tokenization engine? If there is no encrypting TRSM at the point of sale to protect the payment card data, the data are transmitted in the clear and so are susceptible to central-processing unit sniffers, memory sniffers, and other types of malware.
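The two data paths described above, as an added example that is not from the article: a Luhn-based scan (the same pattern a memory scraper uses, turned to defensive use) checks each hop between the swipe and the tokenization engine for a plaintext PAN, once with software-only handling and once with encryption at the read head. The card number is a constructed Luhn-valid test value, and the HMAC-SHA256 keystream stands in for the terminal's real cipher.

```python
import hashlib, hmac, re, secrets

# Constructed sample: a Luhn-valid test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check, which separates card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_plaintext_pans(buf: bytes) -> list[str]:
    """What a memory scraper, or a defender scanning a memory dump or capture, looks for."""
    return [m for m in PAN_RE.findall(buf.decode("latin-1")) if luhn_valid(m)]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the terminal cipher (assumption; real TRSMs use DUKPT/3DES/AES): HMAC keystream."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(p ^ s for p, s in zip(data, stream))

def trsm_encrypt(key: bytes, pan: bytes) -> bytes:
    """Encrypt at the read head, before any terminal software sees the PAN."""
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, pan)

def hsm_decrypt(key: bytes, blob: bytes) -> bytes:
    """Decrypt only inside the processor's HSM boundary, next to the tokenization engine."""
    return keystream_xor(key, blob[:16], blob[16:])

def tokenize(vault: dict, pan: str) -> str:
    """Tokenization engine: hand the merchant a random surrogate and keep the PAN in the vault."""
    token = "tok_" + secrets.token_urlsafe(12)
    vault[token] = pan
    return token

def exposure_report(encrypt_at_swipe: bool) -> dict[str, bool]:
    """For each hop from swipe to tokenization engine, does the buffer hold a plaintext PAN?"""
    key = secrets.token_bytes(32)   # shared by the terminal's TRSM and the processor's HSM
    payload = trsm_encrypt(key, SAMPLE_PAN.encode()) if encrypt_at_swipe else SAMPLE_PAN.encode()
    hops = {"pos_app_memory": b"txn=0001;amount=1999;pan=" + payload,
            "network_to_gateway": b"POST /auth " + payload}
    report = {hop: bool(find_plaintext_pans(buf)) for hop, buf in hops.items()}
    clear = hsm_decrypt(key, payload).decode() if encrypt_at_swipe else payload.decode()
    token = tokenize({}, clear)     # what the merchant stores afterwards
    report["token_returned_to_merchant"] = bool(find_plaintext_pans(token.encode()))
    return report
```

With `encrypt_at_swipe=False` the report flags both the POS memory and the network hop, which is exactly the window the article says tokenization alone cannot close; with it set to `True`, no hop outside the HSM carries a scannable PAN.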
Compliance Is Not Security
The takeaway for IT security professionals—and anyone in the business of payments—is this: Don’t just assume software is enough. A layered approach to security, using multiple defenses, is required. To send valuable credit card data and consumer information in the clear at any point of the transaction life cycle is an unacceptable risk. You might be protecting a portion of the transaction, but you are still leaving holes and weak links at some point for the bad guys to exploit.
Today, unfortunately, we are dealing with very sophisticated adversaries from around the world. These are not the 14-year-old kids portrayed by Matthew Broderick years ago in the movie “WarGames.” These are the 21st-century bank robbers. They are organized criminal gangs, literally patterned after the Mafia, that are powered by Ph.D.-holding bad guys who have nothing to do but go after our money and our critical infrastructure.
Consider evaluating POS hardware with encryption and TRSMs inside, certified by the PCI Security Standards Council. Such hardware provides physical protection and can be purchased at a price comparable to non-encrypting POS devices. If anyone attempts to compromise the TRSM inside the POS terminal, the encryption keys are deleted immediately, making the terminal inoperable. PCI has people thinking a lot more about security, but we must realize that compliance does not equal security.
As we work to safeguard the payments ecosystem and protect cardholder data, we must consider new approaches to improve the current system. Above all, we must take the necessary steps to stop transmitting card data in the clear. Unless you protect the valuable and sensitive card data in both software and hardware, you are leaving them vulnerable to ongoing attacks.
Besides hardware security, there are a few other steps that would be helpful. I don’t believe that security can be mandated by government (much as I don’t believe Durbin has “fixed” the payments business). However, a strong public-private partnership between the intelligence/law-enforcement community and organizations like the Payment Processors Information Sharing Council (PPISC)/Financial Services Industry Strategic Analysis Center (FS-ISAC) and the Security Innovation Network (SINET), can be a very effective tool to promote information sharing among the good guys. This is often very hard because critical information is walled off in silos, whereas the bad guys are very good at sharing information. In addition, a national breach law, rather than standards being issued by every state, would be much more positive and helpful for the industry.