Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Sep 24, 2010

Heartland CEO on their breach

Bob Carr, CEO of Heartland Payment Systems, spoke openly about their massive 2007/2008 security breach at the SC World Conference in 2009.  Whether you work in the financial industry or in information security, it's well worth setting aside 45 mins or so to watch him present and think carefully about the underlying risk, security and commercial issues.

Essentially, Bob's point is that the payment card industry is clinging to a fundamentally flawed security model.  Card numbers taken from magstripes, or presumably from chip-n-PIN cards, are passed through the point of sale systems, the merchant back-office systems, and card processors such as Heartland, all the way to the card issuers.  For a good part of this journey, the card numbers are unencrypted and hence are vulnerable to being captured by the bad guys.  PCI DSS attempts to lock down all these intermediate points, but so long as the underlying data are in the clear, there is always going to be a risk of unauthorized or inappropriate disclosure.

He contrasts this with ATM PIN codes which are encrypted as they are entered, decrypted and re-encrypted with the issuer's PIN in a physically secure security module, and so pass through the downstrream systems and networks encrypted.  Leaving aside various security concerns such as card skimmers, compromised PIN pads and compromised security modules, this approach does at least take the burden off the ATM companies and retail banks: they don't have clear access to the PINs.  The encrypted PIN data stream is just another chunk of data to be moved around.  No worries.

Towards the end, Bob also makes some deeply worrying comments about the PCI DSS QSA (Qualified Security Assessor) audit process.  The QSAs are basically checking PCI DSS compliance, a checklist of 280 items according to Bob, for a fixed price.  If they suspect security issues beyond the narrow scope of PCI DSS, it's not in their interests to explore further as a typical internal or external IT audit might do: not only do the QSAs want to retain their customers (which means, of course, giving them a clean bill of health, i.e. "You are fully compliant" ), they also need to move on to the next fixed-price job ASAP.

There's a lot more security issues swimming around just under the surface layer of this presentation but I won't spoil it for you.  Put your feet up, click the link and think on.