Avivah Litan

A member of the Gartner Blog Network

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio

Coverage Areas:

How PCI failed Target and U.S. Consumers

by Avivah Litan  |  January 20, 2014  |  17 Comments

The PCI (Payment Card Industry) security standard has largely been a failure when you consider its initial purpose and history. Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach. These companies spent untold sums of money annually certifying compliance to the payment card networks and their acquiring banks but it didn’t stop their breaches.

The payment card industry failed to face up to major security problems when there was still time to do something back in 2005 after the first major card breach at Card Systems International, when 40 million cards were compromised. At that time, the card issuing banks and the card networks (Visa, Mastercard) came up with the PCI security standard as their answer for stronger card security, when Congress took them to the mat during congressional hearings.

Visa, MasterCard and the banks they represent thought that with PCI they could enforce adequate security at retailers and payment processors, while letting them bear major security burdens and costs. This was much easier and less costly for the U.S. banks, who are the last major holdouts in the world to upgrade to much more secure EMV Chip cards. None of them wanted to pay for those costly chip upgrades unitl now, when it’s almost too late.

If anyone was looking at the situation clearly back in 2005, they would have been able to forecast the trajectory we are now on – which is more and more devastating card breaches (ala TJX, Heartland Payment Systems) executed by more organized crime rings who know how to cash out the cards very quickly. A happy ending to this trajectory is far from sight. Indeed, why should the criminals stop when arrests are so far and few between, and when they typically enjoy immunity in their Eastern European countries of residence?

Clearly, PCI compliance is not working very well – despite billions of dollars spent by merchants and card processors in efforts to achieve it. For example, the standard hasn’t kept up with the latest attack vectors and retailers can’t be expected to know more than the security vendors do about detecting new forms of malware that evades conventional measures prescribed by PCI.

My understanding of the malware used in the latest round of breaches against Target and other retailers (allegedly there are many more that have not been announced) is that it attached itself in memory to the POS software (as opposed to being a memory scraping program as reported by others) and just captured the data as it went through the POS application. Like a worm, it had propogated itself to all the POS terminals throughout Target before attaching to the POS application. It aggregated the stolen data on a central Target server, and then double encrypted the data on the way out of the company so that the retailer IDS systems couldn’t detect it.

None of the conventional anti-malware applications on the market today look for this sort of program. And one question still not answered is how did it get inside the retailer network in the first place? Some security folks I spoke with said it got past POS whitelisting techniques used at retailers they work with – meaning perhaps somehow the supply chain was corrupted and the malware was attached to a routine POS software update.

Nothing I know of in the PCI standard could have caught this stuff. So I think it’s flat out wrong to blame this all on Target or on any of the other breached entities. The card issuing banks and the card networks (Visa. MasterCard, Amex, Discover) share responsibility for not doing more to prevent the debacles that have predictably occurred over the past nine years, when the big breaches first began.

At the least, they should have upgraded the payment systems infrastructure to support end (retailer) to end (issuer) encryption for card data much like PINs are managed today. They should have also started migrating to stronger cardholder authentication (ala EMV Chip cards) so that the magnetic stripe on the back of our cards can finally be eliminated.

While not perfect, these standardized measures would have gone a long way to preventing card data breaches. Instead the industry just keeps expecting retailers to patch a faulty and antiquated payment system via PCI compliance.

Of course, Visa, MasterCard and the qualified security assessors who perform the PCI audits have all covered themselves legally. That’s one area where they’ve been proactive. The assessor contracts that retailers and processors sign state that the assessor has no liability in the case of a breach. Further, when PCI first came out, Visa and MasterCard used to give merchants “safe harbor” from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach. When I asked Visa to explain, they told me “well the merchant must not have really been PCI compliant if they got breached. And perhaps they didn’t give their assessor all the information they needed to properly audit their systems.”

The banks and the card networks incorrectly assumed they could keep relying on the retailers and payment processors to lock down the payment system. That was shortsighted thinking that has unfortunately caught up with them as customer service costs mount and consumer confidence is shaken.

As for the merchants – they are still basically toast and not in an enviable position.

17 Comments »

Category: Uncategorized     Tags:

17 responses so far ↓

  • 1 How PCI failed Target and U.S. Consumers | All that Cuteness   January 20, 2014 at 1:02 pm

    [...] By Avivah Litan [...]

  • 2 Early lessons from the Target breach Retrocell | Used Cell Phone | Bell Telus Rogers | Blog   January 21, 2014 at 6:45 am

    [...] To read the Gartner blog click here. [...]

  • 3 AJ Clark   January 21, 2014 at 2:41 pm

    Do you have confirmation that Target was PCI certified? Early reports said they weren’t. Part of the trouble with a PCI Report on Compliance is that it’s a point in time assessment but valid for 12 months. If they infact were PCI Certified and after forensic examination it was determined they were PCI Compliant still they would have “Safe Harbour” and be resonsible for any of the expense of breach from the card processor. I doubt most organisations would hold up to following every rule on every system as interpreted by a different party from your original assessor. It seems no 2 QSA’s have the same opinon on many subjects.

    “None of the conventional anti-malware applications on the market today look for this sort of program.”

    Well technically they do – there are many reports that this was BlackPOS malware or some newer variant. You’re statement nothing looks for it is true up until the point it’s found then a signature gets written and the next retailer might be safe. Symantec added a signature to catch BlackPOS a day after the Target breach was announced. Another variant remains undetectable still so the bad guys still have a chance to exploit it while the collective “we” play catch-up. The signature based anti-malware approach means you’re “safe” as long as you’re not hit first.

    Your call for end-end encryption seems to be one the banks don’t want to hear. That moves the liabilty to them. why not leave it with the merchant. I would extend your premise from retailer-issuer encryption to issuer-provided-PIN-pad to issuer encryption. Don’t let merchants see the clear text card number ever. It’s not a “convenient customer number”. Don’t stop calling for end-end encryption or the banks will just smile and collect their fees and chargebacks.

  • 4 KJ   January 22, 2014 at 11:42 am

    “it attached itself in memory to the POS software (as opposed to being a memory scraping program as reported by others) and just captured the data as it went through the POS application.”

    It is the same words, as all information which goes through POS software will be in the RAM of the computer if it is standalone PC.

    Can agree with all words you said, thank you!

  • 5 Jeff Hall   January 22, 2014 at 2:24 pm

    Information security is not and never is perfect. When implemented properly, information security minimizes risks and facilitates the management of any residual risks, not entirely remove risks. That said, end-to-end encryption is not a panacea either as the attackers will just move their attacks to the endpoints. The only true solution to our present situation is to get rid of the data at the endpoint so that the attackers do not have anything useful to obtain. One such solution would be a single use transaction code.

  • 6 Retailer Breaches: A PCI Failure? | SMLR Group, Inc.SMLR Group, Inc.   January 23, 2014 at 11:27 am

    [...] Gartner’s Litan ignited the latest PCI discussion with a Jan. 20 blog. [...]

  • 7 Mark Horwedel   January 23, 2014 at 1:32 pm

    Avivah,

    You are spot on. Most merchants recognize PCI is not focused on containing fraud but instead on shifting the cost of fraud to merchants. Our research indicates merchants spend much more on PCI compliance than all sides experience in actual fraud losses.
    If PCI was really about fighting faud, they would have advocated PINs on all card purchases years ago, end-to-end encryption and tokenization. They also would have been out-front in advocating chip & PIN. Truth is they don’t do anything that translates into increased costs to issuers, a predictable result when merchants are not included on the PCI Board and have no voting participation!

  • 8 Ian   January 23, 2014 at 4:05 pm

    I wonder if Litan actually understands what PCI is and what the requirements are. First of all, a clan RoC is *not* a get-out-of-jail-free card for when a breach occurs. When one happens, one of the things that is going to be looked at by the brands is whether the breached entity was compliant *at the time* of the breach.

    Let’s look at the facts as we know them: malware running on the POS systems, and the data was exfiltrated. Given that not all malware can be detected by conventional antivirus, we can still fall back on things like file integrity monitoring (FIM) to alert us that a change has been made on the victim machine. Second, a properly implemented CDE should have segmented off the systems that have access to cardholder data from being able to access the corporate network, much less the Internet. Clearly, this is a lack of proper segmentation and filtering. While I’ll be the first to declare that segmentation is not a requirement for PCI compliance, it’s certainly in the entity’s best interests to do so for scope reduction. Egress filtering on the other hand, falls squarely in Requirement 1.

    If anyone bothered to look at DSSv3, it addresses memory-scraping maware (Requirement 6.5)

    As poorly written as the Standard is in places, a properly designed and implemented CDE allows for one control to fail, yet still remain secure. The failure of the DSS is that it causes vendors to focus on compliance rather than security. Compliance does not mean secure, but secure guarantees compliance.

    Shame on anyone who thinks this is anyone but Target’s fault.

  • 9 Erla Osk Asgeirsdottir   January 24, 2014 at 12:17 pm

    Avivah Litan.

    It sounds like you haven’t heard of PCI-P2PE (point-to-point encryption). A new PCI standard.

    I have been following news on the Target Breach and I find this case extremely interesting. One of the reasons is because I’m involved in the payments business and I have been attending payment related events in the U.S for two years now and I have had many discussions on EMV e.g http://www.mobilepaymentstoday.com/article/221901/EMV-migration-creating-business-opportunities

    I think we are going to see a complete change of the payment system infrastructure in the U.S. The Target Case is too expensive and customers are very unsatisfied. EMV will be implemented (and the basic implementation of terminal has started but there are still many missing links in order to continue with the implementation) and enterprise merchants will act on this as nobody wants to be the next TARGET. This breach will cost many in the payment chain a whole lot of money and that will push EMV. When it touches the wallet things start moving.

    Have you heard of PCI-P2PE (Point to Point Encryption)
    If Target would have had a PCI-P2PE certified payment application this would never have happened – so what I’m saying is that the technology is available but the companies have been betting on that the they could leapfrog EMV and go directly to NFC or some other payment infrastructure that is less expensive. Security is expensive and the change from magstripe to EMV certainly is but how much does the fraud cost?

    Here is a short information on what PCI-P2PE is
    P2PE means that no payment card data is stored in retailer’s own systems ensuring that security-levels are maintained and any risk of fraud or data-loss is minimised. The PCI-certified P2PE application sits on the EMV I+II and PCI-PTS v.3x (SRED) accredited Handpoint card reader, and not on a smartphone or tablet. The system immediately encrypts card data on the card reader and transmits it via Handpoint’s PCI-compliant Gateway. This architecture takes the smartphone or tablet payment application out of scope for further certifications.

    This is an important step towards a change in the way enterprise retailers comply with PCI standards. Enterprises will soon be able complete a simple self-assessment form – in the same way as small and micro merchants – rather than undergo regular security certification audits. This new approach to compliance represents a significant saving for enterprises; eliminating the need for costly PCI accreditation and annual auditing.

    Ok maybe not so short.
    If you want more information don’t hesitate to contact me.

    Cheers, Erla Osk

  • 10 A HART   January 24, 2014 at 10:02 pm

    Shame on you for blaming Target or any other retailer. The data on the card is in the clear. It’s embossed, it’s printed and placed on the machine readable magnetic stripe. It’s not encrypted on the card. It’s not obfuscated on the card. In short it is exposed by the card issuer and is left totally unprotected. Yet when used in the merchant environment, the retailers are expected to go to extraordinary lengths to protect the data. Why is the standard of care so much higher for the merchant? If the brands and the issuers cared about security and protecting consumers or merchants, they would take steps to AUTHENTICATE the cards they issue. And yes, the brands and the issuers know that magnetic stripe validation is possible, but why bother when you can so easily blame and shame the poor schnook that pays to accept your cards.

  • 11 PCI Needs an Overhaul   January 24, 2014 at 10:51 pm

    The jury is still out on Target, but TJ Maxx was not compliant at the time of their breach.

    According to Visa Chief Enterprise Risk Officer, Ellen Richey, “…no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.” (2009)

    Also, 41 state attorney generals went after TJX and all indications were that they were out of compliance with 9 of the 12 PCI requirements. A RoC is a snapshot in time. It does not attest to continued compliance.

    The Target compromise may have been completely preventable. We don’t have the full details of the investigation, but we know from the news that 1) there was a breach of the POS systems; 2) memory was scraped to collect card data; 3) the attackers were able to establish an outbound connection to offload data.

    Encryption at the card swipe terminal, secure hardening configuration for the POS, deny all, exception only ACLs on network devices, code practices, and all the audit and detective controls required by PCI DSS. These would be the first suspects in this investigation.

    PCI DSS is a minimum standard. If strictly adhered to, it prevents most attacks. The failure of PCI is the implementation—the card brands, banks, merchants, and auditing firms all share this burden and have competing interests. They are all to blame. The entire payment card process needs to be revamped.

  • 12 Gray Taylor   January 25, 2014 at 10:46 am

    PCI failed because it is an utterly futile (and expensive) attempt at creating clean computing environments instead of recognizing that no open, connected computing environment can ever be clean.

    Until the payments ecosystem comprehends that it is ensuring the transaction is unassailable, not the network, breaches will continue. EMV offers some respite, but will take years to implement and, as Todd Zywicki points out in the WaPo, as there is no ROI in it.

    Our society is in desperate need of new thinking and approaches to data security of all kinds (card loss is a rounding error, in reality). It has, and will continue to be, an expensive mistake to believe that card brands – the only player in the system who does not fund fraud – should have exclusive purview over this topic.

    TIme for the banks and merchants to figure it out – to protect their customers and our financial system.

  • 13 DW   January 25, 2014 at 12:36 pm

    Agreed that security needs to shift to data-centric and that the time has come to initiate a change. These breaches will continue to happen as there is no silver bullet to security. In the current system the choices are to implement controls to minimize the loss volume of data and to render the data useless outside the processing environment.

    It’s time for one-time cards. A few banks already offer this for online transactions and it’s time to develop its card-present counterpart. Current systems can be modified to utilize a tokenization scheme in the meantime, so that merchants never possess the card data.

    Maybe it will take the insurance companies to effect this change in PCI. With the rising frequency of huge breaches, it won’t be long before they tire of the payouts.

  • 14 Ian   January 25, 2014 at 2:27 pm

    Proper network segmentation is not an “extraordinary length”. Funny how all the DSS requirements fall into basic IT security best practices.

    Target failed. Miserably.

    It doesn’t matter that the cards are in the clear: Target and their IT security staff KNEW what needed to be done. If they were concerned about data whizzing around the ethers in the clear, then why didn’t they properly segment their network, or move to a P2PE and Tokenization solution? Even if the POS were completely compromised from boot to shutdown, that data should never have been able to leave the CDE.

    Security has no silver bullet. That is the result of failed thinking. Security is a process, not a solution that can be bought, bolted into the network and someone declares “hey you’re secure”. Anyone who tells you different is selling you something.

  • 15 A HART   January 25, 2014 at 7:17 pm

    Target did not fail miserably. It is as much a victim as the consumers who had their card data stolen.
    Here, for example, is a clever new way to harvest cardholder data. It’s the “Clean Your Card here – it’s FREE” scam. A group of fraudsters set up mini kiosk stations outside the largest retail stores in highly travelled shopping malls. The “FREE” service proved highly popular. The thieves were able to obtain tens of thousands of magstripe images that could be transferred onto alternate plastic and used to make fraudulent purchases. They mounted a simple swipe reader, purchased for $15.99 online, onto the “cleaning” station and were instantly in business. As the scam unfolded, the large retailers appeared to be the likely culprits for exposing the cardholder data, but the merchants in question here had very strong PCI-DSS compliant systems. Nevertheless, they faced the difficult job of proving their innocence, defending their reputations, and refuting the ignominious label “common point of compromise.” This was all due to thieves who had set up shop in their parking lots. The lesson illustrates the naïveté of those who righteously proclaim that cardholder data can be easily protected.
    So who exposed the cardholder data? The card issuers did. They emboss it, print it, and place it on the machine readable magstripe. They do not encrypt it. They do not obfuscate it. In short, they do not protect it. So you might ask why the merchant has a higher “standard of care” than the brands and their card issuers. This is an interesting legal and ethical question. If the card data is available to an ordinary crook in the parking lot, how can the brands and their issuers require the merchants who accept the cards to be the only responsible party? The merchants have no say over card security features, but they have an inequitable burden to protect the card itself. This disproportionate liability cannot stand.
    Some have suggested that EMV is the answer to data breaches. This is not accurate. EMV as implemented exposes the cardholder PAN, Name and other sensitive data. The data is as visible as it is on the magnetic stripe. The industry needs holistic transaction security. Encryption is not adequate. Tokenization is insufficient. Both the chip and the stripe data need dynamic authentication. When you can authenticate the card in real time at POS and determine that it has not been created with stolen data, the fraudsters will have no incentive to steal the data. If you combine a consumer selected PIN with a validated genuine card, you can achieve pretty darn good, very holistic security. The same cannot be said for PCI endorsed encryption, tokenization and CDE fencing schemes.

  • 16 Us   January 27, 2014 at 8:33 am

    How about saraly. Becoase I need

  • 17 Sid   January 29, 2014 at 3:59 am

    Is these are all the first step to move payment industry towards mobile based and come out of credit cards ???????