Gartner Blog Network

Reflections on RSA and the need for Retailer Information Sharing

by Avivah Litan  |  March 4, 2014  |  3 Comments

Just got back from the 2014 RSA Security conference where I had lots of stimulating conversations with colleagues in the security industry. What stood out the most to me was the dearth of information sharing in the retail payment card industry. You’d think that the PCI Security Council would promote information sharing on threats and POS malware to help retailers prevent breaches against their systems. But instead that task has fallen largely to well-known security blogger Brian Krebs who has to sleuth his way around the underworld and the opaque payments industry to uncover the truth about breaches against retailers. See

Big buzz at the RSA conference – Who will be or already is the next Target? Which retailer got hacked this time? And what solutions can prevent this madness?

Information sharing is not easy in retail payments. I have colleagues who would like to share specific information on the behavior of malware attacking retailers but are shut down by lawyers for retailers, POS software vendors, insurance companies and others. This makes no sense to me, when information sharing that provides safe harbor for those who disclose, and confidentiality for the victims, is exactly what is needed to help stop future attacks.

The legal issues are thorny and complex.

But at least there is progress being made on structuring threat intelligence so that what is shared can be read by machines as well as humans. At least one threat intel firm, Fox-IT, is working with the MITRE Corporation on structuring the presentation and dissemination of threat intelligence to commercial entities using standard protocols. MITRE has been a major player in developing the STIX and TAXII standards for threat intelligence sharing in government.
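As an added illustration of the machine-readable sharing described above (example code, not from the post, Fox-IT or MITRE), the constructed STIX 2.1 bundle below carries a human-readable description and a machine-parseable indicator pattern in the same object, plus a TLP marking of the kind that lets a sharer state handling restrictions; a small consumer extracts the indicator and matches it against locally observed file hashes. The STIX version, object ids, hash value, names and TLP level are all placeholders (the post predates STIX 2), and only the simple single-hash pattern form is parsed.

```python
import json
import re

# Constructed STIX 2.1 bundle: placeholder ids and hash, not real indicator data.
MARKING_ID = "marking-definition--00000000-0000-4000-8000-000000000002"
SHARED_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": MARKING_ID,
         "created": "2014-03-04T00:00:00.000Z",
         "definition_type": "tlp", "definition": {"tlp": "amber"}},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2014-03-04T00:00:00.000Z", "modified": "2014-03-04T00:00:00.000Z",
         "name": "Constructed POS memory-scraper sample",
         "description": "Placeholder text a human analyst reads; the pattern below is what tools consume.",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "0" * 63 + "1']",
         "valid_from": "2014-03-04T00:00:00Z",
         "object_marking_refs": [MARKING_ID]},
    ],
})

# Only the single file-hash comparison form of a STIX pattern is handled here.
HASH_PATTERN = re.compile(r"\[file:hashes\.'SHA-256'\s*=\s*'([0-9a-f]{64})'\]")


def load_indicators(bundle_json):
    """Return (name, sha256, tlp_labels) for each file-hash indicator in the bundle."""
    bundle = json.loads(bundle_json)
    tlp = {o["id"]: o["definition"]["tlp"]
           for o in bundle["objects"] if o["type"] == "marking-definition"}
    found = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        m = HASH_PATTERN.fullmatch(obj["pattern"])
        if m is None:
            continue  # unsupported pattern shape: skip rather than mis-parse
        labels = [tlp.get(ref, "unknown") for ref in obj.get("object_marking_refs", [])]
        found.append((obj["name"], m.group(1), labels))
    return found


def match_observed(bundle_json, observed_sha256s):
    """Names of shared indicators whose hash appears among locally observed file hashes."""
    known = {sha: name for name, sha, _ in load_indicators(bundle_json)}
    return sorted({known[h] for h in observed_sha256s if h in known})
```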

But what good are these standards if the lawyers stop the information from getting out? Whatever happened to Obama’s Executive Order to promote threat intelligence and give safe harbor to those who provide it? Progress is slow in the government, although things are moving. See

I’m not optimistic that the situation will change substantially in the near future, so until then the only ones who win are the criminals. And the only ones who disseminate the threat information are journalists like Brian Krebs, who have to go to extraordinary lengths to get the information in the first place. And they do so without any safe harbor. In fact, if I were Brian, I’d be more worried about the lawyers than the criminals.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.

Thoughts on Reflections on RSA and the need for Retailer Information Sharing

  1. Matthew Cook says:

    We’re seeing this impacting online gaming more and more, too, as publishers move from a traditional product-focused monetization strategy to a free-to-play model with optional ‘freemium’ elements that rely on maintaining a relationship over time. Many of the publishers we’ve spoken to have specifically mentioned the opacity in transactions after they’re sent to the credit card company, combined with the fact that many transactions are accepted by the card processor, then later are charged back. This can ruin even an established publisher with tens of thousands of converted customers, as these issues directly impact their bottom lines…

    Congrats on the Krebs link – good article.
