Reflections on RSA and the need for Retailer Information Sharing

By Avivah Litan | March 04, 2014 | 1 Comment

Just got back from the 2014 RSA Security conference where I had lots of stimulating conversations with colleagues in the security industry. What stood out the most to me was the dearth of information sharing in the retail payment card industry. You’d think that the PCI Security Council would promote information sharing on threats and POS malware to help retailers prevent breaches against their systems. But instead that task has fallen largely to well-known security blogger Brian Krebs who has to sleuth his way around the underworld and the opaque payments industry to uncover the truth about breaches against retailers. See

Big buzz at the RSA conference – Who will be or already is the next Target? Which retailer got hacked this time? And what solutions can prevent this madness?

Information sharing is not easy in Retail Payments. I have colleagues who would like to share specific information on the behavior of malware attacking retailers but are shut down by lawyers for retailers, POS software vendors, insurance companies and more. This makes no sense to me when information sharing that provides safe harbor for those who disclose and confidentiality for the victims is exactly what is needed to help stop future attacks.

The legal issues are thorny and complex.

But at least there is progress being made on structuring threat intelligence information so that information that is shared can be read by machines as well as humans. At least one threat intel firm, Fox IT, is working with the Mitre Corporation on structuring the presentation and dissemination of threat intelligence to commercial entities using standard protocols. Mitre has been a major player in developing the STIX and TAXII standard protocols for threat intel in the government.
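To make the "readable by machines as well as humans" point concrete, here is an added example that is not part of the original post and is not code from Fox-IT or MITRE. It assumes the STIX 2.1 JSON serialization (an assumption: this post predates STIX 2, and STIX 1.x was XML), and every identifier, timestamp, hash and hostname in it is a constructed placeholder, not a real indicator. It shows the consuming side of a shared indicator: parse a bundle, pull out the file-hash indicators, ignore revoked ones, flag patterns the simple matcher cannot interpret, and check observed file hashes from POS hosts against the list.

```python
"""Consume a shared STIX 2.1 bundle of file-hash indicators and match it
against locally observed file hashes. Constructed example; no real IoCs."""
import json
import re
from typing import Dict, List, Tuple

# Only single-comparison file-hash patterns are handled. Real STIX patterns can
# combine observables and operators and need a proper pattern parser.
_HASH_PATTERN = re.compile(
    r"\[file:hashes\.'(?P<alg>MD5|SHA-1|SHA-256)'\s*=\s*'(?P<value>[0-9a-fA-F]+)'\]"
)

# Constructed bundle in STIX 2.1 JSON form. IDs, dates, names and hashes are
# placeholders made up for this example (hypothetical, not from the post).
STIX_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2014-03-04T00:00:00.000Z",
            "modified": "2014-03-04T00:00:00.000Z",
            "name": "Constructed POS malware sample A",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
            "valid_from": "2014-03-04T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2014-03-04T00:00:00.000Z",
            "modified": "2014-03-04T00:00:00.000Z",
            "name": "Constructed dropper sample B",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "cd" * 32 + "']",
            "valid_from": "2014-03-04T00:00:00Z",
        },
        {   # Revoked by the producer: a consumer must stop alerting on it.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "created": "2014-03-04T00:00:00.000Z",
            "modified": "2014-03-04T00:00:00.000Z",
            "name": "Constructed false positive, withdrawn",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "01" * 32 + "']",
            "valid_from": "2014-03-04T00:00:00Z",
            "revoked": True,
        },
        {   # A pattern this simple matcher does not understand.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000005",
            "created": "2014-03-04T00:00:00.000Z",
            "modified": "2014-03-04T00:00:00.000Z",
            "name": "Constructed domain indicator",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'example.invalid']",
            "valid_from": "2014-03-04T00:00:00Z",
        },
    ],
})

# Constructed inventory of file hashes seen on POS hosts (hypothetical).
OBSERVED_FILES = [
    {"host": "pos-register-01", "sha256": "AB" * 32},   # upper case on purpose
    {"host": "pos-register-02", "sha256": "ef" * 32},
    {"host": "pos-register-03", "sha256": "01" * 32},   # matches only a revoked indicator
]


def extract_hash_indicators(bundle_json: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({lowercase_hash: indicator_name}, [patterns not understood]).

    Non-indicator objects and revoked indicators are skipped. Patterns the
    matcher cannot interpret are reported rather than silently dropped, so a
    consumer knows which shared intel it is not actually using.
    """
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    hashes: Dict[str, str] = {}
    unsupported: List[str] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            unsupported.append(obj.get("pattern", ""))
            continue
        m = _HASH_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if m is None:
            unsupported.append(obj.get("pattern", ""))
            continue
        hashes[m.group("value").lower()] = obj.get("name", obj["id"])
    return hashes, unsupported


def match_observations(bundle_json: str, observations) -> List[Tuple[str, str, str]]:
    """Return (host, sha256, indicator_name) for each observed hash on the list."""
    hashes, _ = extract_hash_indicators(bundle_json)
    return [(o["host"], o["sha256"].lower(), hashes[o["sha256"].lower()])
            for o in observations if o["sha256"].lower() in hashes]


if __name__ == "__main__":
    known, skipped = extract_hash_indicators(STIX_BUNDLE_JSON)
    print(f"{len(known)} usable hash indicators, {len(skipped)} unsupported patterns")
    for host, digest, name in match_observations(STIX_BUNDLE_JSON, OBSERVED_FILES):
        print(f"{host}: {digest[:12]}... matches '{name}'")
```

The design point is the two things a consumer has to get right for shared intel to be worth anything: honour the producer's `revoked` flag so withdrawn indicators stop generating alerts, and surface the patterns you could not parse instead of quietly ignoring them, since a silently unusable feed looks identical to a clean one.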

But what good are these standards if the lawyers stop the information from getting out? Whatever happened to Obama’s Executive Order to promote threat intelligence and give safe harbor to those who provide it? Progress is slow in the government although things are moving. See

I’m not optimistic that the situation will substantially change in the near future, so until then the only ones who win are the criminals. And the only ones who disseminate the threat information are journalists like Brian Krebs, who have to go to extraordinary lengths to get the information in the first place. And they do so without any safe harbor. In fact, if I were Brian, I’d be more worried about the lawyers than the criminals.

1 Comment

  • Matthew Cook says:

    We’re seeing this impacting online gaming more and more, too, as publishers move from a traditional product-focused monetization strategy to a free-to-play model with optional ‘freemium’ elements that rely on maintaining a relationship over time. Many of the publishers we’ve spoken to have specifically mentioned the opacity in transactions after they’re sent to the credit card company, combined with the fact that many transactions are accepted by the card processor, then later are charged back. This can ruin even an established publisher with tens of thousands of converted customers, as these issues directly impact their bottom lines…

    Congrats on the Krebs link – good article.