Gartner Blog Network


Card Processor Breaches – Can You Really Fix a Broken Business Process?

by Ramon Krikken  |  March 30, 2012  |  2 Comments

Although we have little information available at the moment about the latest credit card processor breach (source: Krebs on Security), it is a good opportunity to continue the conversation on how the usage patterns of data in a business process change (or not!) the dynamics of security exposure.

Merchants have been able to take advantage of ongoing security advances. Tokenization in particular means that they need not worry as much about the existence of credit card data on their systems and networks: the card number is swapped for a surrogate value at capture time, and only that surrogate is kept. But at some point in the business process of taking and clearing a payment, someone needs to work with the actual card data … and that is where the processors (and ultimately the banks – leaving aside for a minute the trickle-down effect on merchants and consumers) are exposed to risk – and a highly concentrated risk, at that. Notwithstanding all the valiant efforts by all parties involved, encryption and monitoring – as opposed to rolling out more fundamental changes to payment processing – really only get you so far in reducing the exposure: they make the data harder to get at, but they do not change the fact that it all has to be in the clear somewhere.
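To make the "where does the real card number still live" point concrete, here is an added illustration (not code from this post, Gartner, or any processor) of a minimal format-preserving token vault. The class and function names are hypothetical, the two card numbers are well-known Luhn-valid test numbers, and the design choice that tokens deliberately fail the Luhn check is mine: it guarantees a token can never be mistaken for, or used as, a real PAN. The last function compares what an attacker gets from a dump of the merchant's records versus a dump of the vault.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check that every real PAN satisfies."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault: the one place tokens map back to PANs."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:           # one stable token per PAN
            return self._token_by_pan[pan]
        while True:
            # Format-preserving token: same length, last four digits kept so
            # merchant staff can still recognise the card; the rest is random,
            # so the token itself reveals nothing about the real PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Retry on collision, and retry if the candidate happens to pass
            # Luhn, so a token can never be mistaken for (or used as) a PAN.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this; it is where the real PAN reappears."""
        return self._pan_by_token[token]        # KeyError for unknown tokens

    def dump(self) -> list:
        """What an attacker with vault access walks away with: every PAN."""
        return sorted(self._pan_by_token.values())


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: swap the PAN for a token at capture and keep only the token."""
    return {"token": vault.tokenize(pan), "amount_cents": amount_cents}


def processor_settle(vault: TokenVault, record: dict) -> str:
    """Processor side: the token must become a PAN again to clear the payment."""
    return vault.detokenize(record["token"])


def exposure_if_breached(merchant_records: list, vault: TokenVault) -> dict:
    """Count well-formed PANs recoverable from a dump of each side's data store."""
    from_merchant = sum(1 for r in merchant_records if luhn_valid(r["token"]))
    return {"from_merchant": from_merchant, "from_vault": len(vault.dump())}


if __name__ == "__main__":
    # Constructed sample input: two well-known Luhn-valid test card numbers.
    vault = TokenVault()
    records = [merchant_checkout(vault, "4111111111111111", 1999),
               merchant_checkout(vault, "5555555555554444", 4250)]
    print(records)                                  # tokens only, no PANs
    print([processor_settle(vault, r) for r in records])
    print(exposure_if_breached(records, vault))     # {'from_merchant': 0, 'from_vault': 2}
```

The merchant's store is worthless to a thief, which is exactly the benefit the post describes. The vault, by contrast, hands over every card in one go, which is the concentration the post warns about: tokenization moves the exposure rather than removing it.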

The point here, of course, is not about payment processors per se. It’s about how large risk aggregations can create these near all-or-nothing situations. And these aggregations are in large part due to risk shifts created by business processes that, at least at some point in time, shift the majority of the exposure to certain parties, systems, networks, etc. And even though doing so, rather than fixing the business process (or, in some cases, slowing down change – can you hear me, smart grid?), may be the most economically or politically defensible option, we cannot be surprised at the outcomes.

P.S. I agree with Adam Shostack — way to not do a breach disclosure folks, jeez.

[EDIT: Looks like the affected processor posted a statement – too bad the rumor mill got it first]

If the facts warrant more discussion, I will post a follow-up when more details become available. But I just couldn’t let a good “crisis” go to waste.

Category: security  

Tags: breach  business-process  payment-processing  pci-dss  risk-aggregation  tokenization  

Ramon Krikken
BG Analyst
2 years at Gartner
15 years IT industry

Ramon Krikken is a Research VP on the Gartner for Technical Professionals Security and Risk Management Strategies team. He covers software/application security; service-oriented architecture (SOA) security; and structured and unstructured data security management, including data masking, redaction and tokenization...


Thoughts on Card Processor Breaches – Can You Really Fix a Broken Business Process?


  1. Exactly right! Tokenization, End-to-End encryption and the PCI-DSS regime itself do nothing to stop stolen card details being used, so they do nothing to dilute the value of stolen data or remove the profit motive behind these mass breaches. In essence, stealing card data en masse remains stupidly easy to do. Find someone with administrator privileges inside a processor where unencrypted details must be passing by at some point, and bribe them.

    If we’re revisiting the problem, let’s be clear that the specific security problem is vulnerability to replay of card data. It’s a technology problem. We could stop it, by extending the anti-skimming properties of chip into all channels where cardholder data is presented, including CNP.

    http://lockstep.com.au/blog/2012/03/27/cnp-fraud-is-online-skimming

    We should render cardholder data useless to criminals, by making sure it cannot be replayed. This really is a straightforward technology problem.
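The commenter's point is that static card data is replayable and a chip-style per-transaction cryptogram is not. The following is an added illustration of that contrast, written for this page; it is not the commenter's code, not real EMV, and not any vendor's implementation. It keeps the EMV idea (a card-held key, a transaction counter, a per-transaction unpredictable number, and a MAC over all of them) but substitutes HMAC-SHA256 for EMV's key derivation and cryptogram algorithm, and lets the issuer hand out and track the unpredictable number so that everything runs in one process (in EMV the terminal generates it). Names and the scenario data are constructed.

```python
import hashlib
import hmac
import secrets


def authorize_static(issuer_records: dict, pan: str, expiry: str, cvv: str) -> str:
    """Today's CNP check (simplified): whoever knows the static data is approved,
    so a replay of captured data is indistinguishable from the cardholder."""
    return "APPROVED" if issuer_records.get(pan) == (expiry, cvv) else "DECLINED: bad data"


class Card:
    """Chip-like card: holds a secret key and a transaction counter (ATC)."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan, self._key, self.atc = pan, key, 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: str) -> dict:
        self.atc += 1                       # never repeats for the life of the card
        msg = f"{self.pan}|{self.atc}|{amount_cents}|{unpredictable_number}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "atc": self.atc, "amount_cents": amount_cents,
                "un": unpredictable_number, "mac": mac}


class Issuer:
    """Issuer host: shares the card key, tracks the last ATC and open nonces."""

    def __init__(self) -> None:
        self._keys, self._last_atc, self._open_un = {}, {}, set()

    def enroll(self, pan: str) -> bytes:
        key = secrets.token_bytes(16)
        self._keys[pan], self._last_atc[pan] = key, 0
        return key

    def new_unpredictable_number(self) -> str:
        """Per-transaction challenge. In EMV the terminal generates it; here the
        issuer issues and tracks it (a simplification for a single-process demo)."""
        un = secrets.token_hex(4)
        self._open_un.add(un)
        return un

    def authorize(self, req: dict) -> str:
        pan = req["pan"]
        if pan not in self._keys:
            return "DECLINED: unknown card"
        if req["un"] not in self._open_un:
            return "DECLINED: nonce already used or unknown (replay)"
        if req["atc"] <= self._last_atc[pan]:
            return "DECLINED: transaction counter did not advance (replay)"
        msg = f"{pan}|{req['atc']}|{req['amount_cents']}|{req['un']}".encode()
        expected = hmac.new(self._keys[pan], msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, req["mac"]):
            return "DECLINED: cryptogram does not verify (tampered or forged)"
        self._open_un.discard(req["un"])    # single use
        self._last_atc[pan] = req["atc"]
        return "APPROVED"


def run_scenarios() -> dict:
    """Constructed scenarios: a thief captures one transaction and reuses it."""
    pan = "4111111111111111"                # well-known test number
    out = {}
    # 1. Static data: the first use and the replay are both approved.
    static_db = {pan: ("12/14", "123")}
    out["static_first"] = authorize_static(static_db, pan, "12/14", "123")
    out["static_replay"] = authorize_static(static_db, pan, "12/14", "123")
    # 2. Per-transaction cryptogram.
    issuer = Issuer()
    card = Card(pan, issuer.enroll(pan))
    captured = card.generate_cryptogram(1999, issuer.new_unpredictable_number())
    out["chip_first"] = issuer.authorize(captured)
    out["chip_replay"] = issuer.authorize(captured)                # same message again
    reused = dict(captured, un=issuer.new_unpredictable_number())  # fresh nonce, old counter
    out["chip_old_counter"] = issuer.authorize(reused)
    forged = dict(captured, atc=captured["atc"] + 1, amount_cents=99999,
                  un=issuer.new_unpredictable_number())            # no key, so MAC is stale
    out["chip_tampered"] = issuer.authorize(forged)
    # The genuine card's next transaction still works.
    out["chip_next"] = issuer.authorize(
        card.generate_cryptogram(500, issuer.new_unpredictable_number()))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:17s} {result}")
```

With the static check, captured data is as good as the card. With the cryptogram, the captured message is rejected on replay, rejected when paired with a new challenge, and rejected when any field is altered, because only the card's key can produce a verifying MAC; the stolen record is useless without the card. Whether that amounts to a "stop" or only a higher bar is the question the reply below takes up.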

  2. Stephen – yes, we could “stop” this by making changes to how cards work. I put “stop” in quotes, because such changes as chip-and-PIN are generally only bar-raisers, not outright stops. Generally speaking, developing a low-cost, multi-channel solution is challenging in any case. I’m looking forward to (or perhaps I worry about) emerging tech such as NFC payments.


