Although we have little information available at the moment about the latest credit card processor breach (source: Krebs on Security), it is a good opportunity to continue the conversation on how the usage patterns of data in a business process change (or not!) the dynamics of security exposure.
Merchants have been able to take advantage of ongoing security advances. Tokenization in particular means that they need not worry as much about the existence of credit card data on their systems and networks. But at some point in the business process of taking and clearing a payment, someone needs to work with the actual card data … and that is where the processors (and ultimately, the banks – leaving out for a minute the trickle-down effect on merchants and consumers) are exposed to risk – and a highly concentrated risk, at that. Notwithstanding all the valiant efforts by all parties involved, encryption and monitoring – as opposed to rolling out more fundamental changes to payment processing – really only get you so far in reducing the exposure.
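To make the aggregation point concrete, here is a toy tokenization flow, added as an illustration for this post and not code from Gartner, from any processor, or from the breached party. Names (TokenVault, MerchantOrders, scan_for_pans) and the in-memory storage are hypothetical; a production vault encrypts the PAN column and keeps its keys in an HSM. The sample card numbers are the standard publicly documented test numbers, not real accounts. Run it and dump both sides: a breach of the merchant's order table yields tokens and last-four digits only, while the same dump of the vault yields every card it has ever seen, which is exactly the concentrated exposure described above.

```python
"""Minimal tokenization flow: merchant keeps tokens, the vault keeps the PANs."""
import hashlib
import hmac
import json
import re
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, as used for card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault (hypothetical): after tokenization, the only place a PAN lives."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}
        # Keyed index so the same card always maps to the same token. A plain
        # SHA-256 of the PAN would not do: the PAN space is small enough to brute-force.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan) or not 13 <= len(pan) <= 19:
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Random digits, same length as the PAN, so legacy fields still fit.
            token = "".join(secrets.choice(string.digits) for _ in range(len(pan)))
            if luhn_valid(token):
                # Bump the last digit so the token can never pass as a card number.
                token = token[:-1] + str((int(token[-1]) + 1) % 10)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

    def dump(self) -> str:
        """What an attacker gets from the vault's storage."""
        return json.dumps(self._pan_by_token)


class MerchantOrders:
    """Merchant-side system (hypothetical): stores token and last four only."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.orders: list[dict] = []

    def place_order(self, pan: str, amount_cents: int) -> str:
        token = self.vault.tokenize(pan)  # the PAN leaves the merchant here
        self.orders.append({"token": token, "last4": pan[-4:], "amount_cents": amount_cents})
        return token

    def dump(self) -> str:
        """What an attacker gets from the merchant's order database."""
        return json.dumps(self.orders)


def scan_for_pans(text: str) -> set[str]:
    """Crude DLP-style scan: digit runs of card length that pass Luhn."""
    return {run for run in re.findall(r"\d{13,19}", text) if luhn_valid(run)}


if __name__ == "__main__":
    # Constructed sample data: standard test card numbers, not real accounts.
    vault = TokenVault()
    shop = MerchantOrders(vault)
    for pan, cents in [("4111111111111111", 1999), ("5555555555554444", 500),
                       ("378282246310005", 12000), ("4111111111111111", 750)]:
        shop.place_order(pan, cents)
    print("PANs in merchant dump:", scan_for_pans(shop.dump()))
    print("PANs in vault dump:   ", scan_for_pans(vault.dump()))
```

Two design points matter for the argument in the post. First, the token is random and deliberately Luhn-invalid, so nothing on the merchant side can be turned back into a card number without the vault. Second, that is precisely why the vault's keyed index and storage are the crown jewels: encryption of the PAN column and monitoring of access to it reduce the odds of a vault compromise, but they do not change the fact that one compromise exposes every card the vault holds.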
The point here, of course, is not about payment processors per se. It’s about how large risk aggregations can create these near all-or-nothing situations. And these aggregations are in large part due to risk shifts created by business processes that, at least at some point in time, shift the majority of the exposure to certain parties, systems, networks, etc. And even though doing so, rather than fixing the business process (or, in some cases, slowing down change – can you hear me, smart grid?), may be the most economically or politically defensible option, we cannot be surprised at the outcomes.
P.S. I agree with Adam Shostack — way to not do a breach disclosure folks, jeez.
[EDIT: Looks like the affected processor posted a statement – too bad the rumor mill got it first]
If the facts warrant more discussion, I will post a follow-up when more details become available. But I just couldn’t let a good “crisis” go to waste.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.