Although we have little information available at the moment about the latest credit card processor breach (source: Krebs on Security), it is a good opportunity to continue the conversation on how the usage patterns of data in a business process change (or not!) the dynamics of security exposure.
Merchants have been able to take advantage of ongoing security advances. Tokenization in particular means that they need not worry as much about the existence of credit card data on their systems and networks. But at some point in the business process of taking and clearing a payment, someone needs to work with the actual card data … and that is where the processors (and ultimately, the banks – leaving out for a minute the trickle-down effect on merchants and consumers) are exposed to risk – and a highly concentrated risk, at that. Notwithstanding all the valiant efforts by all parties involved, encryption and monitoring – as opposed to rolling out more fundamental changes to payment processing – really only get you so far in reducing the exposure.
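To make the concentration point concrete, here is a small added illustration (not code from the post or from any processor): a toy tokenization vault in which the merchant keeps only a random token and the last four digits, while the vault is the single place the real card number lives. The `TokenVault` and `MerchantRecord` names, the token format, and the test card numbers are all constructed for this example; a production vault would additionally encrypt at rest and keep keys in an HSM.

```python
"""Toy tokenization vault (constructed example, not from the original post).
Shows why a merchant dump yields no card numbers while the vault dump yields all of them.
Card numbers used here are public test values, not real cards."""
import json
import re
import secrets
from dataclasses import asdict, dataclass

# A candidate PAN is 13-19 consecutive digits bounded by non-digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; accepts only digit strings of card length."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side store: the only component that ever holds the real PAN (hypothetical)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Deterministic per PAN so a merchant can do recurring billing with the same token.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random token: carries no information about the PAN and cannot be reversed without the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

    def __len__(self) -> int:
        return len(self._pan_by_token)

    def dump(self) -> str:
        """What an attacker obtains from a full compromise of the vault."""
        return json.dumps(self._pan_by_token)


@dataclass
class MerchantRecord:
    order_id: str
    token: str
    last4: str  # display only; not enough to reconstruct the PAN


def checkout(vault: TokenVault, order_id: str, pan: str) -> MerchantRecord:
    """Merchant side: hand the PAN to the vault at capture time and keep only the token."""
    token = vault.tokenize(pan)
    return MerchantRecord(order_id, token, pan[-4:])


def merchant_dump(records: list[MerchantRecord]) -> str:
    """What an attacker obtains from a full compromise of the merchant's order database."""
    return json.dumps([asdict(r) for r in records])


def pans_in_dump(dump: str) -> int:
    """Count full, Luhn-valid card numbers recoverable from a data dump."""
    return sum(1 for m in PAN_RE.findall(dump) if luhn_valid(m))


if __name__ == "__main__":
    vault = TokenVault()
    orders = [
        checkout(vault, "order-1", "4111111111111111"),  # public test PAN
        checkout(vault, "order-2", "5555555555554444"),  # public test PAN
        checkout(vault, "order-3", "4111111111111111"),  # repeat customer
    ]
    print("PANs recoverable from merchant dump:", pans_in_dump(merchant_dump(orders)))
    print("PANs recoverable from vault dump:   ", pans_in_dump(vault.dump()))
```

Running it shows zero card numbers in the merchant dump and every distinct card number in the vault dump, which is the risk shift the post describes: the merchant's exposure drops, but it has moved to one highly concentrated store rather than disappeared.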
The point here, of course, is not about payment processors per se. It’s about how large risk aggregations can create these near all-or-nothing situations. And these aggregations are in large part due to risk shifts created by business processes that, at least at some point in time, shift the majority of the exposure to certain parties, systems, networks, etc. And even though doing so, rather than fixing the business process (or, in some cases, slowing down change – can you hear me, smart grid?), may be the most economically or politically defensible option, we cannot be surprised at the outcomes.
P.S. I agree with Adam Shostack — way to not do a breach disclosure folks, jeez.
[EDIT: Looks like the affected processor posted a statement – too bad the rumor mill got it first]
If the facts warrant more discussion, I will post a follow-up when more details become available. But I just couldn’t let a good “crisis” go to waste.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.