Paul Hampton, Payments and Crypto Management Expert, SafeNet
The use of online banking and shopping has grown significantly[i], but so too has the number of security threats targeting such services. Every day we hear of another company falling foul of a data breach, with nearly 200 million records stolen in the first quarter of 2014, so protecting financial data has never been more important. Yet, while the need to secure payment transactions and data remains critical, doing so doesn’t seem to be getting any easier.
Today, security teams have to contend with increasingly sophisticated attacks, a technological environment that is evolving rapidly, and compliance with multiple standards and regulations. Add to this the fact that any transaction relies on a complicated ecosystem with multiple points of vulnerability, and it’s clear that securing financial data is far from simple. So what steps should businesses take to ensure that their most sensitive data remains protected?
Where do the vulnerabilities exist?
In order to protect data in the best way possible, businesses must first understand where the vulnerabilities lie, and the first of these is the payment ecosystem itself. A successful transaction relies on a complicated ecosystem with many potential points of vulnerability, involving several parties including the merchant, acquirer, switch and bank or card issuer. This ecosystem is only as strong as its weakest link. Another major point of vulnerability is the internet. Today, just about every business has an eCommerce site which aims to securely capture and process customer data. But when the customer makes a purchase, the business loses control of a large portion of the transaction interaction, as customers use a variety of devices, operating systems and browsers to access eCommerce sites. It is becoming vital for businesses to protect their customers’ data as early in the transaction process as possible.
Another vulnerability is the gap between compliance and security. Merchants have been subject to a myriad of compliance requirements around how to handle customer data and process transactions, such as the Payment Card Industry Data Security Standard (PCI DSS). According to our Secure Payments survey, one-third of respondents spend more than six weeks a year complying with card schemes’ regulations, yet these guidelines fail to address some key areas of vulnerability in the payment ecosystem, areas which have been exploited with disastrous consequences: for example, 70 million customers were affected by the Target customer credit card data theft in December 2013.
Why a ‘secure breach’ mind-set is best
With so many points of vulnerability, organisations must adopt a framework where data is central. This means adopting a ‘secure breach’ approach to data protection which focuses on protecting sensitive data wherever it exists and limiting access to this data, even when it lives in an uncontrolled, untrusted environment.
Today, Point-to-Point Encryption (P2PE) is the best method of protection. Rather than focusing on specific points of vulnerability, P2PE uses special payment terminals to encrypt card data at the earliest possible moment of its capture, ensuring that the data remains encrypted at every hop until it arrives at the payment gateway. This means that even if an external attacker bypasses perimeter defences, or an unauthorised internal user looks to leak or steal data, the data remains protected.
This approach not only increases security, but also dramatically reduces the scope of PCI DSS compliance for merchants of all sizes. In fact, recent breaches in the retail industry, including those of retailer Office and eBay, may have been greatly mitigated by the use of Point-to-Point Encryption. Yet according to our research, only 24% of respondents are currently implementing P2PE solutions.
The detail: pay attention
For organisations that manage sensitive data, whether payment card information, personally identifiable information, or other sensitive records, safeguards need to be applied both to guard against security threats and to ensure compliance with privacy and security mandates. However, encryption alone is only part of the solution. Encryption keys need to be preserved in a secure and reliable manner. Yet, surprisingly, one of the most common mistakes organisations make is storing encryption keys alongside the data they protect, so that whoever obtains a copy of the data also obtains the means to decrypt it.
Perhaps the problem is that, currently, many of the teams responsible for key management are small and distributed, or are already contributing significantly to their organisation’s heavy compliance workload. According to our research, two-thirds have four or fewer people involved in key management. So, to succeed in meeting both administrative demands and security objectives, it is imperative that security teams begin to leverage more centralised, efficient, and secure key management platforms.
Organisations should invest in a standards-based enterprise key management platform or strategy that controls keys over their entire life cycle. This strategy should include specific methods of limiting access to keys, defining how those keys are issued and distributed, and protecting them while they are stored. Without these controls, keys could be copied, modified or even impersonated by a skilled attacker, who could then access cardholder data.
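The two ideas above, encrypting at the point of capture and keeping keys out of the systems that hold the data, can be shown together in a small Go model of a P2PE flow. This is an added illustration, not SafeNet’s code and not any particular P2PE product: the terminal, merchant and gateway are plain functions, the key store is a map standing in for an HSM-backed key manager, and the key id, merchant id and test card number are constructed values. The point it demonstrates is that the record travelling through merchant systems carries a key identifier but never key material, so a copy of that record is useless without access to the separate key store, and that AES-GCM refuses to decrypt (rather than returning garbage) when the key, nonce or bound merchant id is wrong.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedPAN is what leaves the payment terminal: an opaque record that the
// merchant's POS, network and back office can forward but cannot read. It
// carries the id of the key that was used, never the key itself.
type EncryptedPAN struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// KeyStore stands in for the separate, access-controlled key management
// platform (an HSM or key manager in practice). It is the only place keys live;
// merchant systems never hold a reference to it.
type KeyStore map[string][]byte

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey generates a 256-bit AES key. Assumption: generation happens inside the
// key manager, which then injects the key into the terminal.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// TerminalEncrypt runs on the payment terminal at the moment of capture. The
// merchant id is bound as additional authenticated data, so a record cannot be
// accepted by the gateway under a different merchant.
func TerminalEncrypt(key []byte, keyID, merchantID, pan string) (EncryptedPAN, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return EncryptedPAN{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedPAN{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(merchantID))
	return EncryptedPAN{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// MerchantForward is all a merchant system can do with the record: pass it on.
// It returns what a merchant-side log line would contain, with no plaintext.
func MerchantForward(e EncryptedPAN) string {
	return fmt.Sprintf("fwd key=%s nonce=%x ct_len=%d", e.KeyID, e.Nonce, len(e.Ciphertext))
}

// GatewayDecrypt runs at the payment gateway, the first point where the key
// store is reachable. An unknown key id, a retired key, a tampered record or a
// mismatched merchant id all fail authentication instead of yielding data.
func GatewayDecrypt(ks KeyStore, merchantID string, e EncryptedPAN) (string, error) {
	key, ok := ks[e.KeyID]
	if !ok {
		return "", errors.New("unknown key id: " + e.KeyID)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, []byte(merchantID))
	if err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	ks := KeyStore{}
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	ks["terminal-key-001"] = key // constructed key id

	// Constructed sample input: a well-known test card number, not a real card.
	rec, err := TerminalEncrypt(key, "terminal-key-001", "merchant-42", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Println(MerchantForward(rec)) // opaque: key id, nonce and length only

	pan, err := GatewayDecrypt(ks, "merchant-42", rec)
	fmt.Println(pan, err) // plaintext recovered only with the key store

	_, err = GatewayDecrypt(ks, "merchant-99", rec)
	fmt.Println(err) // wrong merchant binding: authentication failed
}
```

Rotating a key is then a key-store operation: add the new key under a new id, let the terminal start tagging records with it, and retire the old id once in-flight records have cleared. Nothing in the merchant’s path changes, which is the scope reduction the article refers to.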
A security strategy with data at the heart
As hacking attempts become almost a daily occurrence, being breached is not a question of “if” but “when”, so best-practice data protection is vital. CIOs have long considered the best defence to be a good offence when it comes to handling security threats. But in the new reality of security, the best offence is now the best defence, and encryption is the key to that strategy.
For security teams tasked with safeguarding payment data, demands for encryption and key management are only increasing, both in scale and urgency. Sensitive information must be secured across its entire lifecycle, which means approaches like centralised key management and P2PE will be more critical than ever. Only such a data-centric approach will leave companies safe in the knowledge that their data is protected, whether or not a security breach occurs.
If you are worried your company may have suffered a data breach, why not assess the severity of the breach using our Breach Level Index here: http://www.breachlevelindex.com/
[i] According to the UK Cards Association, the UK is Europe’s leading online shopping economy, with spending online by British consumers growing by 16 per cent in 2013 to reach £91 billion. http://www.theukcardsassociation.org.uk/news/EOYFFfor2013.asp – March 2014