Friday, August 21, 2009

A FIRST LOOK: Tokenization & End-To-End Technologies Combined

On August 12th, EPX (a third-party payment provider) announced that it is joining end-to-end encryption with tokenization. I applaud their effort because, as I've stated before, I strongly believe that combining these two technologies is the strongest way to secure cardholder data. In the announcement, Matt Ornce, Chief Operating Officer for EPX, is quoted: "There maybe are a few entities that have tokenization as a real product today, and there are a bunch of entities talking about doing end-to-end encryption for the merchant, but we haven't heard of anybody combining the two, much less delivering the product to the market." News flash: Shift4 prototyped this in late 2005, the same time they released tokenization to the public domain, and released a product to market in early 2006.

Monday, August 10, 2009

Who Breached Me?

In my last posting "Yet Another...", I wrote about a breach notification from Network Solutions, a payment service provider. Soon after the original posting, Evan Schuman from pointed me to the actual notification, which prompted a correction to my posting. While my initial ire was based on false assumptions, the final notification letter to consumers still included the merchant name even though Network Solutions was the entity breached and the service provider was accepting the blame.

During this discussion we had a brief debate about whether or not the merchant name should have appeared in the notification. This discussion gave me an idea to have a simple sparring session debating our different points of view, using a 100-word-or-less format of argument for, argument against, rebuttal for, and rebuttal against. Before we begin, I want to thank Evan for participating and spending the time to put his viewpoint down. Here is the final result:

Should the merchant's name appear in breach notifications if the breach occurs upstream from the merchant and beyond the merchant's control?

ARGUMENT FOR the Merchant Name Appearing in the Notification - The retailer's name needs to be on that notification letter for two reasons. First, consumers only know the retailer's name. Give them a letter that doesn't say something they recognize and it will be thrown out. Secondly, a small retailer will be inclined to go with the lowest-cost service. If they don't feel some pain if that service screws up, proper choices will never happen. This will ensure that retailers make the best available choices, balancing cost versus security. Breach letters aren't supposed to be fun, but can be functional. Some good can be served.

REBUTTAL to Argument FOR the Merchant Name Appearing in the Notification - Consumers do need to know their card number was compromised, but the merchant's name does not need to appear for the consumer to take notice. A notification from the consumer's bank is more credible than one from TransUnion, the merchant or the provider that was breached. Second, price does not guarantee security. Case in point: Network Solutions is not known as the low-price leader, yet they were breached, and their name appears in Visa's Global List of PCI DSS Validated Service Providers. This list should be of some value to the merchant beyond "you're required to use one of these." The card brands cannot expect the average merchant to spend days vetting providers.

ARGUMENT AGAINST the Merchant Name Appearing in the Notification - The card brands dictate that merchants must be PCI compliant, and to be PCI compliant, merchants must use PCI compliant practices, applications and service providers. Visa publishes a Global List of PCI DSS Validated Service Providers. Since merchants are required to use vendors from this list, the card brands should provide some form of safe harbor, even if it's nothing more than not disclosing the merchant's name in the event that the service provider is breached. The card brands shouldn't expect all merchants to physically tour and spend days vetting these providers; the card brands should have done this when preparing the list. The merchant should not have its brand tarnished due to a security breach completely beyond the control of the merchant.

REBUTTAL to Argument AGAINST the Merchant Name Appearing in the Notification - The Safe Harbor concept is a wonderful theory, but in payment security, it doesn't exist, never has existed and truly can never exist. Retailers normally (the Network Solutions situation is the exception) have tremendous day-to-day influence on security, in the same way that a car can pass a state safety inspection but that doesn't mean the driver won't remove his brakes the day after the inspection. Given the influence a retailer has day-to-day, the merchant must assume responsibility. Besides, the breach letter needs to notify in a meaningful way.

Based on the arguments and rebuttals presented here, hopefully you can decide for yourself where you stand. My guess is your stance will be determined by whether you are looking at the issue from the merchant's perspective or the consumer's perspective. Either way, hopefully this gives you insight to the other side of the argument.

That was fun. I enjoyed sparring with Evan and I hope he enjoyed it as well. I'm sure this argument/rebuttal format will be used again to debate other issues. Until next time...