Thursday, September 17, 2009

Payments Industry Prodigies

WARNING TO THE READER: I guess I'm in a bad mood today so pardon my rant. I'm just airing dirty laundry in this posting so if that's not your cup of tea, skip to the next posting.

The payments industry never ceases to amaze me. My latest amazement is how our prodigies are chosen when it comes to security. Here are three examples, and if anyone has an explanation why, please feel free to post your thoughts:

(I'll keep the company and personal names out of this; if you're familiar with the industry, you know who I'm talking about)

First on my hit list: a prominent payment processor now promoting a new security technology was the victim of one of the largest data breaches exposing credit card information. The breach by itself is not the issue, because a breach can happen to anyone. What baffles me is that proper deployment and use of existing encryption technology could have prevented it. This looks like a deflection tactic: instead of shoring up our security gaps, we'll head up the development of a new, still theoretical technology under which no one needs to be secure. It is an example of a perfectly executed public relations campaign.

Next on my list: the Visa poster child for how a POS company should tackle security was probably the single biggest factor behind Visa requiring CISP and, later, PCI. Security was all but completely ignored in every pre-2003 version of their software: cardholder data was stored in plain text in various files; the remote-access accounts with administrator privileges shared the same login credentials across the entire merchant base; every station had to run with system-level administrator access; and installing anti-virus software was frowned upon (all practices that directly oppose security best practices). Then, overnight, presto-chango, they became the model POS vendor for security (even though their application was not truly PCI compliant out of the box until 2008).
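As an added illustration of the first of those practices (this is example code written for this page, not the vendor's software or anything from the original post): a small scanner that finds primary account numbers sitting in plain text in a file. It is the check a merchant or an assessor could have run against a pre-2003 install, and it is the same check you should run before believing any "we don't store card data" claim. It looks for runs of 13 to 19 digits (allowing spaces or dashes as separators), keeps only those that pass the Luhn mod-10 check, and reports them masked to the first six and last four digits so the scanner's own output does not become another plaintext copy of the PAN. The sample file contents are constructed for the example and use the public Visa and Mastercard test card numbers; nothing here refers to a real product.

```python
import re
from typing import List, Tuple

# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# dashes. The look-around assertions stop us from matching a 13-19 digit
# window inside a longer digit run (a 20-digit record ID is not a card).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if a string of ASCII digits passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only first six and last four digits, the PCI display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (byte/char offset, masked PAN) for each Luhn-valid candidate.

    Length filtering plus Luhn removes most numeric noise (timestamps, record
    IDs, expiry dates) that a plain digit regex would flag.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan one file; latin-1 decoding never fails, so binary files are fine."""
    with open(path, "r", encoding="latin-1") as fh:
        return find_pans(fh.read())


# Constructed sample of what a pre-PCI POS "settings/batch" file might hold.
# station_id is 16 digits but fails Luhn; the last card number is a single
# digit off a valid test PAN and also fails Luhn. Only two real PANs remain.
SAMPLE = """[terminal]
station_id=1234567890123456
last_txn=2009-09-17 14:03:22
[batch]
card=4111 1111 1111 1111 exp=1012
card=5555-5555-5555-4444 exp=0311
card=4111111111111112 exp=0910
"""

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE):
        print(f"plaintext PAN at offset {offset}: {masked}")
```

Run it against a copy of the POS install directory with `scan_file` in a loop over `os.walk` and you have the evidence for the "stored in plain text" claim without ever writing a full PAN to your own notes.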

Last on my list is a large merchant, itself a breach victim, that is now doing the "learn from our mistakes" tour. Don't get me wrong; someone who has been on the breach hot seat is the best speaker for convincing merchants to be secure. But let's get all the facts out. Less than two years earlier, the decision makers at that company nixed a proposal that could have prevented their breach. Nixing a proposal is not the issue here; it's the reason given: "we don't need that technology, our systems are already secure." I've not heard that little fact on the "woe is me" tour; instead it's "we were just an innocent victim."

I promise, I'll be in a better mood next time. ;-)
