The recent data breach at Heartland Payment Systems should make one thing clear: the standards for security around credit card numbers still aren’t good enough. New technologies are needed to ensure that credit card numbers and other forms of sensitive information can be protected well enough. It’s probably the case that an entirely new approach to information security is also needed.
Anyone who handles credit card information now needs to comply with the Payment Card Industry Data Security Standard (PCI DSS). Nobody likes to spend money to comply with new regulations, so there’s always grumbling from merchants about how expensive complying with PCI DSS is. But if you look at how much credit card information is being compromised, it looks like PCI DSS really isn’t enough, and even more protection is needed. How much credit card information has been compromised?
Four researchers recently worked their way into the underground community of cyber-criminals to learn how the business operates. Their paper “An Inquiry into the Nature and Cause of the Wealth of Internet Miscreants” summarizes what they learned. One particularly interesting finding is that the number of credit card numbers being sold by cyber-criminals outnumbers other types of sensitive data by a factor of over 20 to 1. There are far more credit card numbers available to cyber-criminals than there are Social Security numbers, bank account numbers, or ATM PINs.
It certainly looks like the PCI DSS isn’t enough to stop the wholesale theft of credit card numbers. It’s a good first step, but it’s not quite enough. Keeping credit card numbers safe will probably require shifting to a new idea of what security means and how to implement it.
Current security architectures try to protect data by keeping hackers out of the networks where sensitive data is processed. Inside the network, however, data is often relatively unprotected. This was the case at Heartland, and it let hackers collect credit card numbers as they moved through the network once it was penetrated. Heartland did a great job of complying with the PCI DSS, but that wasn’t enough, because the hackers took advantage of weaknesses that the PCI DSS doesn’t address.
An alternative is to protect the data itself instead of protecting the network. In a data-centric model of security, sensitive data is encrypted and stays encrypted until it’s needed for processing. This means that as sensitive data moves through a network it’s still encrypted and useless to any hackers who might be able to collect it. It also means that it’s still encrypted while it sits on the server that it reaches after it moves.
This is quite a bit different from the way things are done today. Database encryption, for example, stops protecting data when it leaves the database, leaving it vulnerable to eavesdropping by hackers. The data-centric model, on the other hand, doesn’t leave gaps like this. It always protects data, no matter where it goes. When it does this, it provides the best way to defeat the determined and well-funded cyber-criminals like those that compromised Heartland. It may even turn out to be the only way to defend against them.
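As an added illustration of the data-centric model described above (this is example code, not code from the original post or from Heartland), the following Go program encrypts a card number with AES-GCM at the point of capture and only decrypts it on the processing node, so every hop and server in between handles nothing but the encrypted token; the key, the transaction ID and the sample card number are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CardToken is all that crosses the network or rests on intermediate servers.
type CardToken struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: PAN is unreadable without the key
	TxnID      string // associated data: token is only valid for this transaction
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts the PAN at the point of capture, before it enters the network.
func Protect(key []byte, pan, txnID string) (CardToken, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return CardToken{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardToken{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(txnID))
	return CardToken{Nonce: nonce, Ciphertext: ct, TxnID: txnID}, nil
}

// Unprotect runs only on the processing node that holds the key; altered or replayed tokens fail.
func Unprotect(key []byte, tok CardToken) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, tok.Nonce, tok.Ciphertext, []byte(tok.TxnID))
	if err != nil {
		return "", errors.New("token rejected: tampered or bound to another transaction")
	}
	return string(pt), nil
}
```

Because the transaction ID is bound in as associated data, a token copied off the wire cannot be reused against a different transaction, and any modification in transit is detected when the processing node tries to open it.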