If You Are “in the Cloud,” You May Still Be Exposed to PCI Compliance Risk

December 11, 2013 • Categories: Best Practices, Industry Topics

Here’s a news headline that is currently scaring security executives and causing a few sleepless nights: “NSA Has Hacked 50,000 Computers Globally.” What does this have to do with PCI compliance, you might ask? If the National Security Agency can easily hack into private computer networks, place malware that can report back and destroy when activated, and gather encrypted information, decrypt it and then use the data as it pleases, then organized crime may only be a few steps behind before putting their own version into cyberspace.

Previous horror stories now make sense

Over the past five years, quite a few lower-level card issuers and acquirers, the ones that never appear in the press, were informed by the card associations that their systems had been hacked and that they may have been compromised, regardless of any segregation controls that may have been in place. Deadlines for PCI compliance and a schedule of punitive fees were delivered, without the possibility of recourse or argument.

When pressed for specific evidence, these firms were advised that spyware belonging to the Secret Service or some other undisclosed agency had detected the presence of known criminals on their servers. It was unclear whether the crooks had walked off with any personal information or whether any losses would be recorded at the point of sale, but the fines were levied until full compliance, including broad-based encryption techniques, was attained. Those that protested soon found that the card associations never overturn a previous ruling. Dictatorships work that way.

Why should an acquirer be concerned today?

PCI compliance standards are all about protecting financial information, personal data, or intellectual property of any kind, generally by using math-driven encryption techniques. The math, however, can be broken if the crooks can obtain your private keys, which are often handed over willingly to a third party, especially if you have joined the wave of companies outsourcing their processing to entities “in the cloud.”

“Cloud computing” is the term associated with these cost-cutting strategies. It has been a major trend of late in the software and hardware services industry. With respect to PCI DSS standards, there has been considerable debate in the interpretation of how cloud computing could be integrated into payment processing. The PCI Security Standards Council (SSC) published its guidelines on the topic earlier this year, thereby removing much of the confusion in the marketplace.

What is the lesson from the NSA news headline?

Data security, when using encryption methodologies, is only as good as the special keys that drive encryption in the first place. Ensure that your third-party service providers are protecting these keys and blocking access through a “back door” to derive their secrets. If NSA technology can perform this task, then assume that criminals can, too. If you can take back your customer keys, then do so.
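The two points above, that encryption is only as strong as custody of the keys and that you should take your customer keys back from a third party where you can, are easiest to see in code. The following is an added illustration, not code from the original post or from any particular service provider: it uses envelope encryption with the Go standard library's AES-256-GCM, where each record is encrypted under its own data-encryption key (DEK) and that DEK is wrapped under a key-encryption key (KEK) that stays with the customer. The provider stores only the envelope. The type and function names (Envelope, ProtectRecord, RecoverRecord, Rewrap) and the sample record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the outsourced provider stores: the record encrypted under a
// per-record DEK, plus that DEK wrapped under the customer's KEK.
// The KEK itself never leaves the customer.
type Envelope struct {
	WrappedDEK []byte // AES-GCM(KEK, DEK): nonce || ciphertext || tag
	Ciphertext []byte // AES-GCM(DEK, record): nonce || ciphertext || tag
}

// GenerateKey returns a fresh 256-bit AES key from the OS CSPRNG.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts and authenticates plaintext with AES-256-GCM under key,
// prefixing the random nonce so open can recover it.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any tampering fails authentication.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// ProtectRecord runs on the customer side: a fresh DEK encrypts the record,
// the KEK wraps the DEK, and only the Envelope is handed to the provider.
func ProtectRecord(kek, record []byte) (Envelope, error) {
	dek, err := GenerateKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// RecoverRecord needs the KEK: without it the DEK cannot be unwrapped, so
// whoever holds only the Envelope (the provider, or an intruder on the
// provider's servers) gets nothing.
func RecoverRecord(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext)
}

// Rewrap moves an Envelope to a new KEK (taking the keys back, or rotating
// them) without decrypting or re-encrypting the bulk record.
func Rewrap(oldKEK, newKEK []byte, env Envelope) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK)
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap DEK: %w", err)
	}
	wrapped, err := seal(newKEK, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek, _ := GenerateKey()
	// Constructed sample record; a real one would be the cardholder data.
	env, _ := ProtectRecord(kek, []byte("sample cardholder record, last4=1234"))
	other, _ := GenerateKey() // a key an intruder might hold instead of the KEK
	if _, err := RecoverRecord(other, env); err != nil {
		fmt.Println("without the customer KEK:", err)
	}
	pt, _ := RecoverRecord(kek, env)
	fmt.Printf("with the customer KEK: %s\n", pt)
}
```

The design choice that matters here is where the KEK lives: if the provider also holds it (or can reach it through a "back door"), the envelope buys nothing, which is exactly the exposure the headline describes. Rewrap shows why taking keys back is cheap when envelopes are used: only the small wrapped DEKs are re-processed under the new KEK, not the stored ciphertext, and afterwards the old KEK no longer opens anything.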

News stories tend to focus on large breaches of security, yet the fact of the matter is that attacks against Level 4 and franchise merchants are on the rise in the United States. PCI DSS compliance standards may have been in the marketplace for nearly a decade, but the network of participants and service providers has only gotten more complex.

Concluding Remarks

Our Electronic Age has come with both benefits and risks. PCI compliance is but one attempt at addressing the latter in today’s fast-paced business environment, but the complexity of the industry suggests that industry experts, having faced many varied problems with creative solutions, may be your best bet for tackling these challenges.
