Payment Card Industry: Who Told You to Not Check My ID?
Authors: Mike Gentile, CISSP, Co-Founder, CISOHandbook.com/Traxx Consulting Services; Ron Collette, CISSP, Co-Founder, CISOHandbook.com/Traxx Consulting Services; Justin Seely, Writer, CISOHandbook.com
For many organizations that process credit card transactions, compliance with the standards set forth by the Payment Card Industry (PCI) has been a large component of their security program project agenda. Thousands of security professionals are scurrying to implement the list of controls that are required, which, to the credit of the authors of the standard, are fairly well defined and clear. Of course, this article is not about what has been identified within the standard, but instead what has clearly been left out. The PCI phenomenon is yet another classic example of how, as a security community, we fail to address security from a comprehensive (People, Process, Technology, and Facilities) perspective, instead focusing on only a single dimension. In the case of PCI, as is common with most security standards, technology is clearly the focus. The point of this article is to illustrate the impact that such a myopic approach has on all of us.
We will begin by using an example that is based upon a recent incident from one of the writers at CISOHandbook.com. It was this occurrence, in addition to the experiment that followed, which led to the development of this commentary. For the purposes of this article, we will refer to him as Joe to protect his anonymity.
During a recent trip to Las Vegas, Joe lost his driver’s license (somewhere between Mandalay Bay, the airport, and most likely the bar); a common story, with a fairly common outcome. Upon arriving home, he went through the process of working with the Department of Motor Vehicles to obtain a replacement license, placing a fraud-watch on the credit report, and all the miscellaneous tasks that are required when anyone loses personal information and credentials. This was not the first time that Joe had lost his wallet, but the difference between this time and the first time was striking.
The first time Joe lost his license (6 years ago), it was virtually impossible to make a purchase on a credit card without the clerk requesting a photo ID for verification. As a security professional, Joe wasn’t about to complain about this procedure, and was able to remedy the inconvenience by carrying his passport wherever he went until the replacement license arrived.
When Joe returned home from Las Vegas this time, remembering his previous experience without an ID, he immediately started carrying his passport with him everywhere he went. He realized quickly, though, that this was now an unnecessary precaution. Over the course of the next two months, he used his credit card 64 times. During this period he was only challenged for photo identification a total of 5 times. Below we have listed the establishments that did request identification (Bravo!).
• Twice at a movie theatre
• Twice at Costco
• Once at a supermarket
What is interesting to note is that of the three places that did check his ID, two of them checked it both times he tried to use his credit card. Good job, guys and gals! Even more interesting is that his credit card states “see ID” on the back, yet it just didn’t seem to matter. So why is this happening?
Our team believes the reduced importance of checking ID is driven primarily by two items.
1. The Emphasis By Credit Card Companies Away From Security Towards Speed of Transaction – Credit card companies are a classic example of a project that adds a requirement (quicker transaction time) at the expense of security (reduced factors of authentication). Even worse, they have made the decision for all of us, by promoting credit card equipment that puts the majority of the work during a retail transaction on the customer, not the merchant. In fact, in many establishments the merchant does not even have to touch a credit card anymore, making it easier for them to ignore security. The other issue worthy of note is that credit card companies are pushing for even less interaction for transactions in the future. Many are proposing that credit cards become swipe-less, sending wireless signals that automatically pass the credentials to the merchant. This will clearly limit the need for cashier interaction even further. Now maybe going swipe-less is the right solution, but what is interesting about this is that everyone is focusing on only the technical vulnerabilities and concerns with using swipe-less credit cards. Few are paying attention to the fact that this type of transaction further eliminates a factor of authentication, as well as the majority of human interaction (more on the importance of this shortly).
2. Merchants are often not security experts and will only do the minimum that is required. Anything else is often not cost effective – To be honest, who can blame them? If the requirements of PCI are not going to identify the people, process, and facilities portions of security as also being important, then why should the merchant care?
Of course, our test wasn’t scientific, and from a risk viewpoint it only focused on the prospective loss from one credit card transaction by an unauthorized user. This is different from the overall focus of PCI, which is for the most part to help organizations protect the collections of credit card data they maintain. However, our little test still does identify some trends that we believe have some interesting influences on overall security, and bear directly on the goals of PCI.
The first side effect is the removal of the emotional aspects that a criminal feels when attempting credit card theft. In our world today, we are all starting to lean on technology to facilitate our interpersonal interactions, whether it is instant messaging, email, or in this case having a credit card transaction completely handled between only the credit card reader and the customer. It is our opinion that it is more difficult to steal from someone when you have to look that cashier in the eye and have a dialogue, than when you can simply look down and swipe your stolen credit card all the while keeping to yourself.
The second side effect that is interesting to note is a push for employees in general to depend only on the technology they are using to provide all of the security for the task at hand. In our study, we discovered that cashiers at many stores are trained to only ask for ID when prompted by the reader during a transaction; otherwise they do not need to. This is a security phenomenon that is becoming much more prevalent, not just with cashiers, but also within many other areas of an organization. For example, we see all the time network administrators who only focus on security when an event is identified on their intrusion detection systems, or regular employees who think security on their computers is only the job of the anti-virus running on the machine.
So what are the standards put forth by the Payment Card Industry doing to promote a more comprehensive view of security? Unfortunately, in our opinion, not very much. Case in point: of the twelve requirements of PCI, as outlined within the PCI Data Security Standards, 8 of them are strictly of a technical nature, 3 of them are process-related (barely), and only one of them addresses physical security. Sure seems like something is missing; oh yeah, people-related security controls. These controls often include critical items such as adequate training and awareness. So it’s no wonder employees on the front line are only depending on the technology to provide the security function. What other tools and training have we provided to alter their behavior? What is truly sad is that a control like training is one of the most affordable, cost-effective controls to implement, yet it is nowhere to be found within the standard.
The bottom line is we (security professionals) cannot continue to focus solely on technology when addressing security issues or, in this case, protecting all of our credit card data. Come on, PCI folk, you have the opportunity to affect the security attitude and habits of thousands of organizations around the world. If you can’t or won’t get it right, then how do you expect anyone else to? And by the way, as far as the CISOHandbook.com team is concerned, we still want our merchants to check our ID every single time we use our credit card in person!
Mike Gentile, CISSP, Managing Partner, Traxx Consulting Inc.
(mike@cisohandbook.com) Mr. Gentile is a founding partner with Traxx Consulting Inc. He has been involved in various management, consulting and architectural roles for organizations that range from small startups to Fortune 500 organizations for the past 12 years. His accomplishments include the deployment of multi-million dollar technology infrastructures, complete security program development, and leadership for IT architectural and policy based projects aimed at regulatory compliance. Specifically, he has managed the deployment of numerous solutions to address requirements for HIPAA, PCI, GLBA, SOX, and SEC17a.
Mr. Gentile’s educational background is well rounded, holding a BS in Finance from California State University at Sonoma and numerous professional certifications including: CISSP, MCSE (Microsoft Certified Systems Engineer) (4.0), MCSE+I (4.0), SDCA, and Certified Check Point Instructor. Mr. Gentile also serves as a contributing research analyst for Computer Economics (www.computereconomics.com) in the area of information security.
Considered an innovator within the security and technology architecture domains, Mr. Gentile is often invited to present at conferences on topics ranging from Project Management to Anti-Phishing (data theft prevention). For the last two years, he has been selected out of a field of 2400 to present at the most prestigious security conference in the United States: RSA San Francisco. In addition to presentations and seminars, Mike co-authored “The CISO Handbook: a practical guide to securing your company”, published by Auerbach in August of 2005. This book is utilized as course material for numerous advanced education and Master’s programs on security leadership around the world.
Mr. Gentile brings a rare combination of leadership and technical skill to his work with clients. Both in the role of Project Lead and as a Subject Matter Expert, his ability to repeatedly deliver fast, reliable, client-centered solutions has been recognized by a number of customers and project partners, including other consulting firms.
Ron Collette, CISSP, Managing Partner, Traxx Consulting Inc. (ron@cisohandbook.com)
Mr. Collette is a founding partner with Traxx Consulting Inc. He has been working in the field of Information Technologies for 20 years; the past 8 have been focused on multiple aspects of information security, project management, team development, and technical architecture. During his career, he has worked with several Fortune 500 & 100 companies such as Ingram Micro, Countrywide Mortgage Corporation, Resolution Trust Corporation, Pacific Life, and Fluor Corporation. This practical experience is anchored by a sound educational foundation in business and technology.
Mr. Collette graduated from Arizona State University with a BS in Economics with minors in Business Administration and Accounting. His technical education includes Master’s work in software engineering along with several technical certifications, including a current accreditation as a Certified Information Systems Security Professional (CISSP).
Mr. Collette has published and presented papers at numerous recognized technology conferences on topics including IT architecture, IT economics, software development concepts, and enterprise-wide organizational development. Recently, Mr. Collette was selected from a pool of technology process and security experts to present at the International Standards Organization (ISO) on the synergies between world-class information security and business continuity programs. Mr. Collette’s contributions to the security industry also include the release of “The CISO Handbook: a practical guide to securing your company,” where he co-developed a comprehensive methodology for the assessment, design, development, and execution of security programs.
Highly skilled in many ITS disciplines including application programming, network design and operations, database design and administration, security operations, facility design and construction, and security program management, Mr. Collette brings a rare package of professional and technical skills unique among security professionals.
Justin Seely (justin.seely@cisohandbook.com)