
Evan: Welcome to today’s edition of the StorefrontBacktalk podcast series on security strategy and simplifying PCI. I’m Evan Schuman.
Evan: It’s the IT executive’s most frightening public service announcement commercial. It’s 2 am; do you know where your data is? Far more often than most boards of directors want to know, the answer is no. That might be because of a recent power outage and the lack of clarity on the policies of the AmeriData site. What happens to the emergency backup disk after the crisis is over? Is there a firm policy on that? Or the missing data might be hidden away in a memory stick dropped behind an airplane seat cushion, or it could be on a PDA stolen from the convention floor. A week of exhaustive data sanitation might be futile when a laptop carrying a copy of some forbidden credit card files is brought back in from home and re-synced to the network, re-contaminating the just-sanitized database. Even more frightening, it might be a small marketing group that retains slices of credit card information for an experiment that was never approved by corporate and that no one is going to remember until a cyber thief stumbles upon it in about nine months.
Evan: With us today to try and figure out if there even is a way for IT to regain control of their most sensitive data are two security veterans. We have with us today Mr. David Taylor, the founder of the PCI Knowledge Base, a former security analyst with Gartner and, most importantly, current PCI columnist with us right here at StorefrontBacktalk. Joining Dave today is Mr. JD Oder, founder and chief technology officer for Shift4. Thank you both, gentlemen, for joining us today.
Evan: JD, let me ask you to dive in first. How much of this can be addressed by strict enforcement of policy as opposed to trying to change employee attitudes, in other words attacking the human factors?
JD: You can of course strictly enforce things, you can beat your employees over the head with a stick, and try to keep them constantly toeing the line, but I think at the end of the day you can have a very, very positive, eager employee, you know, your $6-10/hr clerk working at a retail store, and they can feel they’re doing everything right. They’re using the pens on the dollars, they’re checking the credit cards, they’re making sure that they look at everyone’s driver’s license perfectly. They do everything right, but I think it’s more about the fact that they did everything perfectly but then the infrastructure failed. I think the challenge we run into with policy is that policy is words, and it’s the actions and the ability to basically stay focused on a day-to-day basis. When you have an individual, let’s say an IT person, and that person is in control of this data; you know, again, IT people are people. They make mistakes, and when you make a mistake that’s where breaches occur, so what your goal is, I think, in any kind of PCI simplification process is to try to come up with solutions, and it’s a systemic approach, it’s not just about policy. It’s about putting technology in place, that’s things like the standard stuff that we hear about in PCI such as intrusion detection and firewalls and these sorts of things, but it also plays into technology, especially that Shift4 offers, such as tokenization and our 4Go card information replacement technologies, simply because what you want to do is try to remove the data when possible, and when it’s not possible, take the approach of encryption where it’s necessary. And that’s really the only way you can do it, to take that whole systemic approach.
Evan: Dave, what do you think? Is that the best way to go?
Dave: Well, I think we can actually attribute the whole problem to Al Gore and Bill Gates. Basically it’s Al Gore’s fault for bringing us the internet and Bill Gates’s fault for bringing us the PC. ’Cause back in my day, when we all had mainframes and 3270 terminals, we didn’t have these kinds of problems. And facetiousness aside, essentially one of the ways to do this is to move back to an architecture with centralized computing and virtual terminal devices, and so the less storage you put in the hands of individual employees, the less likely they are to be able to put data in a whole bunch of places, whether that’s USB sticks or on their PCs or in their email messages that are sitting on servers all scattered over creation. The point is, it’s going to be incredibly expensive to do this, nobody is going to do it, and so the bottom line is, assuming that we’re not going to change out our corporate architectures and head back to the 1960s in our DeLoreans, what we really need to do is look at how we reduce the volume of data that is all over the place, and finding it and purging it is a necessary thing, whether you’re talking about creating data-flow diagrams by interviewing 40 or 50 people in an organization or whether you’re talking about disabling individual end-user functionality so they can’t right-click on files and save them to their disks, so they can’t capture screens with credit card numbers or other numbers on them and save them to their disk, or so they can’t do a bunch of things that locally save information that doesn’t really belong in a local location. What you really need to do, assuming that you try all those things and you try to educate people and all this other stuff that JD mentioned, where you’re really headed is you need to move this data to as central a location as possible. That may be in a corporate environment. That may be in a third party that has access to your data but controls that access much more strictly than the typical retailer can possibly manage. But that’s kind of where we have to head with this. We either have to go back into the past or we have to greatly confine the data that we have here in the present to as few locations as possible once we can find it.
Evan: It’s a very, very difficult decision. I remember talking to a CIO about 2 months ago and he was saying yes, on the one hand it’s easy to be in these security policy meetings and to maintain a very strict policy on data retention and how we handle it. And yet this same person, being so strict, on a Friday night saw 2 employees going back and they were bringing home laptops filled with data. I said, well, don’t you want to discourage that? And he said, no, I know what we said in the meetings, but I’d rather get all this work done; we’re really behind schedule on 3 different projects. So you’ve ultimately got to make the decision: efficiency and the workforce’s ability to get stuff done, or do you strictly adhere to security? ’Cause there is a cost to this.
JD: Well, I think one of the things that you run into, though, is you have to think about what the data is being used for. That’s an interesting argument in saying that people take this data home. First off, if we’re talking about payment data, and I think that’s what we’re talking about here, you have to make sure that people aren’t going to be taking payment data home on their laptops. One thing we’ve got to do is we have to identify why it is. Let’s say they are doing it for marketing or something of that nature. We have to determine how they are utilizing this data and whether there is something else that we can utilize instead. Things like appropriate hashing algorithms, data in a different form that represents the same data but cannot ever be used as payment data nor stolen. Mechanisms such as tokenization, where you’ve got card replacement technologies, that sort of thing. Things like Shift4’s own 4Go solution, where we can actually take the data directly from the swipe device and immediately encrypt it for end-to-end encryption technologies. You’ve got to take some of these kinds of things out of their hands, and I hate to sound like we have to be a bit parental, but I think in many ways it really behooves those of us in the card payment space to try to come up with mechanisms for point of sale systems as well as for the merchants in general, to be able to explain to them how they can perform the same actions that they’ve always performed but utilizing a number, or a representation, that basically can’t be stolen. I mean, the goal is that if they don’t have it then it can’t be stolen. And so that’s ultimately what we’re trying to do. Now, when you start getting into other types of provocative data, we have to discuss that as well, and I think the key here is to look at this as a very, very corporate-wide, systemic type of approach and look at all of the data that you’re storing, including payment data.
Evan: Excellent. Well, that’s a very, very interesting point, and it’s a matter of whether discipline or IT rationale survives. I appreciate your time very much, Dave and JD, and thank you so very much for your thoughts today. A fascinating discussion. And we’ll be continuing this series on the next segment. For the StorefrontBacktalk podcast series on security strategy and simplifying PCI, I’m Evan Schuman.