Wow! Are we all PCIed out? The Network Solutions breach was announced on Friday 24th, and four or five days later we still haven't heard any accusations about whether they were or were not PCI compliant!
Perhaps that sinking feeling is transforming into a realisation that there's not much PCI compliance can do to thwart attacks like this one. A security policy and audit regime might deter amateurs and reduce accidental breaches, but it will never stop organised crime gangs, let alone insiders lured by the easy money to be made from lifting 573,928 credit card records.
Forrester estimates that the cost of a data breach for a large organisation is around $200 per compromised record, which for Network Solutions' 573,928 records works out to roughly $115 million. It's a reasonable estimate when you think about all the hoops they are now jumping through:
- forensic investigations (according to Data Loss DB, Network Solutions seems to have taken 6 weeks after detection before making its announcement -- fair enough too, to get to the bottom of the incident)
- managing relations with each of the 4,343 affected merchants (if you spent just one day with each merchant helping them through this, that's over 4,000 person-days, or about 21 person-years of effort. And you can bet senior management would be putting in overtime)
- managing relations with the other 6,000 merchants not affected
- helping merchants help their customers (ouch)
- paying for 12 months of free credit watch services for half a million card holders
- media, media and more media
- legal costs
- lost business.
We will never rid ourselves of credit card fraud and ID theft until we make stolen personal data worthless. The much hyped end-to-end encryption as currently conceived won't provide any fundamental protection, because it doesn't stop replay of stolen numbers: encryption protects the data in transit, but a card number is still a static credential that authenticates by mere possession, so whoever reads it in the clear at either endpoint can reuse it. Stolen data will therefore remain highly prized. If criminals today have the wherewithal to install sniffer code inside Network Solutions' servers, then they will be able to play the same game behind one end of any future end-to-end encryption layer.
Many of us believe the fundamental fix lies in chip technologies. CAP was a good start, but it's frustrating to use and it doesn't scale well, because the codes it produces can only be checked by the issuer, so validation still requires centralised servers. The bulk of my company's research has been on a longer term digital signature based solution that uses chip cards in connected readers (as showcased by Finextra at the beginning of the year) to create tamper proof transactions that are faster and simpler for merchant servers to validate for themselves: a signature over the transaction details can be checked with nothing more than the card's public key, and a signature bound to one merchant, amount and counter is useless if captured and replayed.
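To make the replay argument concrete, here is a small added example (not code from this post, and not Lockstep's design) using only the Go standard library. A toy chip card signs the merchant ID, amount and a per-card counter with an Ed25519 key; the merchant validates with just the card's public key, and rejects a captured transaction that is re-presented, redirected to another merchant, or altered. The Transaction fields, the counter-based freshness check, and the assumption that the merchant already holds the card's public key (in practice from a certificate issued by the scheme) are choices made for this illustration, not details from the post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Transaction holds what the chip card signs. Because merchant, amount and a
// per-card counter are all under the signature, a captured transaction cannot
// be re-presented elsewhere, for a different amount, or a second time.
type Transaction struct {
	CardID   string // public card identifier; nothing in this struct is a secret
	Merchant string
	Amount   uint64 // in cents
	Counter  uint64 // strictly increasing per card
	Sig      []byte
}

// payload is the byte string that gets signed. Length prefixes keep field
// boundaries unambiguous ("ab"+"c" cannot collide with "a"+"bc").
func (t *Transaction) payload() []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d|%d",
		len(t.CardID), t.CardID, len(t.Merchant), t.Merchant, t.Amount, t.Counter))
}

// Card stands in for the chip: the private key never leaves it and the
// counter never goes backwards.
type Card struct {
	ID      string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	counter uint64
}

func NewCard(id string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{ID: id, Pub: pub, priv: priv}, nil
}

// Sign produces a transaction bound to exactly this merchant and amount.
func (c *Card) Sign(merchant string, amount uint64) *Transaction {
	c.counter++
	t := &Transaction{CardID: c.ID, Merchant: merchant, Amount: amount, Counter: c.counter}
	t.Sig = ed25519.Sign(c.priv, t.payload())
	return t
}

var (
	ErrUnknownCard   = errors.New("unknown card")
	ErrWrongMerchant = errors.New("signed for a different merchant")
	ErrBadSignature  = errors.New("signature does not verify (tampered or forged)")
	ErrReplay        = errors.New("counter not above last accepted value (replay)")
)

// Merchant validates on its own: it needs only the card's public key and the
// highest counter it has already honoured for that card. No central server
// is consulted.
type Merchant struct {
	ID       string
	pubKeys  map[string]ed25519.PublicKey
	lastSeen map[string]uint64
}

func NewMerchant(id string) *Merchant {
	return &Merchant{ID: id, pubKeys: map[string]ed25519.PublicKey{}, lastSeen: map[string]uint64{}}
}

// Register stands in for learning the card's public key from a scheme-issued
// certificate (an assumption of this example).
func (m *Merchant) Register(c *Card) { m.pubKeys[c.ID] = c.Pub }

// Accept returns nil only for a fresh, untampered transaction addressed to
// this merchant; every other case names the reason it was refused.
func (m *Merchant) Accept(t *Transaction) error {
	pub, ok := m.pubKeys[t.CardID]
	if !ok {
		return ErrUnknownCard
	}
	if t.Merchant != m.ID {
		return ErrWrongMerchant
	}
	if !ed25519.Verify(pub, t.payload(), t.Sig) {
		return ErrBadSignature
	}
	if t.Counter <= m.lastSeen[t.CardID] {
		return ErrReplay
	}
	m.lastSeen[t.CardID] = t.Counter
	return nil
}

func main() {
	card, err := NewCard("card-0001")
	if err != nil {
		panic(err)
	}
	shopA, shopB := NewMerchant("shop-A"), NewMerchant("shop-B")
	shopA.Register(card)
	shopB.Register(card)
	tx := card.Sign("shop-A", 4999) // genuine purchase at shop-A
	fmt.Println("genuine:            ", shopA.Accept(tx))
	// A sniffer inside shop-A captures tx and tries to cash it in again.
	fmt.Println("replayed at shop-A: ", shopA.Accept(tx))
	fmt.Println("presented at shop-B:", shopB.Accept(tx))
	forged := *tx
	forged.Amount = 1
	fmt.Println("amount altered:     ", shopA.Accept(&forged))
}
```

Contrast this with a static card number: anyone who reads it in the clear can present it to any merchant, as often as they like, and nothing in the number itself lets the merchant tell the thief from the cardholder.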