What's Old is New Again for Europay, MasterCard, & Visa
In light of the recent breaches, we anticipated that everyone would start talking about what to do to prevent these attacks. Well, that is exactly what is happening. The Senate Judiciary Committee held a hearing on Tuesday, February 4, 2014 with Target Chief Financial Officer John Mulligan, where he apologized for the massive data breach that occurred over the holiday shopping season.
Mulligan also offered up a “solution” to the problem, saying “We believe that chip-enabled technologies are critical to providing enhanced protection for consumers.”
For many unfamiliar with the intricacies of information security, it sounds like Europay, MasterCard, and Visa (EMV) is the silver bullet we have been looking for. It’s not.
Everyone is jumping on the cyber security bandwagon, from mainstream news outlets to Congress and general consumers. Some senators are calling for a government takeover of private sector security, while others think voluntary self-assessment regulations are enough.
Let’s set the record straight:
Visa was drafting a security standard back in the late 1990s, called the Cardholder Information Security Program (CISP). This program set the stage for what is now the Payment Card Industry Data Security Standard (PCI-DSS). With over 220 controls, the standard is very thorough in its security requirements, including annual testing and validation.
Larger retailers like Target are required to have a third-party annual review of their Cardholder Data (CHD) compliance program, with an attestation. The PCI regulations are enforced and monitored by the private sector with no federal oversight or involvement. With that in mind, let’s review some comparable federal regulations.
Take the Health Information Portability and Accountability Act (HIPAA) enacted in 1996. Until 2010, no health provider was audited for their compliance to HIPAA. In fact, as of today, most healthcare providers are self-certified as HIPAA compliant. So does a federal mandate help security in the private sector? The answer is no.
Let’s also review privacy, probably the most talked about data element, with very little done to secure it. The federal government is good at telling private companies what to do, but the enforcement is purely reactive. Case in point, the Federal Trade Commission (FTC) will come in after a breach and impose fines, and then mandate that an organization build a security program.
For a moment, let’s assume we could travel back in time to June 2013, and we have the ability to implement EMV. Would we have prevented these recent breaches?
Target had 40 million credit cards compromised, but what about the other 70 million records? Well, those records were consumers’ personal data, such as phone numbers, addresses, emails, etc. So yes, EMV may have potentially prevented 40 million credit cards from being compromised, but the other 70 million consumer data records not tied to a card would still have been leaked, since PCI and EMV are all related to CHD and nothing else.
The bottom line is that organizations need to start looking at building a security program that will address all types of data. Instead of being reactive in this approach, let’s be proactive. If we continue to have discussions just around CHD, I guarantee that in six months the media will be reporting a breach of Personally Identifiable Information (PII), thus more hearings and more media coverage on yet another breach.
Let’s break this cycle and have companies start to implement a security program that will secure all the data these companies hold, rather than just implement a technology that will make one type of data more difficult to compromise. With an effective program, ALL of our data (the consumers’) will be protected!