Monday, May 28, 2012

Over One Million Records Compromised in a Few Weeks

Is there something in the water?

In the past few weeks we have seen over a million records containing personally identifiable information (PII) compromised in data security breaches at Higher Education institutions nationwide.  These are very high-profile and damaging breaches.

First we read about the University of Maine being hacked.  That relatively small breach netted somebody 1,175 Social Security Numbers and 435 payment cards.  However, it was followed almost immediately by news that hackers successfully stole 350,000 personal records from the University of North Carolina at Charlotte.

Now, during this Memorial Day weekend, we learn that hackers executed a "sophisticated and skilled attack" on the University of Nebraska's systems to grab 654,000 student and alumni records.  The data in that breach included "Social Security numbers, as well as addresses, grades, transcripts, and housing and financial aid information. The database also includes information for alumni as far back as the spring of 1985, as well as for people who applied to the university but did not attend school there."

I doubt there is any relation between these data breaches except for one thing: the schools kept a lot of PII (sometimes including payment cards) and they didn't protect it adequately.  

The unfortunate part of all these situations is that they were and remain unnecessary.  PCI is not perfect, but it is prescriptive.  That is, it gives you rules for protecting all your confidential information, not just payment cards.  I have no insights into any of the data breaches noted above except what I read (which, of course, is always dangerous).  But I wonder if the controllers, foundation and development departments, and others responsible for the data followed some simple rules to protect the data?  

For example:
  • Did they restrict access to the data to only those staff with a business need-to-know (PCI Requirement 7)?  
  • Did they encrypt the data in the database (Requirement 3)?  
  • Was there an effective firewall separating the database from the Internet (Requirement 1)? 
  • Did all users have strong passwords, and did they use two-factor authentication when accessing the data remotely (Requirement 8)?  
  • And maybe most of all, how effectively were the PII databases segmented from the rest of the university's environment (Requirement "0")?

I don't know if these three breaches are the beginning of a trend.  However, now may be a good time for everyone to look at PCI and what it can do to protect all of your institution's PII and keep you out of the headlines for reasons you really don't want to be there.

Friday, May 18, 2012

Guidance on Mobile POS Devices

The PCI Council has just released some very interesting (and brief, hence the "at a glance" designation) guidance on mobile payment devices and applications.  The document is quite interesting, and I recommend it to everyone who is looking at mobile devices for their campus for what it says and what it hints is coming.  I think that should include about every campus on the planet (and every retailer, too).

The Council acknowledges what we already know, namely that mobile payments are convenient and risky.  Therefore, the plan is to encrypt the card data at the swipe, before it gets to the device, so the phone is "out of scope."  To keep the phone out of scope, though, you need an "approved secure card reader" and an approved "P2PE solution provider."

The problem, of course, is that there are precious few (if any) approved card readers, and absolutely no approved P2PE solution providers.  Those P2PE solution providers won't be available until this fall at the earliest.  Nevertheless, the PCI Council has pointed the way forward: forget putting a payment app on your iPhone, iPad, Android, or other device; and forget a card swipe dongle (of any shape or make) unless and until it is on the PCI PTS list.  The idea seems to be that any smartphone is going to be too risky for a merchant to use as a POS (or Point of Interaction, POI, in P2PE-speak) device.  

I have to wonder whether the many "sleds" that encrypt card data and are PTS certified would still count.  They should qualify as secure readers, but the problem is they go to the processor, and none of them is "approved" yet.  Darn, just as I was really getting to be a fan of the sleds.

Reading the PCI tea leaves is always risky, but here goes...  I predict that any number of things are going to be focused on P2PE, including mobile payments and a re-thinking of the (famous) PCI Frequently Asked Question 10359.  That is the one that says encrypted data are out of your scope so long as the ability to decrypt exists with a separate entity.  This poor FAQ has been stretched beyond its original intent.  I predict P2PE is going to both (a) be the only -- only! -- way to handle mobile transactions using an i-device, and (b) that the FAQ is going to be re-written to specify the only way to keep encrypted data out of scope is to have an approved P2PE solution.
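The scoping argument running through the two passages above (encrypt at the swipe so the phone only ever handles ciphertext, and keep the decryption key with a separate entity, which is also the point of FAQ 10359) can be made concrete with a small simulation.  This is an added illustration, not code from the PCI Council, the Mobile Payments guidance, or any reader vendor.  The reader serial "RDR-0001", the sample track data, and the HMAC-based cipher and per-swipe key derivation are assumptions: they stand in for what a PTS-approved reader and DUKPT would actually provide, and are not a substitute for either.

```python
"""Toy point-to-point encryption (P2PE) flow.

Reader encrypts at the swipe, the phone only forwards opaque bytes, and the
solution provider alone holds the key and decrypts.  Added illustration; the
cipher and key derivation are simplified stand-ins (assumption) for what a
PTS-approved reader using DUKPT would do.  Do not reuse them as-is.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct


def derive_keys(bdk: bytes, serial: str, counter: int) -> tuple:
    """Per-transaction encryption and MAC keys from the base derivation key
    (BDK), reader serial and swipe counter.  DUKPT-like in spirit only."""
    material = hmac.new(bdk, f"{serial}:{counter}".encode(), hashlib.sha256).digest()
    enc_key = hmac.new(material, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(material, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


class EncryptingReader:
    """Simulated secure card reader.  The BDK is injected once and never leaves."""

    def __init__(self, serial: str, bdk: bytes):
        self.serial = serial
        self._bdk = bdk
        self.counter = 0

    def swipe(self, track_data: str) -> dict:
        self.counter += 1
        enc_key, mac_key = derive_keys(self._bdk, self.serial, self.counter)
        pt = track_data.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, len(pt))))
        header = f"{self.serial}:{self.counter}".encode()
        tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()  # binds serial+counter to ct
        return {"serial": self.serial, "counter": self.counter,
                "ct": base64.b64encode(ct).decode(), "tag": base64.b64encode(tag).decode()}


def phone_forward(blob: dict) -> bytes:
    """All the (untrusted) phone app does: serialise and pass the blob along.
    It holds no key, so the only thing it ever sees is ciphertext."""
    return json.dumps(blob).encode()


class SolutionProvider:
    """The decryption environment.  Only it holds the BDK, so only it ever sees the clear PAN."""

    def __init__(self, bdk: bytes):
        self._bdk = bdk
        self._seen = set()

    def decrypt(self, wire: bytes) -> str:
        blob = json.loads(wire)
        key = (blob["serial"], blob["counter"])
        if key in self._seen:
            raise ValueError("replayed transaction")
        enc_key, mac_key = derive_keys(self._bdk, blob["serial"], blob["counter"])
        ct = base64.b64decode(blob["ct"])
        header = f"{blob['serial']}:{blob['counter']}".encode()
        expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(blob["tag"])):
            raise ValueError("tampered or wrong-key blob")
        self._seen.add(key)
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct)))).decode()


def demo() -> dict:
    bdk = secrets.token_bytes(32)                 # shared only by key injection and the provider
    reader = EncryptingReader("RDR-0001", bdk)     # hypothetical reader serial
    provider = SolutionProvider(bdk)
    track = "4111111111111111=2512"                # constructed test PAN and expiry, not real card data
    wire = phone_forward(reader.swipe(track))
    result = {"phone_sees_pan": track.split("=")[0].encode() in wire,
              "provider_gets": provider.decrypt(wire)}
    try:                                           # same blob presented twice
        provider.decrypt(wire)
        result["replay_accepted"] = True
    except ValueError:
        result["replay_accepted"] = False
    blob = reader.swipe(track)                     # ciphertext altered in transit
    blob["ct"] = base64.b64encode(bytes(len(base64.b64decode(blob["ct"])))).decode()
    try:
        provider.decrypt(phone_forward(blob))
        result["tamper_accepted"] = True
    except ValueError:
        result["tamper_accepted"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is structural, not cryptographic: `phone_forward` has no key and no decrypt path, so whatever malware runs on the phone can only capture or tamper with ciphertext, and tampering is caught by the provider's tag check.  Scope then follows the key, exactly as the FAQ describes: the phone is out, the reader and the provider's decryption environment are in.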

This whole P2PE situation will be interesting to observe, and I suggest everyone involved with PCI monitor developments closely.  At the recent PCI workshop, we had an outstanding presentation and extended discussion of how to handle the growing business need for mobile payments.  I only wish this document had been available earlier.  It begins to bring together so much of what we heard, both on mobile and P2PE.

At the EDUCAUSE Security Professionals Conference this week, I did a half-day session on P2PE and tokenization.  We covered a lot, but we only touched on mobile payments.  I have to admit that I didn't see this coming, but I should have.  It is so logical and completely in line with the direction the PCI Council is going.  That is, that personal smartphones are inherently insecure, so merchants need to keep them out of scope.  We all know that.  Except in this case, it took a little PCI wake-up call for me to get it.