Money, Money, Money

How companies can keep payment information secure as it travels the information highway

May 26, 2016

Ronnie Garrett, Editor

Liza Minnelli once crooned, “Money makes the world go round.” But have you ever thought about what it takes to get money around the world?

On the surface, the payment ecosystem seems simple; it’s a system of hardware and software that transfers money from payer to payee. But dig in a little deeper, and this simplicity erodes to expose a more complicated journey that moves money from one party to another across the information highway.

Every company operates a payment system, whether it exists for general financial transactions or for consumer purchases. And, in every case, several entities are involved in processing payments from start to finish. It begins with card holders and their credit cards then moves to merchants and point-of-sale (POS) systems, card brands, issuing banks and card processors. All of the systems connect to the Internet, making them an attractive target to hackers who range from the kid who knows his way around a computer to the sophisticated crime ring capable of infiltrating the most hardened security system.

With IBM’s 10^th annual “Cost of a Data Breach Study” finding that the average consolidated total cost of a data breach is $3.8 million, up 23 percent since 2013, it behooves all companies to spend the time and the money to properly protect payment processing.

An Eye on PCI

According to the PCI Council, companies should not store cardholder data without encrypting it, and must also protect card readers, POS systems, networks and wireless access routers, payment card data storage and transmission, payment card data stored in paper-based records, online payment applications and shopping carts from hackers. The PCI standard then details how companies can harden these systems to cyberattacks.

“Adhering to PCI standards, if nothing else, is a great start to protect your business,” states Paul Hirschorn, chief technology officer of PEX, a firm that offers prepaid debit cards to businesses seeking to control spend.

But on the flip side, Sam Kassoumeh, cofounder of Security Scorecard, a security rating and benchmarking platform, cautions that companies engaging in compliance-driven security and little else put themselves at risk. “A company should never build a security program because they have to, because credit card companies mandate them to, and they should never use PCI controls to govern how they do business across the industry and in their organization,” he says.

He recommends companies engage in security-driven compliance instead. In other words, do whatever it takes to secure the data in your system, even if it goes beyond what PCI requires. The PCI standard asks more than 200 granular questions, and if a company’s networks are complex and worldwide, implementing this standard can be a complicated endeavor. But if a company has a mature security program in place because they engage in security-driven compliance, they often can readily meet PCI guidelines because they’re already doing more than the standard requires.

Steps to Better Cybersecurity

The first step toward adequately securing payment systems is designating an employee or team of employees to oversee payment card information. “This is a key function that every company must have” Kassoumeh says. “It always starts with the people who have the expertise to ensure the security; if you don’t have the people, there is no system you can buy and no amount of money you can spend that will keep the information secure.”

This security team must possess a complete understanding of the company’s payment ecosystem. When credit card numbers are swiped, where do they go? What data centers do they pass through? Is the information encrypted or decrypted as it takes this journey? Knowing these things helps guide the level of encryption the data requires; encryption levels vary if the credit card information is at rest or in transit.

PCI Standard section 3.5 provides guidance on protecting credit card and cardholder data. Kassoumeh explains this section talks about encrypting data at rest and giving only a few employees the ability to encrypt and decrypt the information. It also recommends that companies segregate this data. “If a credit card number transits through my corporate office, then my satellite offices, then to a storage information center, payment center, and finally the payment card processor, that’s a pretty large footprint, and I have to ensure that entire footprint meets PCI standards,” he says. “I recommend keeping a very, very small footprint for credit card information. Companies that do it best have a small data center that is segregated and has higher, more restrictive security controls than the rest of the company’s network.”

He also recommends placing data in an area that is less obvious for hackers to find. For example, if Amazon is the company’s usual data center, the company might want to store the information under another brand, such as Rackspace. “I segregate it, encrypt it, and have a short list of administrators that protect and monitor the data, and that’s just for data at rest,” he says.

When in transit, encryption methods must be stronger; at minimum companies need to use Transport Layer Security (TLS) 1.1. “There are various encryption strengths that you can be using. Advanced Encryption Standard (AES)-256 is on the strong end of the spectrum, but you can do better than that,” says Hirschorn. “There are PCI guidelines on how you should treat encryption keys, who should know them, how to document who has knowledge of these keys and so on.”

Keeping security patches updated is also critical. If a card processor uses software to encrypt and protect credit card data, but runs version 4.0 when version 5.0 is available and has additional security controls, then the system is vulnerable. “If a system is using an old cryptographic library that can be broken, that’s when we start seeing problems,” Kassoumeh says.

Once a security system is in place, periodic third-party penetration testing comes next. In other words, hire white hat hackers to exploit the system. “PCI mandates it for companies processing 1 million credit cards a year, but it’s a worthwhile endeavor for any company. It’s important to know what your weaknesses are before hackers figure them out,” states Kassoumeh.

Regular monitoring should occur between penetration tests. Employ intrusion detection systems to look for unusual activity on the network and notify network administrators when such events occur. If that system is set to look for 16-digit card numbers and sees that type of data passing through, this allows the company to take action, identify where the data are coming from, and shut down its transmission.

Prevent People Problems

The final step in every successful payment card security program is educating the organization. Employees must be familiar with the why’s and the how’s of protecting payment information. Kassoumeh stresses that meeting PCI guidelines without educating employees has little impact on cybersecurity.

He explains, “Just saying we have to do PCI, doesn’t work. People won’t understand why you are doing it.”

He recommends classifying company data and assigning it risk ratings, then communicating these ratings to employees so they know the classification of the information they work with and the level of care required to keep it secure. Only those employees with access to specific data classes should have the means to access the information.

Thorough education also helps companies ante up the funds to secure their data networks. This knowledge makes it easier for information technology professionals to show executives why there must be an adequate budget for PCI compliance. “It becomes a frictionless conversation because the entire team is unified,” he says.

Supply Chain Cyber Security

While most cybersecurity experts know the security posture within the four walls of their own organization, they often lack knowledge of their vendors, third-party partners or supply chain partners’ security systems.

To gauge the security of their business partners, many companies employ a pen-and-paper questionnaire that asks things like: Do you have anti-virus software? Do you have firewalls? Do you train employees on security awareness? “All of these things are important questions to ask, but it’s hard to validate that information because you don’t have insight into your partner’s security,” states Sam Kassoumeh, cofounder of Security Scorecard.

He explains traditional security tests are intensive and invasive because they simulate a hacker attack. “Companies can run them on their own networks but they can’t run it on their partner’s infrastructure,” he says.

Kassoumeh, who has led security compliance teams in the automotive, manufacturing retail, technology and payment card industries, formed Security Scorecard, a company that assesses an organization’s security risk and security hygiene, to solve this problem.

Security Scorecard noninvasively and nonintrusively assesses a company’s cybersecurity platform. The company uses proprietary sensors to crawl the Internet looking for cybersecurity risks. Some can be very easy to identify, such as a leaked password belonging to an employee or employees tweeting negative things about the company they work for. Security Scorecard also identifies more sophisticated vulnerabilities by reverse engineering malware and building servers to see if malicious actors are attacking a company’s networks.

“We look at website security, network security, employee security awareness and education, and we tap into thousands of sources on the Internet for this data,” he says. The compilation of their efforts is a security rating, much like a credit score, for the companies they scrutinize. Security Scorecard shares this rating with subscribers hoping to learn more about the cybersecurity practices of their business partners.