Is Your Payment Card Data Secure Enough?

Transcription

1 January 2018 Is Your Payment Card Data Secure Enough? 2018 KUBRA

2 Is Your Payment Card Data Secure Enough? Payment Security Matters In 2007, TJX Companies (which includes TJ Maxx, HomeSense, and Marshalls) verified that 45.6 million credit and debit card numbers were stolen over a period of 18 months before the company was able to detect and stop the breach. In 2014, The Home Depot experienced one of the worst retail data breaches of all time, resulting in 56 million stolen customer credit and debit card numbers and a $19.5 million data breach settlement. In 2015, the United States Office of Personnel Management (OPM) announced that hackers stole the personal files of over 4 million former and current government employees, as well as the security clearance background investigations of millions more. 1 The shocking truth is these data breaches could have been limited or avoided altogether had these organizations complied with the Payment Card Industry Data Security Standard (PCI DSS). Of all the companies investigated by the Verizon Enterprise forensics team over the last 10 years following a breach, not one was found to have been fully PCI DSS compliant at the time of the breach. With the acceptance of payment data, organizations must be prepared to address the risks of becoming a target for cyberattacks and data breaches. A 2016 study conducted by the Ponemon Institute revealed that the average cost of a data security breach for U.S. merchants is in excess of four million dollars. 2 Large and complex processes for storing, processing, transmitting, and accessing cardholder data present a more difficult environment to attain and maintain compliance. That is why utilities and government entities are looking to third parties to implement processes like tokenization to limit the size of their compliance task and reduce their PCI DSS scope. The average cost of a data security breach for U.S. merchants is in excess of four million dollars. Tokenization: Stateful vs. Stateless Tokenization is a process that replaces sensitive account data and identifying information such as Primary Account Numbers (PAN) with a unique substitute value or token, making it less vulnerable to a security compromise. Implementing tokenization reduces PCI DSS scope by eliminating the need to store cardholder data. The random tokens used are not considered to be cardholder data and therefore are removed from the scope of PCI DSS audits. There are two types of tokenization solutions: conventional tokenization and secure stateless tokenization. In conventional tokenization, a database is typically used to index and assign a random token to a PAN. This system is considered to be stateful because the tokens are always in one of two states: in-use or not-in-use.

3 While conventional tokenization does enhance the security of payment data, the state of the system requires constant back-ups or replication to avoid data loss and maintain integrity. This is difficult to accomplish, since replication is not instant and can lead to a tokenization vault becoming out of sync, resulting in problematic collisions (multiple tokens issued for the same PAN). Secure stateless tokenization (SST) also replaces sensitive cardholder information with tokens, but it differs from conventional tokenization technology by eliminating the need for a database to index the random tokens. Instead, SST uses static, pre-generated tables containing random token numbers. Every PAN is assigned a token for the life of the table, thus creating an environment that does not change states, and considered to be stateless. It is common for organizations to work with third-party providers to manage their tokenization solutions. With 25 years of experience providing billing and payment solutions to utilities throughout North America, KUBRA understands that tokenization is about more than PCI compliance - it is a strategic business decision. Every KUBRA payment instance is backed by SST technology to provide the highest level of security when accepting payments. Conventional Tokenization Requires a token vault, which adds to the PCI audit scope. Secure Stateless Tokenization Does not require a token vault, reducing PCI audit scope. Unproven, probably insecure token generation method. Improved security with randomly generated tables. Requires database administrator skills to handle complex replication and recovery scenarios driven by database growth and PAN/token mappings. Reduces need for database administrator skills since databases do not grow and old PAN/token mappings do not need to be purged over time. Variable one-to-one correspondence between card number and token. Two tokens are sometimes generated for the same card number. Replication and backup issues can result in failures or inaccuracies in applications. Lack of consistency in PAN/token mappings. Always a one-to-one correspondence between PAN and token. Two tokens never exist for one PAN. No replication and backup issues. 100% consistency in the PAN/token mappings provided by all servers in all data centers. Key rollover (changing the encryption key that protects the random number tables) in the token vault is typically a lengthy, resource-intensive, manual process. Key rollover (changing the encryption key that protects the random number tables) takes minutes.

4 The State of Data Breaches Today When you read the headlines, it seems as though only retailers and entertainment companies are victims of data breaches, but organizations of all kinds are affected. In November 2017, a Vancouver-based payment technology provider suspended their payment operations due to the discovery of security vulnerabilities and issues with their security program. This left the provider s utility clients and their end customers searching for alternative payment options indefinitely. Between January and June 2017, more than 1.9 billion data records were compromised, and less than five percent of the breaches were Secure Breaches, where encryption rendered the stolen data useless. 3 Of those breaches, 88 percent took place in North America, with 781 out of 808 incidents occurring in the United States. 3 It is important to recognize that not all payment security solutions and infrastructures are created equal. In an age where 19,280 data records are stolen or lost in the time it takes you to brush your teeth, security should be taken very seriously, especially when it comes to payment solutions. 4 When you work with a third-party company that employs secure stateless tokenization technology, you re receiving a next-generation highperformance solution designed by cryptographic experts and approved by third-party Qualified Security Assessors (QSA). As you look to optimize your billing and payment solutions for maximum security and PCI audit scope reduction, connect with a company that puts the protection of your organization and the customers you serve first. storage.pardot.com/51442/176077/breach_level_index_infographic_h1_2017_gemalto_inforgraphic.jpg

5 Sources 1. Go Anywhere. 3 Data Breaches That May Have Been Avoided through PCI DSS Compliance. February Ponemon Institute Ponemon Institute Cost of a Data Breach Study. 3. Gemalto. The Reality of Data Breaches. September IT Security Central. How Often Do Data Breaches Occur E Rio Salado Parkway, Suite 535 Tempe, AZ sales@kubra.com