Friday, November 30, 2007

Got advertisement? Maybe you should shout your PCI compliance from the rooftops!

Will advertising the fact that you are PCI compliant make you more of a target? I don’t believe so.

Here’s why. It’s no longer the proverbial pimply-faced kid who is hacking into the company; it is organized crime. And what do these guys want? Money, pure and simple, and the quickest route to it is sensitive information such as cardholder data. They are not here for the glory and peer recognition that comes from breaking into a trophy account. In fact, if you advertise the fact that you are PCI compliant, I think it will deter them from attacking you: it tells them you don’t store swipe (magnetic-stripe) data anywhere, and that whatever card data you do keep is encrypted or otherwise rendered unreadable. Why should they even bother when there are multiple, easier, juicier targets just another click away?
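As an added illustration (not code from the original post or from BitArmor), here is a small Python scanner for the check a retailer would want to run before making that claim: it looks through logs or exported files for full magnetic-stripe track data, which PCI DSS requirement 3.2 forbids storing after authorization even in encrypted form, and for Luhn-valid primary account numbers (PANs), which requirement 3.4 says must be rendered unreadable wherever they are stored. Findings are reported with the PAN masked to the first six and last four digits. The log lines are constructed sample data and the function names are my own.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")
# A bare PAN: 13-19 digits, optionally separated by spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out timestamps, order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS req. 3.3 masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return (kind, masked_pan) findings for one line.

    Track data is reported first; its span is blanked out before the bare-PAN
    pass so the same card is not reported twice.
    """
    findings = []
    remaining = line
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
            remaining = remaining.replace(m.group(0), " " * len(m.group(0)))
    for m in PAN_RE.finditer(remaining):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings


def scan_text(text: str):
    """Scan multi-line text; returns [(line_no, kind, masked_pan), ...]."""
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, masked in scan_line(line):
            results.append((n, kind, masked))
    return results


def has_sensitive_auth_data(results) -> bool:
    """True if any finding is full track data, which may never be stored post-authorization."""
    return any(kind.startswith("track") for _, kind, _ in results)


# Constructed sample POS log (hypothetical; 4111111111111111 is a well-known test PAN).
# Line 3 carries a 16-digit transaction reference that is not Luhn-valid, so it
# must not be reported; line 5 is already masked and must not be reported either.
SAMPLE_LOG = """\
2007-11-30 12:01:02 POS-07 auth ok card=4111111111111111 amt=42.17
2007-11-30 12:01:03 POS-07 DEBUG raw track=;4111111111111111=0912101123456789?
2007-11-30 12:01:04 POS-07 INFO txn ref 1234567890123456 status ok
2007-11-30 12:01:05 POS-07 DEBUG raw track=%B4111111111111111^DOE/JOHN^0912101123456789?
2007-11-30 12:01:06 POS-07 auth ok card=411111******1111 amt=19.99
"""


def scan_sample():
    return scan_text(SAMPLE_LOG)


if __name__ == "__main__":
    hits = scan_sample()
    for n, kind, masked in hits:
        print(f"line {n}: {kind:6s} {masked}")
    if has_sensitive_auth_data(hits):
        print("FAIL: full track data found; this must not be stored, even encrypted")
```

Run against the constructed log it reports the clear-text PAN on line 1 and the track-2 and track-1 dumps on lines 2 and 4, and flags the run as failing because track data is present; the Luhn test is what keeps the transaction reference on line 3 out of the report. Point it at real logs, database exports or backups, never at the scanner's own output, since even masked findings are best kept out of general-purpose logs.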

In addition, as consumers become more aware of stolen cards, they will care more about breaches and the impact a breach could have on them personally. The recent survey we did seems to validate this. Do consumers care if you are keeping their data safe? In the long term, absolutely. They will start to take notice and bring their business to companies that can promise, and deliver, a higher degree of security.

So go ahead, proudly proclaim your resolve to secure your customer data as if it were your own. And brandish your PCI compliance as a badge of honor.

Wednesday, November 28, 2007

New survey: Consumers plan to sharply limit use of cards (AKA, have we awakened a sleeping giant?)

We have heard it all over – customers do not seem to be concerned about retailers mismanaging their data. They still spend money in those stores. It does not impact retailer revenue or stock price. So, let us not worry about it too much.
Wrong. I believe it is just a matter of time before consumers understand the issue and become intolerant of sloppy data protection. And maybe that time has come. The recent story on “60 Minutes” is shining a light on the issue and is an indicator of rising consumer awareness.
Coincidentally, we at BitArmor, in partnership with several local TV news departments, conducted a survey over the Black Friday weekend (400 respondents) on this very issue. The results are significant, if not surprising:
· Three out of four consumers are concerned about companies not adequately protecting their data;
· Two-thirds of consumers plan to use their credit card for less than 25% of their holiday purchases;
· Only around 2% say they will continue shopping at a retailer they have heard does not do a good job of protecting data;
· More than 40% have had their identity stolen or know of someone who has;
· 75% of respondents say they would warn friends and family if they knew a store where they shopped wasn’t adequately protecting their data, 33% would sign up for credit monitoring and around 70% say they would be more careful while using their cards.
This should serve as a huge wake-up call to any company that handles sensitive payment card data: their customers are seeing what’s going on, and they don’t like it. Shoppers are increasingly concerned about what’s happening to their data. It is reflected in fewer people using their credit cards, and in their saying they will shop at other stores if they don’t feel their personal information is being adequately protected. It seems we have awakened a sleeping giant: consumers who are spreading the word among friends and family about which retailers they consider “poor” from a data protection point of view.
I’ve talked with some analysts who reject the notion that things will ever change. They say that consumers talk a good game, but don’t change their actual buying habits. Perhaps…but when “60 Minutes” starts referring to TJX by name, and calling its security efforts “outdated” and “obsolete,” I have to believe that a lot of shoppers will think twice before using their credit cards there right away. (And apparently Michael Horowitz at CNET agrees with me.)
All this points to the importance of securing customer data and making sure the right policies are in place. Is that enough? Maybe, but to increase customer confidence, retailers will also have to work just as hard at protecting their brand and building the perception of trust.

Monday, November 26, 2007

Got Sopranos? Yet another thing I did not know as much about

The recent trip to the RSR conference gave me another nugget (from Mike Dahn of the Aegenis group) that I knew about peripherally, but did not understand to its full extent. One of the common misconceptions about breaches is that most are the handiwork of some lonely, Mountain Dew-guzzling teenager, bored of playing video games and looking for some real kicks. There are some of those, no doubt, but it seems that hacking has become the new organized crime. It may not be as widely known as the drug cartels or the arms dealers, but information is becoming the new “dust.”
Credit card numbers, card swipe data, etc., are selling for a king’s ransom in this marketplace. You saw this recently on 60 Minutes. There are websites that offer specific cards such as “Visa Gold,” and you can bid on them! Shut one down and another pops up in its stead. Some of these are run eBay-style, with members providing ratings on the “trustworthiness” of the seller! There is every reason to believe that terrorist organizations are using these methods to finance their nefarious goals.
The point to note here is this: there is a lot of money at stake, and that makes cardholder data a prime target for this illegal and very organized business. For companies handling cardholder data, being fully PCI compliant in spirit and letter is the best way to foil it.
There will still be breaches, but let’s at least skew the risk/reward and work/reward ratios enough to make it not worth their while.

Sunday, November 25, 2007

Got Milk? Stuff I did not know about data protection and privacy

I was at the RSR-sponsored data security conference in Las Vegas recently (where Patrick, our CEO, presented on the importance of a data-centric view of protecting and managing data) and stumbled across a few interesting tidbits that I did not know. Here is one that came up during a conversation about consumer privacy and how aggregated data is being mined for interesting information. It is similar to the famous beer-and-diapers correlation, but interestingly different.
Apparently a grocery chain, concerned about attrition, mined data about its customers from its loyalty program to understand the trend (I hope this grocer does not keep personally identifying information and has a good security and privacy policy in place!). They were specifically looking for something that would give advance warning that a customer was about to reduce purchase frequency and maybe stop coming to the store. And what was the bottom line? Milk is the leading indicator!
The short shelf life and ubiquity of milk dictate the purchase frequency of all grocery items in the home, and thus the timing of trips to the store. If a customer finds milk elsewhere (better, cheaper, organic, closer, etc.), they are more likely to purchase other items from that location as well. When customers start reducing how often they buy milk, they are probably buying it from another store.
Interesting, isn't it? Milk – to stop bone loss and customer loss!

Tuesday, November 20, 2007

Who guards the guards, and the evolution of the hackers

Yet another aargh.

Computerworld reports that a former security researcher, John Schiefer, has admitted hijacking a quarter of a million PCs, using spyware to steal bank and PayPal account information, and making money by installing adware on the massive botnet. Mr. Schiefer could get up to 60 years in prison and faces a fine of $1.75 million; sentencing is scheduled for early December.

Great. Simply great. Who guards the guards?

Analyzing this case and broader trends in cybercrime, Rich Mogull claims on his blog that Amrit Williams has “missed the main point.” Williams says that cybercrooks are becoming “more organized, more sophisticated, and much harder to detect with traditional security measures.” Rich says Mike Rothman is closer to the mark when he says it’s not about the level of the penalty, it’s simply about getting caught, which, says Mike, most hackers obviously don’t want to happen.

Rich argues for increased enforcement of laws already on the books, saying that penalties are fine, but as long as you have rules that aren’t enforced, the bad guys will continue to act with a blatant disregard for those laws.

It seems to me that they are all touching on the same fundamental point from different angles. Amrit’s “I shall be more careful and more sophisticated” actually complements and leads to Mike’s “I don’t think I will be caught.” Interestingly, it seems Darwinian: the lesser hackers will become extinct as the stronger ones evolve. As long as there is money to be made, I think we will see evolution.

Wednesday, November 14, 2007

PCI compliance – are you just checking the box?

I will be presenting at the RSR conference this week, and this has me thinking more deeply about the challenges retailers face in complying with the Payment Card Industry (PCI) standards. I speak with many retailers in my role; BitArmor helps them secure and manage cardholder data in their environments. One of the challenges that retail CISOs face is selling senior management on funding PCI initiatives. Often, senior management would rather invest in opening a new store than in purchasing an encryption solution to secure the existing infrastructure. To them, PCI is a necessary evil: many retailers are simply trying to check the compliance box instead of embracing the business benefits that PCI compliance can bring.

Is there value beyond just checking the box?

PCI compliance efforts deliver significant value beyond the immediate data protection benefits. As part of becoming compliant, many retailers are being forced to rethink their systems, data paths, security models, networks, and policies. Fully addressing PCI requires solving these hard process problems, and that is an opportunity to build a strong operational base (one that makes you competitive and agile) for the future of the company. As a result, working towards PCI compliance can increase both revenue and profit.

I see PCI (and so do many retail technologists) as today’s Y2K for retailers. Over the past 10 years, many companies have benefited from their efforts to address the Y2K bug. Y2K catalyzed massive investment in IT infrastructure that improved corporate processes and facilitated more efficient relationships with customers. The similarities between Y2K and PCI initiatives are striking. I believe the benefits will prove to be similar as well.

IT funding exists within many retailers to address PCI challenges. Retailers that take PCI compliance seriously and implement deep operational changes will reap many benefits. Those who view it as an exercise to pass an audit are missing a huge opportunity.

Wednesday, November 7, 2007

Britain mulling "random" audits to enhance data protection

Britain's House of Lords recently issued a report on Internet security, urging the Government to examine “as a matter of urgency” that country's laws regarding standards of data protection as they apply to businesses. The report says current laws on the books don't have enough teeth; it says the government should have the authority to conduct “random audits of the security measures in place in businesses and other organisations holding personal data.”

Wow. Imagine the uproar that would erupt here in the United States if anyone introduced legislation suggesting the government could randomly check whether businesses are keeping their data safe. Granted, most states have laws that mandate public disclosure in the event of a data breach, and Minnesota has passed a law that makes offending businesses responsible for the cost of remediation. But these laws are designed to address post-breach actions; they don’t let the government check before any incident occurs.

At what point, however, does the public become so fed up, so wary of doing business with companies that apparently treat data in a seemingly cavalier manner, that Congress passes such a law as recommended by the House of Lords' report?

We must police ourselves to keep sensitive data under control. We must ensure that private information remains private regardless of where it ends up, on or off the network. And we must train our people to continuously implement the policies we’ve developed; technology is part of that equation, of course, but only part.

If we don’t, we run the risk of falling prey to those who would take advantage of us. And we run the risk of irate lawmakers, driven by irate constituents, imposing new (and onerous) rules that make it far more difficult to conduct business. We fail to control the data entrusted to us at our own risk.