Breach Hearings: How Did Security Fail?
Testimony Before Congress Reveals Encryption Gaps
Encryption gaps in retail payment card transactions were highlighted at a U.S. House hearing on Feb. 5 that examined security in the aftermath of malware attacks against point-of-sale systems at Target Corp. and Neiman Marcus.
At the hearing of the Energy & Commerce Committee's Subcommittee for Commerce, Manufacturing and Trade, executives from Target and Neiman Marcus testified that their breaches occurred when data from the magnetic stripes on credit and debit cards was collected in the clear at the point of sale before being encrypted as payment transactions were processed.
"Mag-stripe data was compromised prior to encryption within our system," John Mulligan, Target's executive vice president and CFO, testified. "Data comes into the point-of-sale systems from the mag-stripe unencrypted."
Michael Kingston, senior vice president and CIO at Neiman Marcus, described the same scenario. "The information was scraped immediately following the swipe - milliseconds before sent through encrypted tunnels for processing," he testified.
Data in Clear Raises Concerns
Why card data is potentially visible to fraudsters at any point during the transaction is perplexing, said Rep. Marsha Blackburn, R-Tenn. Even if companies adhere to mandated industry security practices, such as compliance with the Payment Card Industry Data Security Standard, they can still be breached, she noted.
"There is a difference between compliance and being secure," Blackburn said. In many of the breaches the retail industry has suffered, the affected companies were allegedly PCI-DSS compliant at the time they exposed sensitive data, she added.
Encryption experts say true end-to-end encryption - which would mean card data is never exposed in the clear during a POS transaction - does not yet exist. And end-to-end encryption is not mandated by PCI-DSS, notes Troy Leach, chief technology officer of the PCI Security Standards Council.
"Encryption at the point of sale is not required by PCI-DSS, nor is it required that internal transmissions, within a merchant's own network, are encrypted," Leach says. "It only needs to be encrypted when stored within a merchant network and when transmitted over a public network."
But Leach would not comment on how card data may have been exposed in the Target and Neiman Marcus breaches.
In a recent interview with Information Security Media Group, Bob Russo, general manager of the PCI Security Standards Council, noted that the council has no plans to change or amend version 3.0 of PCI-DSS, the just-issued update to the standard that took effect in January. Russo says version 3.0 already addresses point-of-sale malware risks as well as processor and third-party vulnerabilities; issuing a further update or addendum would be redundant and unnecessary, he contends.
Gaps with EMV?
Even a shift from magnetic stripe cards to chip cards conforming to the EMV (Europay, MasterCard, Visa) standard won't eliminate the possibility of data being exposed at the point of sale, contends Al Pascual, a financial fraud expert and analyst with consultancy Javelin Strategy &amp; Research.
"While card data is secure on an [encrypted] EMV card, it is transmitted in clear text once it has been accessed by the terminal," Pascual says. "End-to-end encryption would involve encrypting the card data at the terminal, and from there all the way through to the issuer. We don't live in a world with true end-to-end encryption, but P2PE [point-to-point encryption] has become an accepted, though less effective, alternative. It simply refers to encrypting card data between two points, typically from the merchant to the processor."
During Senate hearings held Feb. 3 and Feb. 4, much of the attention revolved around the need for stronger payments technology, such as EMV chip and PIN, and a more uniform breach notification process mandated by the federal government (see Finger-Pointing at Breach Hearing and Target, Neiman Marcus Differ on EMV).
Target's Mulligan testified Feb. 4 that a shift from mag-stripe cards to EMV could reduce card exposure, because data stored on an EMV chip is encrypted, while data stored on a mag-stripe is not.
But it's not just data on cards that must be protected, which is why EMV alone will not prevent card data from being breached at the POS, Leach says (see Chip and PIN Not a Cure-All).
"For point-to-point encryption, the data is encrypted either at swipe or within the secure controller of the device, before transmission into the entity's network and before transmission to the processor," Leach says. "While EMV encrypts elements of EMV data to protect the authentication of the transaction, a very important point is that it does not encrypt the account data - not for transmission to the processor or for storage within a merchant's network. This means the PAN [primary account number] is in clear text."
During the Feb. 4 Senate hearing, Leach testified that only end-to-end encryption would ensure card data is never accessible in the clear. "EMV is only one piece. Additional controls are needed," he said.
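The three situations the testimony above describes, modeled as an added Python example (this is code written for this page, not code from Target, Neiman Marcus, the PCI Council or any vendor named here): track data handed to the POS application in the clear after a swipe; an EMV read whose cryptogram protects the authentication while tags 5A and 57 still carry the PAN in clear text; and a P2PE reader that encrypts in its secure controller so the POS application only ever holds ciphertext. The PAN is the well-known Visa test number, the EMV TLV bytes, the "AUTH-REQ" buffer layout, the demo key and the SHA-256 counter-mode keystream are all constructed for the example (a real P2PE reader uses DUKPT-derived TDES or AES keys, not this stand-in). The regex-plus-Luhn sweep is the same pattern RAM scrapers and memory-scanning detection tools use to find track data.

```python
"""Added model of the POS encryption gap: which memory buffers expose a PAN.
scan_for_pans() is the regex + Luhn sweep a RAM scraper (or a detection
sweep hunting for one) runs over process memory.
"""
import hashlib
import re

# Constructed sample card: the well-known Visa test PAN (Luhn-valid, not a real account).
TEST_PAN = "4111111111111111"
TRACK1 = "%B" + TEST_PAN + "^DOE/JOHN^25121011000000000?"
TRACK2 = ";" + TEST_PAN + "=25121011000012345678?"

# Constructed EMV record (BER-TLV): 5A = PAN, 57 = Track 2 Equivalent Data (BCD,
# 'D' separator, 'F' pad), 9F26 = application cryptogram, 9F27 = CID (0x80 = ARQC).
EMV_TLV = bytes.fromhex(
    "5A08" "4111111111111111"
    "5710" "4111111111111111D25121011234567F"
    "9F2608" "A1B2C3D4E5F60718"
    "9F2701" "80"
)

# Track 2: PAN=expiry(YYMM)+service code(3)+discretionary.  Track 1: %B PAN ^NAME^ expiry.
TRACK2_RE = re.compile(rb"(\d{13,19})=(\d{4})(\d{3})\d*")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; scrapers use it to discard false regex hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_for_pans(buf: bytes) -> list:
    """Return the Luhn-valid PANs found in track-formatted text inside buf, deduplicated."""
    found = []
    for regex in (TRACK1_RE, TRACK2_RE):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan) and pan not in found:
                found.append(pan)
    return found


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser: 1- or 2-byte tags, short or 0x81 long-form length."""
    fields, i = {}, 0
    while i < len(data):
        tag, i = data[i:i + 1], i + 1
        if tag[0] & 0x1F == 0x1F:  # second tag byte follows (e.g. 9F26)
            tag, i = tag + data[i:i + 1], i + 1
        length, i = data[i], i + 1
        if length == 0x81:
            length, i = data[i], i + 1
        fields[tag.hex().upper()] = data[i:i + length]
        i += length
    return fields


def emv_pan_in_clear(tlv: bytes) -> str:
    """Tag 5A is the BCD-packed PAN; nothing in the EMV record encrypts it."""
    return parse_tlv(tlv)["5A"].hex().upper().rstrip("F")


def emv_track2_as_text(tlv: bytes) -> str:
    """Track 2 Equivalent Data (tag 57) as a POS app renders it for the authorization message."""
    return parse_tlv(tlv)["57"].hex().upper().rstrip("F").replace("D", "=")


def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in keystream (SHA-256 in counter mode) so the example needs no dependencies.
    # NOT a vetted cipher: a real P2PE reader uses DUKPT-derived TDES/AES keys.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def reader_encrypt(track: str, key: bytes) -> bytes:
    """What a P2PE reader's secure controller emits: ciphertext, never the track."""
    return bytes(a ^ b for a, b in zip(track.encode(), _keystream(key, len(track))))


def processor_decrypt(blob: bytes, key: bytes) -> str:
    """Only the processor (the other 'point') holds the key and sees the track again."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()


def pos_memory_views(key: bytes = b"constructed-demo-key") -> dict:
    """PANs a memory scraper recovers from the POS application's buffer in each scenario."""
    swipe_buf = ("AUTH-REQ amt=0042.17 " + TRACK1 + TRACK2).encode()
    emv_buf = ("AUTH-REQ amt=0042.17 arqc=" + parse_tlv(EMV_TLV)["9F26"].hex()
               + " track2=" + emv_track2_as_text(EMV_TLV)).encode()
    p2pe_buf = b"AUTH-REQ amt=0042.17 blob=" + reader_encrypt(TRACK2, key)
    return {
        "magstripe": scan_for_pans(swipe_buf),
        "emv": scan_for_pans(emv_buf),
        "p2pe": scan_for_pans(p2pe_buf),
        "p2pe_decrypted_at_processor": processor_decrypt(reader_encrypt(TRACK2, key), key),
    }
```

Running `pos_memory_views()` returns the test PAN for both the mag-stripe and the EMV buffers and an empty list for the P2PE buffer, which is the whole of Leach's point: the cryptogram in tag 9F26 authenticates the transaction, but the PAN in tags 5A and 57 reaches the POS application as plainly as a swipe does, and only encryption inside the reader keeps it out of the memory a scraper reads. The same scan, run over a process memory dump of a real POS host, is a workable first detection check for exposed track data.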
Phillip Smith, senior vice president at Trustwave, a cybersecurity and retail breach response firm, testified at the Feb. 5 House hearing that businesses must go beyond PCI to ensure security. "A common misconception is that PCI was designed to be a catch-all for security," Smith said.
Retailers and others need stronger incident response plans and more security for Web applications and gateways, to protect their networks from malware attacks, zero-day vulnerabilities and data loss, Smith said.