Recently we have heard of some great successes with international arrests of alleged perpetrators of criminal attacks on our retail payment systems (see https://www.linkedin.com/today/post/article/20140723184327-606637-fighting-cybercrime-with-cooperation?trk=object-title for example). While coordinated arrests and prosecutions are a minimum response, they are not sufficient to protect an industry bleeding Regulation E payouts.
The Payment Card Industry (PCI) Data Security Standard (DSS) (https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf), while presenting quaint methods to protect small businesses from hack attacks, does not go far enough to protect payer data from interception between the point of sale in the retail lane and an acquiring node or point of presence. Retailers deploy payment system equipment known to be vulnerable to unsophisticated attacks within this hazardous real estate, and all the standard requires is that payment equipment operate behind firewalls and that owners catalog the software running on it. The DSS does have other requirements, and in some cases mandates independent inspections, but it does not catalog the common attacks against the origination of payment data and makes no suggestions for defense against the types of attacks used in specific payment environments.
I recently wrote about two methods for detecting attacks in retail payment settings: one uses the relatively static memory environment of some equipment, the other recognizes increased changes in response time within the attack zone. There are thousands of other approaches to detect an attacker's presence, and yet the DSS remains mute on the topic. When I watch the airline industry respond to accidents or criminal attacks, I wonder why the payment industry does not attempt to prevent harm equally as well. Yet we plan to spend billions of dollars implementing EMV, which addresses less than half the types of attacks the payment industry experiences. What are we, nuts!
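As an added illustration (not code from the original post or from any PCI document), the two detection ideas mentioned above can be sketched from the defender's side: a memory-integrity check that hashes fixed-size chunks of a snapshot of a region that should stay static and reports which chunks drifted from the baseline, and a response-time monitor that compares a recent window of transaction latencies against a baseline using a robust median/MAD score. Function names, chunk size, the threshold, and all sample data are constructed assumptions for this example.

```python
import hashlib
import statistics
from typing import Dict, List

# Assumed chunk size for the memory comparison (not a value from the post).
CHUNK_SIZE = 256


def chunk_digests(snapshot: bytes, chunk_size: int = CHUNK_SIZE) -> List[str]:
    """SHA-256 of each fixed-size chunk of a memory snapshot."""
    return [
        hashlib.sha256(snapshot[i:i + chunk_size]).hexdigest()
        for i in range(0, len(snapshot), chunk_size)
    ]


def memory_drift(baseline: bytes, current: bytes, chunk_size: int = CHUNK_SIZE) -> List[int]:
    """Return the indices of chunks whose contents differ from the baseline.

    A region that is expected to be static (firmware, code pages) should yield
    an empty list; any non-empty result is worth an alert and a follow-up.
    A size mismatch is itself a drift signal, so it is reported as every chunk.
    """
    if len(baseline) != len(current):
        return list(range((max(len(baseline), len(current)) + chunk_size - 1) // chunk_size))
    base = chunk_digests(baseline, chunk_size)
    now = chunk_digests(current, chunk_size)
    return [i for i, (b, c) in enumerate(zip(base, now)) if b != c]


def response_time_anomaly(baseline_ms: List[float], window_ms: List[float],
                          k: float = 3.0, min_scale_ms: float = 1.0) -> Dict[str, float]:
    """Score a recent window of response times against a baseline.

    Uses the median of the baseline and its median absolute deviation (MAD,
    scaled by 1.4826 so it approximates a standard deviation for normal data).
    When the baseline is perfectly regular (MAD == 0), a floor of min_scale_ms
    avoids division by zero. A window median more than k scaled-MADs above the
    baseline is flagged; only slowdowns are flagged, since added latency is the
    signal of interest here.
    """
    base_median = statistics.median(baseline_ms)
    mad = statistics.median(abs(x - base_median) for x in baseline_ms)
    scale = max(1.4826 * mad, min_scale_ms)
    win_median = statistics.median(window_ms)
    score = (win_median - base_median) / scale
    return {
        "baseline_median": base_median,
        "window_median": win_median,
        "score": score,
        "flag": score > k,
    }


# Constructed sample data: a 4 KiB "static" region and a tampered copy.
BASELINE_SNAPSHOT = bytes(i % 251 for i in range(4096))
TAMPERED_SNAPSHOT = bytearray(BASELINE_SNAPSHOT)
TAMPERED_SNAPSHOT[600] ^= 0xFF  # one byte changed inside chunk index 2
TAMPERED_SNAPSHOT = bytes(TAMPERED_SNAPSHOT)

# Constructed latency samples in milliseconds.
BASELINE_LATENCIES = [42, 44, 41, 43, 45, 42, 44, 43, 42, 44]
NORMAL_WINDOW = [43, 42, 44, 43, 42]
SLOW_WINDOW = [58, 61, 57, 60, 59]


if __name__ == "__main__":
    print("changed chunks:", memory_drift(BASELINE_SNAPSHOT, TAMPERED_SNAPSHOT))
    print("normal window:", response_time_anomaly(BASELINE_LATENCIES, NORMAL_WINDOW))
    print("slow window:", response_time_anomaly(BASELINE_LATENCIES, SLOW_WINDOW))
```

In practice the baseline snapshot and latency distribution would be captured during a known-good commissioning window and re-checked on a schedule; the MAD-based score is deliberately robust to the occasional slow transaction so that a single outlier does not trip the alarm.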