Thursday, July 24, 2014

The Payment Services Industry’s Pathetic Response to Criminal Attacks

Recently we have heard of some great successes with international arrests of alleged perpetrators of criminal attacks on our retail payment systems (See  for example). While coordinated arrests and prosecutions are a minimum response, they are not sufficient to protect an industry bleeding Regulation E payouts.

The Payment Card Industry (PCI) Data Security Standard (DSS), while presenting quaint methods to protect small businesses from hack attacks, does not go far enough to protect against interception of payer data between the point of sale in the retail lane and an acquiring node or point of presence. Retailers deploy payment system equipment known to be vulnerable to unsophisticated attacks within this hazardous real estate, and all the standard requires is that payment equipment operate behind firewalls and that owners catalog the software running on it. The DSS does have other requirements, and in some cases mandates independent inspections, but it does not catalog the common attacks against the origination of payment data and makes no suggestions for defending against the types of attacks used in specific payment environments.

I recently wrote about two methods for detecting attacks in retail payment settings: one uses the relatively static memory environment of some equipment, the other recognizes increased changes in response time within the attack zone. There are thousands of other approaches to detecting an attacker's presence, and yet the DSS remains mute on the topic. When I watch the airline industry respond to accidents or criminal attacks, I wonder why the payment industry does not attempt to prevent harm equally well. Yet we plan to spend billions of dollars implementing EMV, which addresses less than half of the types of attacks the payment industry experiences. What are we, nuts!
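As an added illustration of the two detection ideas mentioned above (this is example code written for this page, not code from the original post), the sketch below baselines a memory region that should stay static between transactions and watches for a sustained rise in lane-to-acquirer round-trip time. The baseline region, the timing samples and the 1.5x threshold are all constructed assumptions; a real terminal would expose its memory through vendor tooling and the threshold would be tuned per site.

```python
import hashlib
import statistics

# Constructed stand-in for a code/data region captured from a known-good
# terminal image; on real equipment this comes from vendor tooling.
BASELINE_REGION = bytes(range(256)) * 4


def region_digest(region: bytes) -> str:
    """SHA-256 of a memory region that should not change between transactions."""
    return hashlib.sha256(region).hexdigest()


BASELINE_DIGEST = region_digest(BASELINE_REGION)


def memory_changed(snapshot: bytes, expected_digest: str = BASELINE_DIGEST) -> bool:
    """Method 1: any drift in a region expected to be static is a finding."""
    return region_digest(snapshot) != expected_digest


def latency_anomaly(baseline_ms, recent_ms, max_ratio=1.5, min_samples=5) -> bool:
    """Method 2: flag a sustained rise in round-trip time within the attack zone.

    The median is used so a single slow transaction (a network hiccup) does not
    trip the check; only a shift across the whole recent window counts.
    """
    if len(baseline_ms) < min_samples or len(recent_ms) < min_samples:
        return False  # not enough data to say anything
    return statistics.median(recent_ms) > max_ratio * statistics.median(baseline_ms)


def assess(snapshot: bytes, baseline_ms, recent_ms) -> list:
    """Run both checks and return the names of the findings, if any."""
    findings = []
    if memory_changed(snapshot):
        findings.append("memory-drift")
    if latency_anomaly(baseline_ms, recent_ms):
        findings.append("latency-shift")
    return findings


if __name__ == "__main__":
    # Constructed timing samples (milliseconds) for a quiet lane and a slow one.
    quiet = [40, 42, 41, 43, 40]
    print(assess(BASELINE_REGION, quiet, [41, 42, 40, 43, 44]))   # []
    print(assess(BASELINE_REGION, quiet, [70, 75, 68, 72, 80]))   # ['latency-shift']
```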

Next Blog: The three stooges
