Gartner's Litan on Global Payments BreachIncident Reinforces Gap Between PCI Compliance and Security
Details surrounding the Global Payments breach remain fuzzy, raising questions among security practitioners about how the payments industry can and should improve steps to mitigate card-fraud risks.
For one, it appears Global Payments had an event management system, one that allowed the payments processor to detect the intrusion, even if it was two to three weeks after the breach was suspected of occurring.
But the technology needs to go further.
"That's good they can detect a breach, but it would be better if they could detect it as it is occurring, in real-time," Litan says in an interview with BankInfoSecurity's Tracy Kitten (transcript below).
"I think we will see a big advancement in security systems over the next few years where we can crunch that data in real time and block the bad guys from coming in," instead of seeing that they came in but that they had gotten away with sensitive data, Litan says.
It's just a matter of computing-power getting more expansive, she says, which is a trend the industry is already sees.During this interview, Litan discusses:
- What we currently know about the Global Payments breach;
- Breach impact on financial institutions and merchants;
- How this incident can serve as a catalyst for improving card-fraud prevention.
Litan has more than 30 years of experience in the IT industry and is a Gartner Research vice president and distinguished analyst. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications, as well as other areas of information security and risk. She also covers the security related to payment systems and PCI compliance.
Global Payments Breach
TRACY KITTEN: The breach of Global Payments came to light on March 30, but quite a bit of new information has surfaced since that time. What can you tell us about this breach, based on the information we have so far?
AVIVAH LITAN: The information we have so far came officially from Global Payments this morning on a call they did with industry press and other investment analysts, and they made a big point of saying that there was no merchant involved, no merchant system involved. So that's a little different than the information that others have been talking about, which is credible - that there was a New York City taxi company involved. I don't know how those two link. The other big question - and there's a question and not an answer - was, "Why did Global Payments wait until Friday to disclose their breach?" Why did it have to come out this way if they self-reported it a few weeks ago in early March? So it's still a lot more questions I think than answers.
Breach Notification for Processors
KITTEN: That's a good point that you raised about the breach notification. Global Payments on the call was adamant and kept reiterating the fact that it actually was the one that discovered the breach and notified MasterCard and Visa right away. What obligation would a processor have to notify the public, or is just notifying the card networks enough?
LITAN: I think that's the big question. There's not a lot of transparency here. Presumably, under the rules of Visa and MasterCard, which I have not been given a copy of and it's hard to get a copy of those rules, the processors and other entities that do business with them are obligated to report compromises, but that does not mean they have to report it to the public. I think the public disclosure is guided by state disclosure laws, so none of this would have probably come to light had it not been first reported in Krebs on Security. It's unfortunate that's the way it came about and it's also unfortunate that it's not very clear what's going on. The language that was used by Global Payments is very different than language we've seen before. They talked about 1.5 million records exported. Usually, what you here is how many were potentially compromised, so it's just different.
KITTEN: I would like to go back and talk about the link that you drew earlier and that was the link to some of these transactions that were conducted with the New York City taxi company. What can you tell me about some of those transactions based on what you're hearing in the industry, and do you think that those transactions could possibly point to the breach of a different processor entirely?
LITAN: I really don't know. I know that there was activity discovered that was linked to a New York City taxi company. It may not have been a very large breach, but there was definitely activity linked to that point of entry. It's also a fact that Global Payments does a lot of processing through taxis in New York, but I'm not sure how the two link together. I really wouldn't even want to guess at this point, and I never have wanted to guess. What I was told about and what I've been hearing about - and I think it's common knowledge in the merchant and processor community - was a breach in the New York area and then there are other reports about the Global Payments system so, what's confirmed to be linked is what Visa put an alert out on. But the link with the New York City taxi company, I really don't know. It's not my job to really find out. I'm to talk about the solutions to stop the fraud from happening.
KITTEN: That's something else that was mentioned by some other sources, that the dates for some of these breaches didn't quite jibe, but again I guess until more information comes to light we really can't connect all of the dots.
KITTEN: It's probably also difficult at this particular time to talk about exactly how the breach may have occurred, though Global Payments is still investigating some of this. But what does this breach tell us about PCI compliance or the lack there of?
LITAN: Well, this is the third payment processor that has been PCI compliant and then breached. So if you ask card companies and the PCI Council, they'll say, "Well, they weren't PCI compliant. They may have been PCI compliant at the time of the audit, but not at the time of the breach." So what this tells us is that either we have to have PCI compliance done every second of the day, maybe in an automated fashion which is highly unlikely and impractical, or that the assessors just aren't catching everything, or that it really doesn't mean that much. I'm not exactly sure, but all I know is this is the third large payment processor to get breached at the time they were PCI compliant, so what we like to tell our clients is, "Worry about security first and PCI compliance second because PCI compliance does not equal security. The security usually will make you PCI compliant."
KITTEN: What does this tell us, from a more positive perspective, about some of the detection technologies that payments processors like Global Payments are investing in?
LITAN: It sounds like they had an event management system that picked up the intrusion. It needs to go a step further to block it in its tracks. So, some of the problems with the security monitoring systems is their batch in nature. They collect events and logs from throughout the system, so that's good they can detect a breach, but it would be better if they could detect it as it was occurring in real time. The same thing happened, remember, with RSA Security. They saw the breach of their SecurID system, but they were unable to block it in real time. Now with the advent of new big data computing techniques where you can calculate and massage data in memory at very high speeds with new open architectures, I think we will see a big advancement in security systems over the next few years where we can crunch that data in real time and block the bad guys from coming in, not letting them come in and then seeing, "Oh, you stole some data." I think that it's a matter of just the computing power getting much more expansive and much more capable, and now we can do a lot more that we couldn't do a few years ago. So, it's nice that they saw the breach. It would have been even better if they stopped it.
KITTEN: Before we close, what advice can you offer to card issuing institutions which are seeing fraudulent transactions hitting their account holders now?
LITAN: Well, most of the card issuing institutions are very advanced in picking out the fraud so now that they know where the point of compromise is, I would imagine Visa and MasterCard have given them a list of potentially compromised numbers. So I think they're in good shape. They can put those card numbers in their hot file and have extra alerting or extra watching of those transactions, and they've already got the fraud detection and preventive systems in place. The card issuing banks are in good shape. The people who aren't in good shape are the retailers - the online retailers - because they don't get access to that information on which cards were compromised, but they still have to look for fraud in the case of e-commerce and card-not-present transactions. It would be good for them if they could get a list of those compromised numbers also.