Layering security means using more than one technology to detect or foil data theft, but it also includes using sound business practices to stop criminals short.
“The bad guys are very smart. They do their homework, and they’ve proven pretty adept at getting around any one type of solution,” says Julie Conroy, research director for Boston-based Aite Group’s Retail Banking Practice.
To defend themselves, merchants should layer multiple security measures. If one measure fails to deter a crook, another might succeed, industry experts suggest. ISOs can help merchants by explaining the importance of layering, but that’s an ongoing and sometimes difficult task.
Layering, also referred to as defense-in-depth, includes measures that, used together, reduce the criminals’ chances more than any measure can when used alone.
“The underlying belief is that any computer network can be hacked,” says Doug Buan, director of risk management at Wind River Financial, an ISO based in Madison, Wisc. “It’s best to layer your defenses so that hackers decide your network is too difficult and they go elsewhere.”
Buan likens layering to deploying guards throughout a prison instead of stationing just one at the front door.
A merchant might layer security by using both data encryption and tokenization, says Conroy. Data encryption secures data as it’s transmitted along the chain from merchant to issuer. Tokenization replaces sensitive data, such as card numbers, with a substitute set of characters that are useless without a reference database.
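As an added illustration of what "useless without a reference database" means in practice (this is example code written for this page, not the article's or any vendor's), the Python below models a token vault that issues random tokens and then shows why a deterministic hash of the card number does not qualify as a token: with the issuer BIN and the last four digits known, the remaining digits can be brute-forced in seconds. The card numbers are constructed Luhn-valid test values, and the class and function names are assumptions made for the example.

```python
"""Added example: a minimal token vault, and why a token must be random
rather than a hash of the card number. Card numbers below are constructed
Luhn-valid test values, not real accounts; the names are illustrative."""
import hashlib
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check that card numbers must pass (also catches typos)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2:                # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The one component that holds PANs. Everything else in the merchant's
    environment (POS, database, logs) stores only the token, which is what
    takes those systems out of PCI scope."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}  # same card -> same token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # 96 bits from the OS CSPRNG: the token carries no information about
        # the PAN, so the only way back is a lookup in this vault.
        while True:
            token = "tok_" + secrets.token_hex(12)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the system that must send the PAN onward (e.g. to the
        processor) should be allowed to call this."""
        return self._pan_by_token[token]


def masked(pan: str) -> str:
    """What the merchant may keep beside the token for receipts: last four."""
    return "*" * (len(pan) - 4) + pan[-4:]


def naive_hash_token(pan: str) -> str:
    """Anti-pattern: using sha256(PAN) as the 'token'. Deterministic, so
    anyone holding the hash can test guesses against it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest: str, bin8: str, last4: str) -> Optional[str]:
    """Brute-force a sha256 'token' of a 16-digit PAN when the attacker knows
    the 8-digit issuer BIN and the last four (both often appear on receipts
    or in the merchant's own records). Only four digits are unknown, so at
    most 10**4 candidates; even a 6-digit BIN leaves only 10**6."""
    for mid in range(10 ** 4):
        candidate = f"{bin8}{mid:04d}{last4}"
        if luhn_valid(candidate) and naive_hash_token(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number
    token = vault.tokenize(pan)
    print("stored by merchant:", token, masked(pan))
    print("vault lookup:", vault.detokenize(token))
    leaked = naive_hash_token(pan)
    print("hash 'token' reversed to:",
          recover_pan_from_hash(leaked, pan[:8], pan[-4:]))
```

The design point is that the token's value is unrelated to the card number, so a copy of the merchant's token table is worthless on its own; the vault (and its encrypted storage) is the only place where that link exists, which is why it is kept outside the merchant's systems.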
Layers go beyond technology, though, Conroy says. They include business practices, such as ensuring that security is checked whenever systems change. One large data breach occurred because the processor had not re-checked security after introducing products, she says.
Every possible point of failure in a system should have at least one security control that prevents unauthorized access and another that detects such attempts, says Paul Coppinger, president of Apriva POS of Scottsdale, Ariz.
Prevention controls include payment terminals that require supervisor credentials for sensitive functions, with those credentials required to meet a complexity standard and to be changed periodically.
Detection controls include payment terminals that generate reports on all returns, in case a supervisor is abusing his authority, and software that raises an alert whenever someone attempts to log in to a protected system.
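One way to implement the detection side described above, as an added example that is not part of the article and not any vendor's product: the Python below parses a constructed terminal and back-office log (the line format, field names and thresholds are assumptions made for this illustration) and raises alerts for supervisor return activity and for login attempts to a protected system, escalating when a burst of failed logins is followed by a success.

```python
"""Added example: detection controls over constructed POS/back-office log
lines. Log format, field names and thresholds are assumptions for this
illustration, not any real terminal's output."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample log, one day of activity: ts|terminal|event|key=value...
SAMPLE_LOG = """\
2024-03-04T09:12:01|T01|RETURN|cashier=c101|supervisor=s07|amount=19.99
2024-03-04T09:40:13|T02|SALE|cashier=c102|amount=54.10
2024-03-04T10:02:55|T01|RETURN|cashier=c101|supervisor=s07|amount=89.00
2024-03-04T11:30:07|T01|RETURN|cashier=s07|supervisor=s07|amount=120.00
2024-03-04T12:14:20|T01|RETURN|cashier=c103|supervisor=s07|amount=15.50
2024-03-04T13:01:02|T02|RETURN|cashier=c102|supervisor=s11|amount=22.00
2024-03-04T22:05:10|BACKOFFICE|LOGIN|user=admin|result=FAIL|src=10.0.0.23
2024-03-04T22:05:17|BACKOFFICE|LOGIN|user=admin|result=FAIL|src=10.0.0.23
2024-03-04T22:05:29|BACKOFFICE|LOGIN|user=admin|result=FAIL|src=10.0.0.23
2024-03-04T22:06:02|BACKOFFICE|LOGIN|user=admin|result=OK|src=10.0.0.23
2024-03-05T08:00:00|BACKOFFICE|LOGIN|user=jsmith|result=OK|src=10.0.0.5
"""


class Alert(NamedTuple):
    severity: str   # info | high | critical
    rule: str
    subject: str    # who the alert is about
    detail: str


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each line into a dict; malformed lines are skipped, not trusted."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) < 3:
            continue
        ev = {"ts": parts[0], "terminal": parts[1], "type": parts[2]}
        for kv in parts[3:]:
            if "=" in kv:
                k, v = kv.split("=", 1)
                ev[k] = v
        events.append(ev)
    return events


def detect_return_abuse(events, max_returns: int = 3,
                        max_total: float = 200.0) -> List[Alert]:
    """Flag a supervisor approving their own return, and a supervisor whose
    daily return count or value exceeds a threshold."""
    by_supervisor: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for ev in events:
        if ev["type"] == "RETURN" and "supervisor" in ev:
            by_supervisor[ev["supervisor"]].append(ev)
    alerts: List[Alert] = []
    for sup, evs in by_supervisor.items():
        for ev in evs:
            if ev.get("cashier") == sup:
                alerts.append(Alert("high", "self-authorized-return", sup,
                                    f"{ev['amount']} on {ev['terminal']} at {ev['ts']}"))
        total = round(sum(float(ev.get("amount", 0)) for ev in evs), 2)
        if len(evs) > max_returns or total > max_total:
            alerts.append(Alert("high", "return-volume", sup,
                                f"{len(evs)} returns totalling {total}"))
    return alerts


def detect_login_activity(events, fail_threshold: int = 3) -> List[Alert]:
    """Alert on every login attempt, escalate when failures from one (user,
    source) reach the threshold, and treat a success after such a burst as a
    likely guessed password."""
    alerts: List[Alert] = []
    failures: Counter = Counter()
    for ev in events:
        if ev["type"] != "LOGIN":
            continue
        key = (ev.get("user", "?"), ev.get("src", "?"))
        alerts.append(Alert("info", "login-attempt", key[0],
                            f"{ev.get('result')} from {key[1]} at {ev['ts']}"))
        if ev.get("result") == "OK":
            if failures[key] >= fail_threshold:
                alerts.append(Alert("critical", "login-success-after-failures",
                                    key[0], f"after {failures[key]} failures from {key[1]}"))
            failures[key] = 0
        else:
            failures[key] += 1
            if failures[key] == fail_threshold:
                alerts.append(Alert("high", "login-failure-burst", key[0],
                                    f"{fail_threshold} failures from {key[1]}"))
    return alerts


def run_detections(text: str) -> List[Alert]:
    events = parse_log(text)
    return detect_return_abuse(events) + detect_login_activity(events)


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOG):
        print(f"[{a.severity:8}] {a.rule:28} {a.subject:7} {a.detail}")
```

On the constructed log this produces two alerts about supervisor s07 (one self-approved return and four returns worth 244.49 in a day), an informational alert for each of the five login attempts, a high alert when admin's third failure from 10.0.0.23 lands, and a critical one when the next attempt from that address succeeds. The thresholds are deliberately parameters: the reporting requirement is to see every return and every login, and the escalation rules are what a merchant tunes to its own volumes.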
Buan has found that some merchants, especially small ones, don’t understand the importance of layered security measures.
“Smaller merchants can take more persuading, despite industry statistics telling us that approximately 90% of current breaches are to smaller merchants,” he says. “The common theme we hear is that they just want to focus on running their businesses and don’t want to worry about security.”
Buan sympathizes with the merchants’ position, but emphasizes that transmitting sensitive payment data comes with responsibilities. The Payment Card Industry Data Security Standard calls for layers throughout a merchant’s organization, but Buan notes that merchants don’t always see the value in complying with PCI.
“We often get more traction if we position it as addressing a risk to their business as opposed to just compliance,” he says.
In fact, some businesses fail because of data compromises and the attendant costs: mandated forensic examinations, fines from the payment card brands, reputational damage and civil actions from customers whose data has been compromised, he says.
ISOs can help merchants understand and improve data security, says Conroy.
“As small merchants are starting with this, they really should be leaning on their ISO and their acquirer because we’re never going to turn small merchants into data security experts,” Conroy says.
However, Buan notes that merchants are responsible for complying with PCI.
“Merchants have to do it themselves,” he says, “But we can give them clarifications, we can answer questions and we can even walk them through it -- but we can’t do it for them.”
Offering an analogy, Buan compares data security to airliner safety. The airlines can't force passengers to watch a safety demonstration; the public doesn't want that information until it's too late.
Still, ISOs and their merchants can all benefit from security, says Conroy.
“The ISOs and the acquirers do have a lot of products and tools that can help merchants remove things from PCI scope, that can help merchants protect the data when it is at rest, can help them get the data out of their system altogether,” she says. “That’s a win-win because it not only alleviates the risk but also removes that data from PCI scope, which can make merchants’ PCI process much cheaper.”
An expanded version of this article is scheduled to appear in the March edition of ISO&Agent and on ISOandAgent.com.