How NIST could change the way merchants protect card data
The National Institute of Standards and Technology is telling agencies and companies that collect or store data to change the way they have been protecting their networks — and its guidance is likely to soon spill over to financial services and payments.
NIST, which has spent more than a decade developing a series of cybersecurity tools and guidance for federal agencies and organizations, is preparing a step-by-step security process that emphasizes identifying the most critical systems and applications in a network that must not fail or be compromised.
By following these steps, companies can better determine where to invest in cybersecurity, thus making it a risk-based approach rather than an overall technology project, said Thomas Jones, federal systems engineer for the cybersecurity firm Bay Dynamics.
It is not uncommon, Jones said, to see a company dealing with personal or sensitive data to spend security money to protect software or hardware that is not even connected to the critical parts of a network.
"Private-sector companies have been fighting this battle for a while, and NIST has received information from various infrastructure groups, from nuclear power plants and homeland security to insurance companies, in trying to pinpoint the valuable assets," Jones said.
NIST's risk-based approach would be a significant philosophical change compared to how the PCI Security Standards Council has directed merchants to protect their payment and customer data, said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research.
"It would diverge so significantly from how PCI has managed their best practices and guidances and public-facing perspectives on these things," Pascual said. "Whenever there is a breach, merchants will say they were PCI compliant, but PCI finds a way to say they weren't, after the fact."
Over the years, PCI has essentially looked for hot spots or risk trends to adjust its guidance to account for every area of a network that connects to anything related to card data, Pascual added.
"I don't see how you reconcile the approach they have taken compared with something like NIST in which merchants would define the areas that were high risk, and apply certain rules to those areas," he said. "The merchants would be ecstatic, PCI would not."
NIST will seek more feedback before making its findings a part of what has been the NIST 800 series of cybersecurity standards and guidance.
"This should spill over to banks and payments companies over time, as the NIST 800 series eventually gets picked up by other organizations needing cybersecurity," Jones said. "We may not see the exact same use in the private industry, but we will see things reflected in this strategy."
Data security professionals have studied the advancement in connected devices as a factor that will bring more pressure to fully understand where the riskiest portions of a network exist.
A risk-based approach to securing data "makes all the sense in the world," said Shirley Inscoe, senior analyst with Boston-based Aite Group. This is especially true given all of the data breaches that have unfolded in payments through third parties, Inscoe said.
The Target Corp. breach nearly four years ago kicked off what has seemed like an endless string of data theft in the retail sector. Target's incident stemmed from providing third-party access that exposed a weakness in its network.
"Ensuring that data cannot be accessed even if perimeter protections are breached is one step in the right direction," Inscoe said of the NIST guidance.
The risk-based approach is in line with what large banks in North America are moving toward in authenticating customers, Inscoe added. "Instead of putting all customers through the same processes, they are planning to orchestrate authentication and fit the level required to the risk to a particular act or transaction the customer is originating," she said.
Specifically for payments, NIST guidance would call for a company to establish its mission as a profit-making entity, then break down the importance of the payment process in carrying out that mission, Jones said.
"All of the subcomponents and supporting systems that are tied into payments would be rated as to the overall importance of delivery of this subsystem into the overall payments network," Jones added.
That sequence of events gives an organization "a good, clear view of how important something is in their organization and where those single points of failure are," Jones said.
In many cases, NIST guidance eventually becomes a company rule, but it is mostly presented as a process to use, not a mandate.
"It may be pushed for use in health care, or may be useful in PCI compliance and security standards," Jones said. "So much information is gathered as part of the PCI process, there would be a lot of benefit in using this approach."