Opinion: Take no chances with card security

In the past week, merchants were hit with a double-whammy reminder of the risks of slack credit card transaction security.

From yesterday, Visa required its merchants not to store sensitive credit card data after an authorised transaction expired. Those with more than a million card transactions a year who fail to heed the warning are open to suspension of their card facilities, higher transaction costs, and fines.

And as the case against entrepreneur Nicholas Bolton proved last week, vigilance is eternal. The 27-year-old Generation Y "entrepreneur" and founder of Bottle Domains stands to lose his internet empire after a hacker's attempts to sell thousands of his customers' card details attracted the attention of the Australian domain name authority, auDA. In April, it terminated his registrar's accreditation, a decision upheld last Friday by the Supreme Court.

The challenges to merchants are tied to the teeth given to the Payment Card Industry's Data Security Standard (PCI DSS) and because the risks of storing such information are about to get much bigger.

It gathered speed last year when the Australian Law Reform Commission's recommendation that the reporting of security breaches involving personal data, including credit cards, become mandatory (at least in cases where there is potential for 'serious harm').

Mandatory reporting will mean that your business will have to start taking e-commerce security seriously. You'll have to inform your customers of breaches involving their personal information. And hackers now present a magnified risk to your reputation.

In some cases, mandatory reporting will end businesses.

For instance, Bottle's problem wasn't the security breach; it was that it reneged on its contract with auDA that required it to tell customers of the breach and the potential fraudulent use of their personal details.

What happens next in the case will create case law that affects how businesses deal with security violations.

How to avoid becoming the next Bottle
Firstly, comply with PCI DSS. Created by credit card companies such as Visa, MasterCard and American Express, it aims to ensure that businesses handle card information securely.

It specifies minimum requirements for network, access control and data handling policies and practices. By adhering to PCI DSS, your business is much less likely to be hacked.

But the standard is no guarantee. Just ask Heartland Payment Systems, one of the biggest payment processors in the US, and now an infamous example of a company that was compliant when hackers raided their systems and stole an unknown quantity of credit card numbers.

How did the hackers do it?

They exploited the biggest flaw in the standard: it allows card details to traverse internal systems unencrypted (something that's easily avoided through the use of Hardware Security Modules).

This is a problem with PCI standards: they only go so far. You can comply and still get hacked. As the PCI Security Standards Council's explanation reads, the standards are about "enhancing" data security, not guaranteeing it.

It was created by the industry in part to push the costs of securing their simple, but very popular, payment method on the businesses that use it.

The underlying problem is the card system itself. An easily-replicated, easily-copied string of numbers is simply not cut out for the online world.

Card companies should be re-investigating secure alternatives, such as PC-based chip and PIN terminals, where customers securely authorise transactions using their own computers, similar to the newer EFTPOS terminals. As an immediate enhancement the card companies could establish two-factor authentication schemes as part of their existing Verified by Visa and MasterCard SecureCode programs - perhaps piggy backing on the one-time password authentication systems already used by some Australian banks.

In the meantime, we have to secure what we've got.

PCI DSS is a good start, but to truly protect yourself and your customers, the best option is end-to-end encryption (or simply outsourcing your card processing). Under this system, a customer's details are securely encrypted as soon as they key them into their web browser. And they stay encrypted (and useless to a thief) the entire time they're with your business. They never exist in a readable, clear text format - not even when processing a payment.

Businesses complain that such systems are expensive, but with mandatory reporting on the horizon, the sums are likely to change.

It's not a panacea for e-commerce security. Dedicated hackers will look to exploit other weaknesses. But end-to-end encryption puts an end to the large scale theft of card numbers (and the large scale reputational damage that goes with it).

Unfortunately, PCI DSS encourages organisations to say to themselves, "I've had my audit and have gotten ticks in the right boxes. I'm doing it properly."

It might offer a good information security standard that organisations should adopt, but until it mandates end-to-end encryption it doesn't offer the level of protection that your business and customers need.

If you're handling credit card data or customer data of any type, don't play with fire. Make sure you're secure, not just compliant.

Steven Willoughby is a security specialist and one of Australia's foremost key management experts. He is the technical director of ICT Networks.