Information Security from the ISO/MLS/Merchant perspective

Lessons we can learn from BJ's, Card Systems, and CartManager

Raj Goel, CISSP, CTO Brainlink International, Inc.


Approximately 45 million identities, or 20% of the US adult population, have potentially been compromised in the first half of 2005 alone, and the trend shows no sign of stopping.


Why does this matter to the ISO/MLS? Simple. First, we are all consumers, and some of us may be part of the exposed or compromised population. More importantly, each of these breaches has the potential to affect our revenues and profitability, and threatens the very survival of our businesses.


Wired.com had an excellent summary of 'dataspills' (June XXX, 2005, Wired.com), meaning lost, stolen or compromised identities. We have updated it to reflect the CardSystems breach in June 2005.

Organization              Date       Records Spilled
Ameritrade                04/20/05        200,000
DSW Shoe Warehouse        03/08/05      1,500,000
UC Berkeley               03/11/05         98,000
San Jose Medical Group    03/28/05        185,000
Polo Ralph Lauren         04/14/05        180,000
LexisNexis                03/09/05        310,000
AOL Time Warner           05/02/05        600,000
Bank of America           02/25/05      1,200,000
CardSystems Solutions     06/17/05     40,000,000
Total                                 44,273,000


The CardSystems Solutions breach has already resulted in a class-action lawsuit against CardSystems, Visa, MasterCard and Merrick Bank of Utah. What is interesting about this lawsuit is that the case was filed in California, by a California law firm, representing California plaintiffs, against financial firms in Arizona, California, New York and Utah. In other words, an ISO/MLS anywhere in the country faces the risk of litigation in the event of a security breach, and not only in its home state.

The CardSystems lawsuit presents some interesting arguments, including "charges that MasterCard, Visa and Merrick Bank knew or should have known that CardSystems failed security audits and did not comply with credit card industry security standards." (News.com, July 7, 2005). It is uncertain whether the plaintiffs will prevail; however, this case could establish legal precedent for the PCI standards. In any case, it clearly puts all ISOs, MLSs and merchants on notice that PCI standards should be followed.


A risk that most businesses (ISOs, MLSs, merchants and processors) face is collecting and storing unnecessary data. As reported in a June 20, 2005 New York Times article:

The chief of the credit card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining those records.

The official, John M. Perry, chief executive of CardSystems Solutions, indicated that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard and other card issuers. He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

"We should not have been doing that," Mr. Perry said. "That, however, has been remediated." As for the sensitive data, he added, "We no longer store it on files."

In our experience, most businesses store unnecessary data, or collect far more data than is necessary.
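The CardSystems "research" file is exactly the kind of stored data a retention review should turn up, and the first step is finding out whether such files exist at all. The following Python scanner is an added example, not part of the original article or any tool it mentions: it takes text lines (a log, an export, a spreadsheet dump), picks out digit runs of 13 to 19 digits with optional space or hyphen separators, keeps only those that pass the Luhn checksum every card number satisfies, and reports each hit by line number with the number masked to its first six and last four digits, so the report itself does not become another copy of the data. The sample lines are constructed for this example and use the published Visa and MasterCard test numbers, not real accounts; the function and variable names are our own.

```python
import re
import sys

# Constructed sample of a transaction "research" log: two Luhn-valid
# card numbers (the public test numbers 4111... and 5555...), a 16-digit
# order number that fails Luhn, and a phone number that is too short.
SAMPLE_LINES = [
    "2005-06-01 12:00:01 auth_fail pan=4111111111111111 amount=19.99 reason=declined",
    "2005-06-01 12:00:02 order 1234567890123456 shipped",
    "2005-06-01 12:00:03 auth_fail pan=5555-5555-5555-4444 amount=5.00 reason=timeout",
    "2005-06-01 12:00:04 phone=212-555-0199 customer=42",
]

# 13 to 19 digits, each digit optionally followed by a space or hyphen,
# not preceded or followed by another digit (so we do not start mid-number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit,
    subtract 9 from any result above 9, and require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, which is the most a
    display or report should ever carry; everything else becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_stored_pans(lines):
    """Return [(line_number, masked_pan), ...] for every Luhn-valid
    card-number candidate found in the given lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


def scan_file(path: str):
    """Scan a text file on disk with the same logic as find_stored_pans."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_stored_pans(fh)


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan each file named.
    if len(sys.argv) == 1:
        for lineno, masked in find_stored_pans(SAMPLE_LINES):
            print(f"sample line {lineno}: {masked}")
    else:
        for path in sys.argv[1:]:
            for lineno, masked in scan_file(path):
                print(f"{path}:{lineno}: {masked}")
```

Run against the sample, the scanner reports lines 1 and 3 only: the order number on line 2 is the right length but fails Luhn, and the phone number on line 4 is too short. Luhn is a checksum, not proof of a card number, so some other 13 to 19 digit identifiers will pass it and every hit needs a human look; the point of the check is to surface files nobody knew still held card data, such as the one CardSystems kept for research, so they can be deleted rather than defended.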

The author recognizes that the majority of the audience does not consist of credit card processors. Therefore, we humbly submit the case of BJ's Wholesale Club, a retailer. As reported in the June 17th, 2005 issue of GreenSheets:

The FTC charged that BJ's engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency alleges that BJ's:

After the fraud was discovered, banks cancelled and re-issued thousands of credit and debit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards. Since then, banks and credit unions have filed lawsuits against BJ's and pursued bank procedures seeking the return of millions of dollars in fraudulent purchases and operating expenses. According to BJ's SEC filings, as of May 2005, the amount of outstanding claims was approximately $13 million.

The FTC alleges that BJ's failure to secure customers' sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires BJ's to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires BJ's to obtain an audit from a qualified, independent, third-party professional that its security program meets the standards of the order, and to comply with standard bookkeeping and record keeping provisions.


A final example worth remembering involves Vision I Properties, LLC, doing business as CartManager International, an outsourced provider of ecommerce and shopping cart services, which recently settled with the FTC regarding charges that it "rented" personal information about merchants' customers, in violation of its privacy policies. As an ISO/MLS, are you aware of your merchants' privacy policies? Do they rent outsourced ecommerce solutions? Do their privacy policies (or lack thereof) put your business at risk?


It is important to recognize that merchants do not exist in a vacuum, and credit card acceptance is just one component of a successful business. Depending on the nature of the business, other risks must be managed as well. For example, health care institutions (hospitals, medical clinics, doctors' offices, diagnostic labs, etc.) must adhere to HIPAA privacy and security regulations as well.

Businesses from Real Estate agencies to automobile dealerships to money transfer agencies to certain types of ecommerce applications may face Gramm-Leach-Bliley (GLBA) compliance as well.

Following the PayMaxx, ChoicePoint and LexisNexis breaches, several states have proposed legislation regarding information collection, ID theft and customer privacy issues. As these state (or federal) laws come into effect, it will become even more important that ISOs, MLSs and merchants engage in a comprehensive, organization-wide security auditing and compliance program.


Last Updated ( Thursday, 04 August 2005 )