- Category: Security News

Lawmakers and legal analysts are still struggling to analyze the impact of the June 23 referendum on Britain's membership in the European Union (see Brexit: What's Next for Privacy, Policing, Surveillance?).
In the wake of a majority of U.K. voters opting for Britain to leave the EU, the U.K.'s data protection office says that the country will still need to comply with the EU's data privacy rules, including the General Data Protection Regulation that comes into effect in May 2018 (see Mandatory Breach Notifications: Europe's Countdown Begins). Legal experts say it's likely that the U.K. will remain in the EU for at least two more years, because exit negotiations under Article 50 run for two years from the day the U.K. formally notifies the EU, meaning there would also be a window in which it would be legally required to comply with the GDPR - at least in theory.
The GDPR requires organizations to notify their supervisory authority within 72 hours of becoming aware of a breach of personal data, and to notify the affected individuals as well where the breach is likely to pose a high risk to them. Organizations that fail to comply with the regulation could also face a fine of up to 4 percent of their global annual turnover or 20 million euros, whichever is higher, no matter where they're based in the world.
"Logic would suggest that post #Brexit UK should align itself with #EUdataP & #GDPR but politics may get in the way," London-based attorney Eduardo Ustaran, a partner in the global privacy and cybersecurity practice at law firm Hogan Lovells, says via Twitter.
GDPR Compliance: Business Case
Despite a majority of British voters opting for their country to withdraw from the EU - and, as a result, from EU laws - the U.K. Information Commissioner's Office has already begun campaigning for Britain to comply with the GDPR in full, on business grounds.
"The Data Protection Act remains the law of the land irrespective of the referendum result," the ICO says in a June 24 statement, referring to the U.K. law enacted in 1998 to implement the EU's 1995 Data Protection Directive. "If the U.K. is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the U.K. But if the U.K. wants to trade with the Single Market on equal terms, we would have to prove 'adequacy' - in other words U.K. data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."
Demonstrating compliance with the GDPR would be required for U.K. businesses to thrive in the post-Brexit world, the ICO argues. "With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organizations and to consumers and citizens," it says. "Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the U.K. law remains necessary."
Adequacy? Prove It
Demonstrating "adequacy," however, won't necessarily be an easy undertaking. For starters, many elected EU officials continue to criticize the U.K.'s mass surveillance apparatus and have questioned whether it provides sufficient human rights safeguards for EU citizens (see Europe Seeks More Mass Surveillance). Parliament has also continued to debate a revised Investigatory Powers Bill to govern the country's surveillance practices. But the overhaul has long been derided by critics as a "Snooper's Charter," and many legal experts say the draft legislation lacks the protections that the EU's high court has previously signaled it wants to see (see UK Debates Rebooted 'Snooper's Charter').
The UK ICO sees 'adequacy' granted by @EU_Commission as way forward post #Brexit. Agreed but a mammoth task. https://t.co/Y6inBxMIzc
"Ultimately the main question is whether the U.K. will still be considered a 'safe third country' by the EU Commission," attorney Linda Hynes, a senior associate at Dublin-based Leman Solicitors who specializes in data protection law, says in a blog post.
"In reality, the [ICO] in the U.K. is one of the most active and strong data protection commissioners in Europe in terms of fines, so if ICO commits to continuing this good work, then it is likely [the U.K.] will be deemed a safe third country," she says. "If this does not happen, then ... the issue of consent and justification for [data transfers] could become a big issue, which would be extremely complicated for multijurisdictional businesses that have headquarters in the EU and subsidiaries in the UK."
Will ICO Still Exist?
Meanwhile, the ICO is an office that was created to comply with the data privacy rules laid down by the EU for European member states. As Britain moves to exit the EU - and its 28 member states become instead 27 - and potentially rewrites the 1998 Data Protection Act, will the ICO itself continue to exist?
As with all things Brexit, the only sure answer to these and many other questions is: Stay tuned.
- Category: Security News
Achieving international acceptance of the PCI Data Security Standard is an ongoing challenge, says Jeremy King, international director of the PCI Security Standards Council, who's working to educate merchants about baseline security that goes far beyond cardholder data protection as the council prepares to mark its 10th anniversary.
"When ... you look back at the history of how [merchants have] been attacked, in the early days, the biggest problem was that organizations stored massive amounts of data," King says in an interview with Information Security Media Group. But as merchants have stored less data, attackers have become more effective at stealing data in transit. So the PCI-DSS and other PCI security standards have evolved to reflect evolving threats, he adds (see How Will PCI-DSS Evolve in Next 10 Years?).
The PCI Council's standard for point-to-point encryption, for example, has gained more international acceptance in the wake of such high-profile breaches as Target and Home Depot, King says.
"We have to improve how people undertake their network security, and we are constantly trying to get people to improve their password security - that still is a problem, 10 years down the line," King says. "It's really about being aware of how the criminals are attacking."
While companies and organizations have become more effective at securing cardholder data, they've not been paying the same attention to their general customer data, King contends. "And what we've seen, certainly over here in Europe, in some of the recent breaches is that the criminals can gain so much personal information about the customer that they can ring them up, pretend to be the merchant and gain access to their bank details. So while people understand the need for protecting cardholder data, they also have to understand that we have new technology coming along and we have criminals who are better organized."
During this interview, King also discusses why:
- Increasing fraud in the e-commerce, card-not-present space is still a growing worry;
- Tokenization will continually improve security, in spite of the implementation hurdles some merchants still must overcome; and
- Stronger data breach reporting regulations in Europe are helping push wider global acceptance of the need for PCI compliance.

King leads the PCI Council's efforts to increase global adoption and awareness of PCI security standards. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI-managed standards in European markets and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the payment system integrity group at MasterCard Worldwide.
- Category: Security News
Compliance , Fraud , Payments Fraud
PCI Compliance: Not a Priority in Australia? Some Companies Choose to Risk Fines Rather Than Comply
It's easy to buy stolen credit card numbers in underground forums. The market for stolen credit card data has thrived, fueled by cybercriminals who exploit security weaknesses in the ways merchants process payment card data.
Payment card security is a growing concern, and it's affecting companies throughout the world, not just in the U.S.
We've all heard about the massive payments breaches that have adversely affected U.S. big box retailers, including Target and Home Depot. But how are companies outside the U.S., where EMV is more widely deployed and breaches aren't as widely publicized, addressing payment card risks?
As the PCI Security Standards Council celebrates its 10th anniversary this year, our editorial team throughout the world is taking a look at PCI compliance, addressing the question: How widely adopted and effective is the PCI Data Security Standard, and will it still be a viable standard 10 years from now? (See PCI Turns 10: Will It Last Another 10 Years?.)
My colleague Tracy Kitten, executive editor at BankInfoSecurity, recently interviewed Troy Leach, chief technology officer for the PCI Security Standards Council, about the PCI-DSS's efficacy in the U.S. Here, I offer some perspective from the other side of the world, focusing on PCI compliance in Australia.
Lack of Buy-In
Despite the card brands' 12-year efforts in Australia to push businesses to adopt and maintain compliance with PCI-DSS, some large Australian companies still aren't buying in.
In Australia, experts say PCI-DSS has been largely embraced by merchants processing more than 1 million transactions a year. But some of those large merchants have opted not to go through what they perceive as the headache and high cost of PCI-DSS compliance, instead taking the risk of paying the steep fines that card brands can impose in the wake of a breach.
"A lot of organizations look at [PCI-DSS] and say, 'The benefits don't outweigh the risks,'" says Nick Morgan, managing director of Triskele Labs, a cybersecurity consultancy in Melbourne. "It's good in that it entices companies to implement information security and cybersecurity practices. But it's so prescriptive around what it says and what you need to do."
The PCI-DSS requirements are a complicated regime. Version 3.2 of the standard, released in May, runs 139 pages.
PCI-DSS compliance isn't cheap, either. Ajay Unni, CEO of Stickman, a cybersecurity consultancy based in Sydney that assesses companies for PCI compliance worldwide, says his company has worked on compliance projects that range from AU$50,000 (U.S. $37,350) to AU$10 million (U.S. $7.4 million).
"There's a huge industry out there where clients don't want to spend the money and continue to carry the risk," he says. In some cases, the cost of becoming compliant is more expensive than paying a fine, he contends. Although PCI-DSS has raised awareness about the importance of cybersecurity, companies that have embraced it still have security problems, he adds.
Evolving Security Culture
The PCI Council recognizes the complexity of maintaining compliance, and, as a result, emphasizes that card processors and merchants must be vigilant in testing systems and databases after updates or changes.
"The day you get compliant could be the same day you could go out of compliance," Unni says. "We've seen both sides, where clients struggle to get compliant, or they get compliant and they struggle to maintain compliance."
Steve Wilson, a vice president and principal analyst with Constellation Research in Sydney, says the difficulty in maintaining compliance highlights how the card payment network is fundamentally insecure.
PCI-DSS is "a very elaborate and expensive audit regime built around the fact that payment card numbers are replayable by crooks," he says. A mom-and-pop business "would rightfully expect that passing an audit really does predict that the company would be reasonably secure in between audits."
One way to solve the problem of card details being stolen and used again would be to introduce digital signing. Wilson says online payments should require that cardholder data be signed by the microchip embedded in EMV cards, so that each transaction is bound to a secret only the chip holds rather than to knowledge of the card number, and a captured transaction cannot simply be replayed. Doing so would get around the need for PCI compliance, he contends.
"We should be making systems more robust," Wilson says. "If security breaches are inevitable, as many advisers say, then let's do something to inoculate stolen data against abuse. ... We can never know if PCI-DSS has made merchants more secure. But I am sure if we had directed the effort and resources into making systems immune against stolen credit card data, we would be better off."
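Wilson's argument above, that a transaction signed by the card's chip is useless to replay while a bare card number is not, as an added example written for this page rather than code from Wilson, Constellation Research or the PCI Council. It assumes the symmetric-key model EMV actually uses (the chip and the issuer share a card-unique key, and the chip produces a cryptogram, EMV's ARQC, over the transaction details and a transaction counter), uses HMAC-SHA256 as a stand-in for the EMV cryptogram algorithm, and uses a constructed test card number. The ChipCard, IssuerHost and LegacyIssuerHost classes are hypothetical illustrations, not any issuer's real interface.

```python
"""Why a chip-signed transaction is 'inoculated' against replay while a bare PAN is not."""
import hashlib
import hmac
import secrets

# Constructed sample card number (a standard test PAN), not real cardholder data.
PAN = "4111111111111111"


def _cryptogram(key: bytes, pan: str, amount: int, merchant: str, counter: int) -> bytes:
    """MAC over the transaction details plus a per-card counter.

    Stand-in for the chip-generated cryptogram (EMV's ARQC), keyed with a
    card-unique secret that only the chip and the issuer hold; the merchant
    merely forwards it and never sees the key.
    """
    data = f"{pan}|{amount}|{merchant}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()


class ChipCard:
    """Card side: holds its secret key and a monotonically increasing counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.counter = 0  # plays the role of EMV's Application Transaction Counter

    def sign_transaction(self, amount: int, merchant: str) -> dict:
        self.counter += 1
        return {
            "pan": self.pan,
            "amount": amount,
            "merchant": merchant,
            "counter": self.counter,
            "cryptogram": _cryptogram(self._key, self.pan, amount, merchant, self.counter),
        }


class IssuerHost:
    """Issuer side: verifies the cryptogram and rejects reused counters."""

    def __init__(self):
        self.card_keys = {}     # pan -> per-card secret key
        self.last_counter = {}  # pan -> highest counter accepted so far

    def issue_card(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self.card_keys[pan] = key
        self.last_counter[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, msg: dict) -> bool:
        key = self.card_keys.get(msg["pan"])
        if key is None:
            return False
        expected = _cryptogram(key, msg["pan"], msg["amount"], msg["merchant"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # wrong key, or amount/merchant/counter altered after signing
        if msg["counter"] <= self.last_counter[msg["pan"]]:
            return False  # verbatim replay of an already-authorized message
        self.last_counter[msg["pan"]] = msg["counter"]
        return True


class LegacyIssuerHost:
    """Today's card-not-present model: knowing the PAN is enough to pay."""

    def __init__(self):
        self.valid_pans = set()

    def issue_card(self, pan: str) -> str:
        self.valid_pans.add(pan)
        return pan

    def authorize(self, msg: dict) -> bool:
        return msg["pan"] in self.valid_pans


def demo() -> dict:
    """Runs the attacker's moves against both models; returns what each accepted."""
    results = {}

    legacy = LegacyIssuerHost()
    legacy.issue_card(PAN)
    # A PAN lifted from a breached merchant database is reusable anywhere.
    results["legacy_stolen_pan_accepted"] = legacy.authorize(
        {"pan": PAN, "amount": 500, "merchant": "fraud-shop"})

    issuer = IssuerHost()
    card = issuer.issue_card(PAN)
    genuine = card.sign_transaction(4999, "legit-shop")
    results["chip_genuine_accepted"] = issuer.authorize(genuine)
    # Replaying the captured message verbatim: that counter has already been used.
    results["chip_replay_rejected"] = not issuer.authorize(genuine)
    # Reusing the captured cryptogram with new amount/merchant/counter: MAC no longer matches.
    tampered = dict(genuine, amount=500, merchant="fraud-shop", counter=genuine["counter"] + 1)
    results["chip_tampered_rejected"] = not issuer.authorize(tampered)
    # Knowing the PAN alone: without the key, no valid cryptogram can be minted.
    forged = {"pan": PAN, "amount": 500, "merchant": "fraud-shop",
              "counter": 99, "cryptogram": secrets.token_bytes(32)}
    results["chip_forged_rejected"] = not issuer.authorize(forged)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the contrast is what a breach of the merchant's database yields the attacker: in the legacy model the stored PAN is the credential, so PCI-DSS has to wrap controls around every system that touches it; in the chip model the merchant stores only a one-time cryptogram that the issuer will never accept again, so the same data leaking is not an event that needs an audit regime to prevent.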
- Category: Security News

Comodo made no new friends last week when it claimed that a nonprofit project, Let's Encrypt, stole its business model. Now, the digital certificate giant says it will not pursue applications it filed last year aimed at securing trademarks using the phrase "Let's Encrypt" (see Let's Encrypt Clashes with Comodo Over Trademark).
The Let's Encrypt project gives away domain-validated SSL/TLS certificates. The project, which is supported by the Electronic Frontier Foundation and funded by donations from many vendors, is aimed at increasing the use of encryption by website administrators to improve security and privacy.
Josh Aas, executive director of the Internet Security Research Group, which oversees the Let's Encrypt project, went public last week with the news that Comodo had filed three trademark applications in October 2015 with the U.S. Patent and Trademark Office. Comodo sought trademarks for "Let's Encrypt," "Let's Encrypt with Comodo" and "Comodo Let's Encrypt."
Aas said Let's Encrypt had been trying since March to get Comodo to cancel its applications, but had gotten no response.
Comodo officials have not responded to queries from ISMG. But Aas says the company has now submitted "requests for express abandonment" to the USPTO to cancel the three applications.
In a posting on Comodo's forum, Robin Alden, the company's CTO, wrote: "Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us, and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution."
Collaboration?
Collaboration might not exactly be the right word. Alden's spin on the conflict doesn't address the outpouring of animosity toward Comodo after Let's Encrypt took its case public.
Comodo was on the receiving end of scathing comments on Twitter. The company is one of the largest vendors of SSL certificates, and commentators tagged the company as a bully.
Part of the outrage was directed at Comodo CEO Melih Abdulhayoglu, who claimed that Let's Encrypt had copied its business model. Comodo gives away 90-day digital certificates that are valid for one domain for free. The offering is a teaser to get organizations to eventually purchase digital certificates.
The certificates distributed by Let's Encrypt are valid for 90 days, but for a security reason: a short lifetime limits the damage window from a compromised key or a mis-issued certificate and forces operators to automate renewal. Aas maintained Abdulhayoglu was conflating two completely different offerings as being similar. Let's Encrypt and Comodo are in no way competitors, he contended.
Trademark Applications to Lapse
In another post on Comodo's forums, Alden says that his company never intended to take the trademark applications further since Let's Encrypt became operational. That's a dubious explanation, as Let's Encrypt began issuing certificates as part of a beta program in September 2015, about a month before Comodo filed its trademark applications. The project launched near the end of 2014.
Alden went on to write that the applications were already in a state where they would "lapse."
The USPTO's website shows all three applications were last acted on by the agency on Feb. 8, when Comodo was sent a "non-final office action," the term the agency uses for raising a question or issue with a party's application. According to USPTO rules, Comodo has six months to respond before the applications are abandoned.
So while it's true the applications would have eventually fallen by the wayside, the Let's Encrypt project would not have known about plans to let them lapse without word from Comodo.
Let's Encrypt maintained it had asked Comodo several times since March directly and through its attorneys to abandon the applications, but the company refused. Alden contested that characterization, writing "we just hadn't told [Let's Encrypt] we would leave them to lapse."
So from Comodo's view, all of it was just a miscommunication. Aas wrote in an update on June 24: "We're happy to see this positive step toward resolution and will continue to monitor [Comodo's] requests as they make their way through the system."
Hopefully Comodo will learn an important lesson from this experience: You can beat up your commercial competitors, but if you beat up on nonprofits, be prepared for a major backlash.
- Category: Security News
Cybersecurity , Legislation , Privacy
Police After Brexit: Keep Calm and Carry On But UK Law Enforcement Agencies Face Intelligence Disruptions
Britain's exit from the EU - "Brexit" - means that U.K. law enforcement agencies, at least in the short term, will likely have a harder time taking a bite out of cybercrime as well-regarded intelligence-sharing relationships get severed and must be renegotiated (see Brexit: What's Next for Privacy, Policing, Surveillance?).
Britain currently works closely with the other 27 EU member states via the EU's law enforcement intelligence agency, Europol, as well as its European Cybercrime Center, or EC3. Europol has coordinated a number of operations, including operations against cybercrime gangs and disruptions of their infrastructure, and has notched up some impressive arrests in its relatively short existence.
But it's unclear how closely Britain will be able to work with Europol or EC3 (see Brexit Referendum: 5 Cybersecurity Implications ). Ironically, both Europol and EC3 are currently led by British citizens, and it's questionable if they'd be allowed to continue in those roles once Britain exits the EU or officially signals its intention to do so.
A Europol spokesman didn't immediately respond to a request for comment.
Brian Honan, a cybersecurity adviser to Europol, as well as head of Dublin-based BH Consulting, says the degree to which U.K. law enforcement and police agencies can continue to work with Europol depends on the new treaties negotiated by Britain and the extent to which the U.K. aligns its post-EU laws with the EU General Data Protection Regulation and the EU Network and Information Security (NIS) Directive.
The U.K. Information Commissioner's Office, which enforces the country's data privacy and protection laws, has already called on Parliament to fully comply with the GDPR if it hopes to do business with the EU going forward.
But new treaties take time to hammer out and are subject to unexpected political turns, and in the short term, Lynne Owens, director general of the National Crime Agency - Britain's national law enforcement and police agency - has said there may be related disruptions.
"The NCA works with partners in over 150 countries because organized crime is not constrained by geographical or jurisdictional boundaries," she says in a statement. "To tackle it effectively we must be able to cooperate closely and share intelligence in an agile way. If it cannot be met through EU mechanisms we will find others."
What's unclear is if organizations such as NCA will find themselves suddenly scrambling as previous EU institutions and information flows potentially get suspended until the U.K. gets new treaties in place. "For now, ongoing operations against international crime threats continue as before," Owens says. "We will be working closely with government to understand what the implications of exit will be for us and to plan the steps we need to take with our law enforcement partners to keep people in the U.K. safe."
Britain Must Comply With Certain EU Laws
Of course, Britain should be able to negotiate new intelligence-sharing arrangements with the EU. "With relation to international cooperation against cybercrime, the close working relationships between law enforcement within the U.K. and the EU should continue to work. However, there may be implications under the EU data protection regime with regards to the sharing of certain intelligence between both parties," says Honan, who also leads Ireland's computer emergency response team.
Notably, the GDPR prohibits personal data from being transferred to a country outside the EU that lacks an adequacy decision unless appropriate safeguards are in place (see 'Privacy Shield' to Replace Safe Harbor).
"It is too early to determine what the impact of the Brexit will be, but hopefully, cybersecurity and data protection are topics that will be dealt with by both sides with the importance and gravity they deserve," Honan tells me.
Next Move, Britain?
Of course, that's just a microcosm of the bigger political picture. In the wake of a majority of the U.K. population voting with the "Leave" camp rather than the "Remain" one, no one seems clear about exactly what will happen next, or when. One principal Leave architect, ex-London mayor Boris Johnson - currently seen as the frontrunner for Conservative Party leadership and thus potentially the country's new prime minister later this year - says in a column in today's Telegraph newspaper there's not "any great rush" for Britain to leave, and that "there will continue to be free trade, and access to the [EU's] single market." In particular, he says the U.K. doesn't yet plan to invoke "Article 50" of the Treaty on European Union, the notification that starts a two-year window for negotiating Britain's exit. Some other pro-Leave officials have also reversed earlier claims that a vote to leave was a vote to depart the single market.
But officials at EU headquarters in Brussels have said they want Article 50 invoked as early as June 28 - only the departing state itself can trigger it - thus putting more pressure on the U.K. to immediately begin related negotiations.
Once Article 50 gets invoked, "negotiations will have to take place as to how the U.K. will interact with the EU, not just on economic matters but also in areas such as cybersecurity, data protection, financial regulations, other regulatory regimes and national security," Honan says.