Is Your Organization Merely PCI-Compliant or Is It Actually Secure?
The Host Identity Protocol might be the answer to inadequate check-the-box security standards.
Can you hear the clock ticking? It's the countdown to June 30, 2018, the date by which the Payment Card Industry Data Security Standard, version 3.2 (PCI DSS v3.2), requires merchants and service providers to have migrated their payment card operations off SSL and early TLS. But what does meeting that deadline really mean?
Does it mean consumers will be able to hand out their credit cards to every food truck, t-shirt vendor, and street musician across the world and expect complete security?
Does it mean that hackers, bad actors, and all other cybercriminals will be rendered useless and forced to change from a life of cybercrime into a new life of altruistic intent?
Does it mean that the news broadcasts won't be inundated with stories of massive data breaches from retailers and government organizations?
The answer to all those questions is no, not really … actually, not at all. The most recent data security standard for credit card payment systems ensures compliance, not necessarily security. Industry compliance and actual security are very different things. That isn't acceptable: organizations must pursue both compliance and security.
Compliant but Still Vulnerable
Although ensuring that all payment card systems are up to standard is a step in the right direction, it's not foolproof. Consider these recent incidents of PCI-compliant entities that were still breached:
| Entity | Year of Attack | Method of Attack |
|---|---|---|
| Verifone | 2017 | Malware |
| AT&T | 2017 | Phishing |
| | 2016 | Phishing |
| Yahoo | 2016 | XSS cookie stealing and hijacking |
| Oracle | 2016 | Malware |
| Experian | 2015 | Broken encryption |
As you can see, attacks still succeed against PCI-compliant entities. Better security is needed to keep intruders away from your organization's cardholder data. In practice, compliance often means checking the right boxes on a self-assessment questionnaire and periodically sending in screenshots of selected encrypted values to "validate" those answers.
If only security were that easy. Attackers look for any loophole in your system, regardless of PCI compliance. Realistically, compliance means only that your systems meet the baseline the standard deems acceptable, and attackers operate well past that baseline. They need to find only one weak link in a chain of otherwise acceptable practices. Your payment card systems may look good to the "standard" observer, while a skilled attacker sees numerous opportunities for access, and it takes only one.
The Problem with Address-Defined Networking
The problem stems from the way we've been networking devices since the 1970s. Traditional, address-defined networking can achieve total compliance while remaining susceptible to many critical security issues. The weak link lies in its architecture: an IP address serves as both a machine's location on the network and its identity, so every control keyed on an address (firewall rules, ACLs, allow-lists) trusts whoever can present that address.
IP addresses are vulnerable to attack because they are "spoofable": an address is a field in a packet header, not proof of who sent it. An attacker can reach your PCI systems by claiming a valid source address, by poisoning the local network so traffic for that address comes to them, or simply by compromising any host that already sits in an allowed range. It's the network equivalent of identity theft. Once inside, they can move laterally through the networked environment and harvest your customers' cardholder data. IT security stakeholders must think about how to replace the IP address, as the basis of trust, with something "unspoofable." It's also no secret that IP change management is an ongoing headache and prone to error.
HIP Technology Offers Compliance and Security
So, how do you increase your network's security to truly safeguard cardholder data, personally identifiable information, and other critical data? This is where the Host Identity Protocol (HIP), standardized by the IETF (HIP version 2 is RFC 7401), comes into play. In HIP, a host's identity is a public/private key pair, and the Host Identity Tag (HIT) is a 128-bit hash of the public key that applications use in place of an IPv6 address. That trusted cryptographic identity (CryptoID) can be supplied to every endpoint, and it provides capabilities address-defined networking cannot: a peer that cannot complete the authenticated HIP handshake never gets a response, so trusted endpoints become invisible to scanners and to the plethora of people with bad intentions, and an individual device can easily be segmented into a perimeter of one. Centralized orchestration of CryptoIDs is what makes it all possible and simple.
Address-defined networking has been the foundation of communication for decades, and lasting that long while remaining effective is a real achievement. But the time has come for HIP-based communications to provide a more secure and compliant solution as we move to a world where connectivity and online commerce have no boundaries.
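The two paragraphs above contrast an access decision keyed on a source address with one keyed on a cryptographic identity. The following Go program is an added example, not code from the original article or from any HIP implementation: it builds a constructed packet from a trusted point-of-sale host, a forged packet from an attacker claiming the same address, and runs both through an address-based allow-list and an identity-based one. The `hostIdentityTag` helper only sketches the shape of a HIT (an IPv6-sized value with the ORCHID prefix, an algorithm nibble and 96 hash bits); it omits the context identifier and exact host-identity encoding the RFCs specify, and the algorithm nibble value is an assumption. The nonce-in-signature step is the author's own replay guard, not part of HIP's base exchange as written.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net"
)

// HIT is a 128-bit host identity tag: an IPv6-sized handle for a public key.
type HIT [16]byte

// Packet is a constructed stand-in for one datagram arriving at a PCI-zone host.
type Packet struct {
	SrcIP   string            // claimed source address (trivially forgeable)
	Nonce   []byte            // receiver's challenge, bound into the signature
	Payload []byte            // application data
	PubKey  ed25519.PublicKey // sender's Host Identity
	Sig     []byte            // signature over nonce || payload
}

// allowByAddress is address-defined access control: identity == location.
func allowByAddress(allowed map[string]bool, p Packet) bool {
	return allowed[p.SrcIP]
}

// hostIdentityTag derives a HIT-shaped value from a public key. Simplified
// sketch (assumed layout): 2001:20::/28 prefix, algorithm nibble 1, 96 bits of SHA-256.
func hostIdentityTag(pub ed25519.PublicKey) HIT {
	sum := sha256.Sum256(pub)
	var h HIT
	h[0], h[1], h[2] = 0x20, 0x01, 0x20 // ORCHID prefix bits
	h[3] = 0x01                         // low nibble: hash algorithm id (assumption)
	copy(h[4:], sum[:12])               // leftmost 96 bits of SHA-256(public key)
	return h
}

// hitString renders the tag the way an application would see it: as an IPv6 address.
func hitString(h HIT) string { return net.IP(h[:]).String() }

// signedBytes is what the sender signs; the receiver's fresh nonce prevents replay.
func signedBytes(nonce, payload []byte) []byte {
	return append(append([]byte{}, nonce...), payload...)
}

// newHost generates a Host Identity (key pair) for a simulated endpoint.
func newHost() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// makePacket builds a packet from a sender that holds the private key.
func makePacket(src string, nonce, payload []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) Packet {
	return Packet{SrcIP: src, Nonce: nonce, Payload: payload, PubKey: pub,
		Sig: ed25519.Sign(priv, signedBytes(nonce, payload))}
}

// allowByIdentity ignores the source address entirely: the sender must present an
// allow-listed HIT and prove possession of the matching private key over a fresh nonce.
func allowByIdentity(allowed map[HIT]bool, expectedNonce []byte, p Packet) bool {
	if len(p.PubKey) != ed25519.PublicKeySize || !allowed[hostIdentityTag(p.PubKey)] {
		return false
	}
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return false // stale or attacker-chosen nonce: treat as replay
	}
	return ed25519.Verify(p.PubKey, signedBytes(p.Nonce, p.Payload), p.Sig)
}

// Outcome records how each check judged the constructed traffic.
type Outcome struct {
	AddrAcceptsLegit, AddrAcceptsSpoof              bool
	IDAcceptsLegit, IDAcceptsSpoof, IDAcceptsReplay bool
}

func newNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// runScenario: a trusted POS host at 10.0.1.10 and an attacker who forges that
// address and even presents the POS public key, but cannot sign with its private key.
func runScenario() Outcome {
	posPub, posPriv := newHost()
	atkPub, atkPriv := newHost()
	byAddr := map[string]bool{"10.0.1.10": true}
	byID := map[HIT]bool{hostIdentityTag(posPub): true}

	n1 := newNonce()
	legit := makePacket("10.0.1.10", n1, []byte("AUTH 4111..."), posPub, posPriv)
	n2 := newNonce()
	spoof := makePacket("10.0.1.10", n2, []byte("DUMP PAN"), atkPub, atkPriv)
	spoof.PubKey = posPub // claim the trusted identity along with the address

	return Outcome{
		AddrAcceptsLegit: allowByAddress(byAddr, legit),
		AddrAcceptsSpoof: allowByAddress(byAddr, spoof),
		IDAcceptsLegit:   allowByIdentity(byID, n1, legit),
		IDAcceptsSpoof:   allowByIdentity(byID, n2, spoof),
		IDAcceptsReplay:  allowByIdentity(byID, n2, legit), // captured packet resent later
	}
}

func main() {
	o := runScenario()
	pub, _ := newHost()
	fmt.Printf("address ACL:  legit=%v spoof=%v\n", o.AddrAcceptsLegit, o.AddrAcceptsSpoof)
	fmt.Printf("identity ACL: legit=%v spoof=%v replay=%v\n", o.IDAcceptsLegit, o.IDAcceptsSpoof, o.IDAcceptsReplay)
	fmt.Println("example HIT:", hitString(hostIdentityTag(pub)))
}
```

The address-based check accepts the forged packet because the address is all it has; the identity-based check rejects it because the attacker cannot produce a signature that verifies under the allow-listed key, and it rejects the replayed legitimate packet because the nonce has moved on. That is the practical content of "unspoofable": the identity is bound to a secret the attacker does not hold, not to a header field anyone can write.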
E-commerce lets us conduct credit card transactions from New Zealand to New England, but freely floating those transactions into cyberspace with recognition of mere compliance — not actual security — is like sending hard cash as a Christmas gift via snail mail. Is it within the compliant boundaries of federal law? Yes. Is it wise or secure to do so? Absolutely not.
HIP-based technology can be implemented across any network, legacy or state-of-the-art, as part of an identity-based solution to provide instant cloaking, local and wide area micro-segmentation, machine authentication and authorization, and end-to-end encryption (HIP's data plane carries traffic in IPsec ESP, as specified in RFC 7402).
A Cost Comparison
One of the biggest headaches we face regarding PCI compliance is the cost involved. Internal personnel usually need to be dedicated for three to four months to address the requirements. Outside consultants also need to be hired for that timeframe, adding significant cost. Lastly, penetration testing must be performed to ensure total compliance. The cost of such an effort for a typical medium-sized company averages around $441,000, according to Marcum LLP, an independent public accounting and advisory services firm. By switching to an identity-based solution built on HIP-based technology, the average cost of PCI compliance for a medium-sized company is reduced to $337,500, a conservative estimate that still translates into significant savings.
Three Reasons to Adopt HIP-based Technology
Compliance, security, and cost-effectiveness are all valid reasons to adopt HIP-based technology going forward as a way to achieve both PCI compliance and security. Consider the following three advantages:
Easy compliance by the PCI DSS v 3.2 deadline
State-of-the-art security and control across all endpoints of your network
Cost-effectiveness will be achieved in a number of ways:
Costly, brand-tarnishing data breaches and successful attacks on your payment card systems become far less likely, because cloaked endpoints cannot be reached by unauthenticated hosts.
Significant reduction in the skilled IT staff required to achieve and maintain PCI compliance
Yes, you can do something about the bad actors in cyberspace. Compliance and security don't need to be separated. Security-conscious organizations should and can have both.