Having spent some years in the computer forensics industry, I can tell you that criminals today are very smart. They look for the path of least resistance, they are very determined to find the data they want, and they have the tools to accomplish the task. In recent years the credit card industry has congealed around a set of standards for credit card security, called the PCI standard (i.e., Payment Card Industry). Prior to that, each credit card company maintained their own set of standards…making it very difficult for merchants to keep up. This new standard is still evolving, yet many of the merchants are still trying to meet the bare minimum. This is a tough problem, as we have a real war going on – the criminals getting smarter about how they steal data, and the industry trying desperately to put in place standards to stop them.
The reality is that we will never be able to stop these criminals. We can slow them down, and make them work much harder to find what they are looking for, but we will not be able to stop them completely. Even now, as merchants are becoming compliant with PCI standards, they are still suffering from data breaches. Take the story of Delhaize Group, who on the same day that they received notification of compliance with PCI also received notice that 4.2 million credit cards may have been stolen (as reported in todays Wall Street Journal). This breach was not a result of poor implementation of PCI standards, but rather was a result of the criminals understanding PCI as well as anyone in the industry, and finding a new access point for the data they wanted. Rather than attacking the data in-transit, or at the point-of-sale, they actually attacked the internal network of this company, where PCI has no rules regarding the safety of the data. Once the data is within the companies network, it was assumed that the data would be safe.
Criminals are very smart, and since security standards are open, they can keep up with them just like the rest of the industry can. PCI is not the silver-bullet to protecting our data: the real answer is that those who have our data need to start treating it as a precious commodity, and understand its real value. Security is not cheap – encryption slows down access to data, and key management is always problematic. Putting in place rules and regulations regarding who can access the data is a pain, and keeping anti-virus and anti-spyware applications updated and functioning on a network are difficult tasks – but these are all steps that must be taken to make it more difficult for criminals to find our data. Until companies view PCI as the minimum bar, and take steps to really protect our data from end-to-end, and view themselves as stewards of important data, the criminals will find the paths of least resistance around the security measures.
Securing our data is less about adhering to standards, and more about shifting the mind-set of corporations. Until that happens, our data will be vulnerable.