The Fallacy of Security vs. Education
February 26th, 2008 by admin Posted in Compliance
I have worked in the Payments Industry for a long time and in information security long before that. I have learned something from all my work protecting systems, simulating attacks, and investigating data compromises. I’ve learned that compromises rarely result from a failing of technology but from the lack of proper education.
There are numerous merchants who are compromised and shocked to learn that they even store cardholder data. This is systemic in the small (Level 4) merchant community, who either do not know about the risks associated with cardholder data retention or have been promised by their POS vendor that the system does not store any such data. Later, when they are compromised, they all say the same thing: “I would have done something had I only known.”
Another example is when merchants feel that one component alone will secure them. Many smaller merchants feel that having a vulnerability scan will make them compliant and thus secure. Without proper education they end up paying hundreds of dollars a year for someone to scan their static website. What has the world come to? Are we so willing to sell security that we ignore the care involved in properly educating someone how to use it?
There are a number of programs available to educate and drive compliance in the large merchant community (e.g. the Visa CAP program and acquirer-specific programs). These large merchants have the time and resources to educate themselves. But what about the smaller merchants? Some could say they have the PABP Implementation Documentation, but that educates them about the technology, not the data.
What we need is a focus on educating Level 4 / small merchants on the basics of cardholder data, compliance, and validation. We need to refocus our efforts, not on the technology, but on the transference of knowledge to these merchants so they can protect the data.
Achieving high compliance numbers for small merchants would be great, but actively reducing their risk would be even better. To achieve this we need a grass-roots effort on behalf of the small merchant community driven by top-down guided education.
Update: The comments people have posted are great. I just want to add that the Visa CAP and PABP programs have been a great success in driving merchant compliance. The PABP program offers secure tools for protecting cardholder data. I argue that merchants need to be educated about these programs and how to implement the systems properly. They need to know what cardholder data is and how to make risk-based decisions from that information.
7 Responses to “The Fallacy of Security vs. Education”
By Preston on Feb 27, 2008
Mike, I certainly don’t disagree. However, using your own example of a POS vendor promising a merchant that their equipment does not store data when it in fact does, it seems to me that education will only get you so far. A mom-and-pop merchant can be taught to look for full CC numbers on batch reports or customer receipts, but at some point they’re going to have to take someone else’s word on whether their equipment is properly configured.
By E.K. on Feb 27, 2008
Michael, my experience is very similar to yours as it relates to most small merchants. Most are willing to put in the effort to deal with data retention if they know about it.
The problem of education, as I see it, comes from the product vendors (not necessarily us). There are enough vendors of “technical security solutions” who seem to be interested in selling their product and don’t really care if it helps the merchant or not. Almost every “security appliance” I see advertises PCI DSS security, but when you look at them, the products often only help with one aspect of the DSS and don’t make the merchant compliant, but the sales side doesn’t make that very clear (in my experience).
The education is left up to us (the information security consultants) who often don’t get called in until after something bad happens.
I agree education is needed but I think it needs to start from the acquirers or we (the QSAs) need to get involved with the merchants earlier in their process.
By Michael Dahn on Feb 27, 2008
Preston, I’m glad that you brought up that point (and accepted my Facebook invite).
What we need to do is educate them to:
1) Understand the risks of cardholder data and sensitive authentication data
2) Teach them how to tell if their POS has undergone the PABP validation
3) Teach them to request the Implementation Documentation/Guide
4) Educate them about the top risks to cardholder data as it pertains to Level 4 / small merchants.
In the end, they are the ones who decide if they are going to protect cardholder data or not. What we need to do is provide them the tools they need.
By Steve Sommers on Feb 28, 2008
RE: There are numerous merchants who are compromised and shocked that they even store cardholder data.
This is a very good point and IMHO cannot be emphasized enough. A contributing problem here is that the PABP stamp of approval does not guarantee compliance. I know of at least one application on the “approved” list that still installs default O/S users with default passwords and administration rights. It’s only when you read the fine print of an installation addendum document that you find a note that merchants are advised to delete these users to be compliant. For reasons like this is exactly why we came out with our 4Go suite – to prevent the shock by adding another security layer. The goal is to keep cardholder data out of as many merchant systems as possible, thus reducing the chance of a compromise.
RE: Almost every “security appliance” I see advertises PCI DSS security but when you look at them, the products often only help with one aspect of the DSS and don’t make the merchant compliant but the sales side doesn’t make that very clear (in my experience).
I agree, a single component can only address one or some aspects of PCI, but taking a POS application completely out of scope is a big aspect. This is especially true if you factor in one of the key points of the blog entry, “merchants who are compromised and shocked that they even store cardholder data,” and Preston’s point that “but at some point they’re going to have to take someone else’s word on whether their equipment is properly [programmed and] configured.”
Steven M. Sommers
Vice President Applications Development
Shift4 Corporation – http://www.shift4.com
By Henry Helgeson on Feb 28, 2008
Michael, I couldn’t agree with you more. Time and time again we see small merchants accepting responsibility for something that they have no knowledge about and no useful tools with which to educate themselves. Acquirers and Service Providers need to take it upon themselves to educate smaller merchants - the result can only be beneficial for all parties involved in our industry.
There are so many avenues these days for reaching the merchants that there is no excuse for not taking responsibility for training your merchant portfolio. We find it’s helpful to provide information to smaller merchants that don’t necessarily have the resources of an IT/Security staff that can comprehend all of the sub-requirements of the PCI DSS.
In an effort to aid the average level 4 merchant, we (http://www.MerchantWarehouse.com) are developing mediums such as podcasts and online presentations/tutorials that are specifically geared towards businesses that are not well equipped to achieve compliance. We’re also exploring ways of providing these merchants with free tools such as a scan application that searches their systems for any vulnerable data that might be getting stored without their knowledge. Of course the best tool for fighting these misinformation issues on the behalf of the POS vendors is stressing the importance of PABP validated applications and pushing merchants towards POS solutions that are on the validated list.
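Two of the comments above describe the same kind of check from different angles: Preston’s mom-and-pop merchant looking for full card numbers on batch reports and receipts, and the stored-data scan application Henry mentions. The script below is an added example of that check, written for this page; it is not code from the blog author, Shift4 or Merchant Warehouse. It looks for digit runs that pass the Luhn check and carry a plausible issuer prefix, then reports each hit masked (first six and last four digits), so the scan output itself never becomes another copy of the data. The batch report text is constructed for the example, and the prefix list is a coarse filter of well-known public ranges, not an authoritative one.

```python
"""Cardholder-data discovery scan (added example, not the post author's,
Shift4's or Merchant Warehouse's code).

Finds digit runs that look like primary account numbers (PANs) in text such
as batch reports, receipts or POS logs, and reports them masked so a merchant
can see *whether* full card numbers are being retained without the report
becoming another place the numbers live."""
import re
import sys
from dataclasses import dataclass
from typing import List

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not immediately preceded or followed by more digits/separator-digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?![ -]?\d)")

# Coarse issuer-prefix filter (well-known public ranges) to cut false
# positives such as order numbers; assumption: good enough for a first pass.
PREFIXES = ("4", "34", "37", "5", "6011", "65")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, the usual 'masked PAN' form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked: str


def scan_text(text: str) -> List[Finding]:
    """Return masked findings for every Luhn-valid, plausibly-prefixed PAN."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not 13 <= len(digits) <= 19:
                continue
            if not digits.startswith(PREFIXES):
                continue
            if luhn_ok(digits):
                findings.append(Finding(n, mask(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan one text file; undecodable bytes are ignored rather than fatal."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read())


# Constructed sample batch report (not a real report; 4111... and 3782...
# are the widely published test card numbers). Line 2 holds a phone number
# and a 16-digit order id; line 4 fails Luhn; lines 3 and 5 should be found.
SAMPLE = """\
BATCH REPORT 2008-02-27  (constructed sample, not a real report)
Phone: 555-123-4567   Order: 1234 5678 9012 3456
Card: 4111 1111 1111 1111  Amount: 42.00
Card: 4111-1111-1111-1112  Amount: 13.37
Card: 378282246310005       Amount: 99.99
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [(p, scan_file(p)) for p in paths] if paths else [("<sample>", scan_text(SAMPLE))]
    for name, hits in results:
        for f in hits:
            print(f"{name}:{f.line_no}: possible full PAN stored: {f.masked}")
        if not hits:
            print(f"{name}: no full PANs found")
```

Run it with no arguments to scan the embedded sample, or pass one or more exported report or log files. Two hits are reported for the sample (lines 3 and 5); the order number is dropped by the prefix filter and the line-4 number fails the Luhn check, which is what keeps a scan like this from crying wolf on every long number in a report. A file that produces hits is evidence the POS or its reports are retaining cardholder data regardless of what the vendor said, which is exactly the surprise the post describes.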