Risk Management, Compliance and Industry Standards
One thing I do agree on, before I go any further, is that this is unfortunate for all the parties involved. Be it the banks that issued the cards and have to re-issue them yet again because of this incident, the payment processors, or the consumers who are becoming somewhat impervious to this type of news. After all, how many times do I need to be notified that I should 'keep an eye out' for suspicious transactions? This is not a fictional consumer we are talking about. I was notified by my bank when TJX's systems were compromised. I was notified when Certegy's systems were breached. And yes, I was notified by Countrywide when an employee walked away with their information and sold it to third parties.
So, let's get this out of the way: it's unfortunate, and even though we still don't know the extent of the breach in these cases or how the compromise actually happened, we can agree that it is criminal activity. I also accept that the parties that were breached, be it TJX, Heartland, Certegy, Countrywide or others, are victims themselves.
Besides all the incident response activities they have to undertake, they have a PR nightmare on their hands. And that's what I wanted to talk about today. No, not the nightmare part, simply the public relations aspects of this incident. It has been reported that Heartland is advocating the adoption of "end-to-end" encryption technology throughout the payments industry. I am simply aghast at some of the statements I have read in response to this unfortunate incident.
The issue is not the technology, or the standards, or the "adoption of end-to-end encryption technology throughout the payments industry." We, as an industry, have had the technology for years (and continue to build upon and improve it). It's the awareness and acceptance among business leaders that's lacking. It's the notion that 'it won't happen to us' or 'security is expensive, time-consuming or a resource hog' that gets in the way.
I know it's a discussion for another time, but here is a simple approach to risk management:
1) Assess your risks: not only compliance risk, but all risks that a transaction or a system poses to your organization.
2) Assess and decide the level of risk the organization is willing to accept.
3) Remediate the risks that lie outside this acceptable level.
4) Lastly, accept the residual risk, or combine acceptance of risk with transference to a party that is willing to accept such risk.
The point I am trying to make is that it's up to an individual organization to assess its risks and take appropriate actions. Standards and promoting adoption of a technology will not do much for an organization if the risk assessment process has faults.
I can't emphasize enough that all of the organizations that have come forward and announced a system breach are victims themselves, and that the activity itself is criminal. It's unfortunate for all the parties involved.
Back to the public relations aspect of this incident for a moment: I somewhat sympathize with the group responsible, but in cases like these, the PR spin simply doesn't work for me.
What about you? Do you buy that "adoption of end-to-end encryption technology throughout the payments industry" is the panacea?