FBI Credit Card Ring Bust Exposes PCI ChallengesSome experts say existence of complex credit card fraud black market a sign that PCI isn't effective
The publicity around the FBI sting that nabbed dozens of criminals in an international credit card fraud ring provides a good opportunity to reflect on the sophistication of today's data theft black market and the importance of organizations to look beyond the baseline security levels set by compliance regulations such as PCI, security experts say.
[What do auditors really want? See The Secret World of Compliance Auditors. ]
Announced by the U.S. Attorney's office in the Southern District of New York, the criminal investigation was a two-year effort by the FBI into a carding operation that netted 11 arrests in the U.S. and 13 more in other countries. The action uncovered stolen credit card numbers taken from 47 breached organizations. The documents made public with the announcements showed how complex such a previously successful carding operation had matured to, offering everything from sales of credit card numbers to fraudsters by the thousands to peddling of a large variety of malware to would-be thieves looking to acquire numbers on their own.
"It's always been exciting when we see such a strong law enforcement action when we see this kind of fraud because we know that its very different to actually track down the individuals who are involved in this kind of scheme and it doesn't happen very often," says Ben Knieff, director of fraud product marketing at NICE Actimize. "It brings to light for people who aren't so intimately involved in fighting this sort of fraud how complex and how many different parties are actually involved."
Some within the security industry say the sting offers yet another piece of evidence of how important it is to move beyond check-the-box compliance.
"The prevalence of credit card theft that this sting clearly demonstrates is a call for security to move beyond check-the-box regulatory compliance and focus on effective security measures," says Gretchen Hellman, director of product marketing at McAfee. "Regulations can only provide general requirements for security practices, but given the unique nature of every IT environment and the subsequent environmental risk, it is up to enterprises to ensure those practices are effective in protecting customer data."
Still others go so far as to say this is evidence of PCI's ineffectiveness as a regulation, charging that the existence of such unchecked commerce in stolen credit card numbers cast a shadow on PCI's touted successes.
“So, 47 organizations were breached. The real question is will any of them be fined by the PCI Council?" says Tim Erlin, director of director of IT security and risk strategy for nCircle. "This seems like a significant blow to the effectiveness of PCI. After years of regulation and 'enforcement,' it appears that little progress has been made in actually securing cardholder data. Of course, that assumes the goal of PCI is to secure data. If you look at the PCI DSS as a means of transferring liability for the security of card holder data, then the question of PCI effectiveness can be viewed in dramatically different light.”
Knieff at NICE Actimize wouldn't go so far. He says he believes PCI has helped the industry make great strides in limiting the number of consumers victimized by card thieves. But he also believes there's still work to be done.
"PCI absolutely helps but it is not an end all be all. There are still weaknesses in the system," he says. "Obviously, one of the challenges that we face is that there's more than one level of PCI compliance on the merchant side. And because they're relatively well-known it also allows criminals to know who's likely to be weaker or stronger from a security perspective."
According to Knieff, PCI and security practices notwithstanding, such complex cybercriminal activity shows that organizations need to focus risk management not only on how they treat sensitive data but also how consumers interact with it.
"It definitely highlights the fact that no matter how hard you try, even if every merchant and every processor and every issuing institution was perfect, you still have weak links at the endpoint," he says, "which is the consumer entering their information into a phishing site or a skimming device on a POS terminal or an ATM. PCI is good but it's not good enough to solve all of our problems at this point."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.