April 3, 2012
Starting last Friday, widespread coverage reported that Global Payments, one of the many firms that handle credit card payment processing for the likes of Visa and MasterCard, suffered a security breach from late January through late February. More seriously, the breach exposed Track 1 and Track 2 credit card information, meaning names, credit card numbers, CVV codes and, in some instances, addresses. This information allows hackers to duplicate the card and make both online and in-store purchases.
It’s important to point out that hackers have realized that to steal credit and debit card information, it’s not necessary to penetrate the major credit card companies; all they need to do is probe the entire transaction chain and hack the weakest point. In the last few years, they have discovered that payment processing companies are often this weak point.
It’s clear that a sophisticated defense-in-depth strategy across the entire transaction chain that is continuously tested and updated can minimize these attacks. It’s also clear that the time and financial investment required to achieve this level of protection isn’t happening.
I point to the survey Norman released in March of senior IT people at large organizations that represent a cross section of industry (beyond just financial services), which focused on trends in malware analysis, an important piece of a defense-in-depth strategy. The survey reveals that while 65 percent of respondents predict the sheer number of malware threats will grow by more than 25 percent in 2012, just 45 percent believe their malware analysis budgets will go up and only 33 percent state they will add analysts to their IT security teams this year.
This breach also reminds me of the important lesson of getting the facts and not relying on initial reports. Early reporting indicated that several million accounts could have been compromised, when the actual number appears to be closer to 50,000, although there is still no definitive count. Still not good, but not the massive hack first reported.
It seems to me there is an opportunity for forward-looking payment processors to differentiate themselves by instituting more aggressive security policies and marketing this strategy to the banks and merchants that hire them. Not only would this reduce the number and severity of hacks, but banks and merchants could also point to these more aggressive strategies as a testament to their commitment to safeguard cardholders’ information.
Instead, the opposite has happened. On Monday, Visa announced it is dropping Global Payments as one of its payment processors. Global Payments CEO Paul Garcia noted he expects Visa to reinstate his company, but didn’t specify when that might be. We will see.
Darin Andersen is the Vice President & General Manager for Norman North America and has more than 20 years of experience in software and security sales management.