Tuesday, April 23, 2024

Samid: More Major Data Hacks Could Happen Without Legislation

The huge theft of card data at processor CardSystems Solutions Inc., revealed last week by MasterCard International, has prompted litigation and drawn the attention of most of the state attorneys general, but at least one network-security expert cautions that more such incidents are likely. Indeed, he says, little is likely to change in the way organizations handle such sensitive information until federal legislation spells out rules and enforces them.

“Nothing massive will change until legislation changes it, and that won't happen any time soon because the [card] industry will lobby against it,” says Gideon Samid, chief technology officer at AGS Encryptions Ltd., based in Tel Aviv and in Rockville, Md. Samid is a regular columnist on network security for Digital Transactions magazine.

MasterCard, Visa U.S.A., and other card companies earlier this year settled on a set of protocols, called the Payment Card Industry data security standard, that requires organizations that handle card data to install firewalls, use anti-virus software, encrypt data, and adopt other security measures. But enforcement of the standard may be another matter. CardSystems has said it was improperly storing the 40 million card accounts that were accessed in the attack, which occurred in May.

Simple encryption, says Samid, would probably deter most hackers, who will move on to other targets where data are stored in the open. Yet many processors shy away from encryption, says Samid, because it slows processing time and poses a risk of data loss if the keys used to decipher the data are lost. “Encryption slows down the process on a massive scale, and that's why people don't want it,” he says. “It's too slow and too cumbersome, and you have to do key management.”

A class-action lawsuit filed earlier this week in California on behalf of cardholders and merchants asks the court to force CardSystems, as well as Visa, MasterCard, and Merrick Bank, the South Jordan, Utah-based bank for which CardSystems is a registered agent, to notify affected consumers and run regular credit checks for them. In addition, the attorneys general for 48 states are giving CardSystems until July 25 to tell how they are notifying affected cardholders or otherwise helping them. The processor estimates that magnetic-stripe data on some 200,000 accounts were stolen in the attack, in which a hacker apparently exploited rogue script to access the company's database (Digital Transactions News, June 20).

But Samid says litigation is not likely to have the same force as legislation, which has the resources and enforcement power of government behind it. “With a civil case, it's very difficult to make a change that will have ramifications for how the industry behaves,” he says, in part because lawsuits depend on the financial resources of the plaintiffs.


Digital Transactions