It has been over 11 years since the PCI Data Security Standard was released, and all of the deadlines for organizations that handle payment card data to become compliant are long past, yet we are still seeing regular breaches and fraud. This raises the question: if breaches are still happening in spite of the security standards and all of the technology we've deployed, has the security industry failed?
To put this in context, many of the high-profile breaches from Target's breach in 2013 onwards have been the result of memory-scraping malware attacks on point of sale (PoS) systems. A long time ago, during my first PCI QSA training class (circa 2007), one of the other students asked about protecting unencrypted card data temporarily held in a system's memory (as opposed to permanent or semi-permanent storage on disk). The instructor laughed the question off and said that it would be a good day if attackers were trying to grab card numbers out of memory, because it would mean that the many easier ways of stealing card data must have been blocked.
This comment may seem shortsighted in the harsh light of recent breaches, many of which relied on exactly the sort of memory-scraping techniques the student asked about. What the instructor was trying to get across, though, was that at the time many organizations had large databases filled with years' worth of unencrypted credit card data, and a compromise of any one of those databases immediately handed the attacker a large quantity of data that could be used for fraud. Thanks to the PCI security standards, much of the stored card data is now encrypted, and many organizations have stopped storing it altogether in favor of tokenization and similar solutions, so it is now much more difficult to raid a database and acquire years' worth of card data all at once.
What we are seeing instead is the latest iteration of a cat-and-mouse game: criminals have moved to PoS memory-scraping attacks because the easier database-centric attack vectors have mostly been closed off. This doesn't mean that securing databases and moving to tokenization has been a futile effort. The memory-scraping approach that attackers have been forced into has disadvantages for the criminals: their chances of finding a database with years' worth of data are much lower, so instead they must remain inside the target network, siphoning unencrypted card data from PoS terminals in real time. The scope of the breach is therefore limited by how long the attacker can maintain access undetected.
The PCI standards have adapted to these new attacks as well, and developers are now required to consider how sensitive data is handled in memory. In time this loophole will be closed off too, and attackers will be forced to find yet another attack vector, one that will likely be more difficult and yield even less data they can use for fraud. The end game will come when stealing card data requires more effort than the resulting fraud is worth.
The question then comes back down to businesses: how much are they willing to spend on security to prevent the "next" breach? We in the security industry were talking about memory-scraping attacks 9 years ago, and it was certainly feasible at the time for merchants, banks, processors, and the companies that make PoS terminals to implement a system that would have prevented memory scraping (a security standard that now exists and is known as P2PE, point-to-point encryption). But as a security professional I would be hard pressed to convince any business to spend money replacing its payment card infrastructure, and to accept the inconvenience and overhead that this level of encryption brings, in order to prevent a new type of attack that may only come to pass years in the future.
Instead, businesses tend to be reactive, implementing security measures only once they see an immediate risk, which they often recognize only after they or their peers have taken losses. This creates a lag between the point at which new security controls become necessary and the point at which businesses realize it and start to implement them. In the interim, criminals can have a field day preying on those that are slow to address the new risk.
Those of us who work in the security industry may be able to predict future threats and find solutions, but we don't control the networks and sensitive data that attackers lust after; we can only advise our clients, and the decision on whether to spend resources addressing a new risk is up to them. Our successes are the companies that do recognize the risk and act proactively, but their names don't end up in the headlines, or at least not in the same headline as the word "breach", and those successes are harder to measure than the attention-grabbing failures of peers that haven't thought as far ahead.