In light of the recent information security breach at TalkTalk, I thought it would be a good opportunity to share my thoughts on information security and the use of credit cards to purchase goods and services online.
I am not by any means an information security expert, but I can credibly claim to have more knowledge of the subject that the average member of the public, and probably the average IT professional too.
My experience derives primarily from managing systems used to book flights and hotel rooms, in which customer credit cards are used as the method of payment. In my most recent role in this regard, over €40m of revenue per month was flowing through systems under my control.
To understand the underlying risk in passing sensitive data to a computer system you encounter online, the most important point to understand is that for every commercial organisation that ever existed, information security is a drag on profitability.
In itself, that isn’t surprising or unique. There are lots of business functions that are a drag on profitability. The difference with information security is that while its significance is generally understood by decision makers, the complexity of the risk involved is not, which means that when its drag factor is considered with every other drag factor, its tends to get bumped down the list more easily when decisions have to be made about priorities.
For instance, if a Marketing Director says to a CEO that a product launch needs to be delayed to develop a new advertising campaign, because a focus group indicated that the original marketing campaign was not appealing, the logic is immediately accessible to the CEO, and the decision is relatively simple.
If, an the other hand, an IT Director says to a CEO that a new product launch has to be delayed because the software underpinning the payment system for the product hasn’t been penetration tested for Cross Site Scripting vulnerabilities, the logic is less accessible, and the CEO will probably consider the situation of terms of probability, not logic.
“What are the chances of our software being targeted when there are millions of online systems for hackers to choose from? We’ve released products with this software before and everything was fine, so why not this time?”
This type of thinking is pervasive in corporations that rely on information systems and ask us to trust them with our data. When it comes to information security, more often than not, risk is considered in terms of what is probable, not what is possible. The critical flaw in this is that a decision makers estimation of probability is always influenced both by their experience and their wider commercial objectives. If they keep subconsciously diluting risk because it interferes with their commercial objectives, and nothing ever goes wrong, it becomes easier to dilute that risk further and further each time. More often than not they’ll get away with this. There are millions of online systems, and you need to be unlucky to be targeted, but you’re just as likely to be targeted as any one else.
A real life example of this is readily available. I recently had to make a trip to England, and needed to book 4 days parking at Dublin Airport, which would cost in the region of €30, which I knew I would have to pay for with my credit card.
Being relatively familiar with what goes on behind the scenes on such sites, I tend to rank the security they offer higher than more obvious considerations like price. The gold standard for me is the availability of PayPal as a payment option. There was a time when asking users to pay using PayPal was seen as second rate, which resulted in many online retailers discounting it in favour of custom solutions that made their online presence seem apparently more sophisticated.
Thankfully, those days are gone. PayPal have a proven track record when it comes to credit card security, and my advise would be to always choose PayPal as your payment option rather than entering your card details anew into a integrated payment system.
In the absence of PayPal, I would always favour payment solutions that link into payment gateways like Realex and WorldPay. These solutions require you to enter your credit cards details, but these are either forwarded directly to the payment gateway provider, or entered on a page provided by the gateway provider. The key thing to understand is that the organisation you purchasing the product or service from has very limited responsibility in terms of managing your credit card data. This is a good thing, because it means they have to deal with the issue of information security being a drag on profitability less frequently than organisations that attempt to process credit card payments themselves.
When neither of these options are obviously available, I will always look for an online statement from the product or service provider about how they deal with credit card payments. The key element to look for in such a statement is either attestation to or certification of what is known as PCI DSS compliance.
PCI DSS compliance is a set of standards agreed by the credit card industry which organisations storing or communicating credit card data are supposed to adhere to. There is no law or industry requirement that they should, although many banks will refuse to deal with organisations if they don’t.
Implementing PCI DSS compliance in an organisation is an onerous and expensive task. Not only is the baseline standard difficult to achieve, particularly if the organisation has grown rapidly and the standard has to be implemented retrospectively, but it is also evolving all the time, requiring organisations to devote dedicated resources to ensuring that processes and procedures are up to the date. Its also a standard that involves much more than software. It touches every part of the organisation, from HR to Accounting to Marketing to IT.
Any organisation that has been through this knows the pain involved, and when you achieve compliance, its something you want to tell people about. As such, if I were dealing with an organisation that has full PCI DSS compliance in place, I’d expect them to make that clear on their website.
Lets take a look at the parking options available at Dublin Airport to see how they fared in relation to the payments options available to me.
The first one I tried, because it was the cheapest, was http://quickpark.ie/. I got my quote and clicked through the booking process to where my credit card details were required. There was no PayPal option, and no evidence of the site using a payment gateway, so I started searching for some evidence of PCI DSS compliance. This is what I found on their Frequently Asked Questions page:
How do I know my booking details are secure?
You can rest assured that your personal data is safe with us. Every booking is encrypted via SSL protocol. Along with encryption we take all the measures required to keep all your personal data safe.
This is an incredibly anaemic statement for a website asking you to enter your credit card details. Their reference to the “SSL protocol” means that your details are encrypted while they are in transit from your computer to theirs (which is a very basic standard), but no information is provided regarding what happens to your details once they arrive at the other end. The reference to “SSL” is also telling. The primary protocols used in the transfer of data across the web are SSL and TLS. Up until about a year ago, SSL was predominant, until a flaw was discovered in it, resulting in the well-managed websites switching to TLS. The fact that QuickPark’s web site continues to refer to “SSL” is not encouraging, never mind the total absence or any reference to the PCI DSS standard.
My next attempt was on the Dublin Airport Authority’s website, where you can book parking in the parking areas owned by the airport. This was at http://www.dublinairport.com/gns/to-from-the-airport/car-parking.aspx.
Again, there was no PayPal option, and no reference to a payment gateway provider, so I again went searching for a statement on information security. This is what I found on their Pre-Booking Frequently Asked Questions page:
How do I know my booking details are secure?
The details you provide are encrypted to prevent them being read over the internet. This is indicated by the GeoTrust icon on the car parking page. You can click on the icon for more detail.
This statement is similarly anaemic to the one provided by QuickPark, which surprised me, given that the Dublin Airport Authority is a long-standing semi-state body, compared to QuickPark, which is a relatively small private company.
Again there is reference to the transmission of data over the internet, but no reference to the management of data on the other side. The reference to the GeoTrust logo is meaningless, but was presumably included as it features the word “Trust”. Obtaining a a GeoTrust logo for your website, or a logo from any one of hundreds of similar providers, costs about $20 per annum. All it signifies is from whom you bought your digital certificate to encrypt your data transmission. It means nothing is terms of how your data is managed by the company once its gets to its destination.
At this point, I decided to change tack, and did a Google search for “Dublin airport parking pci dss”.
The first result I got was for the Clayton Hotel, which is just off the motorway near the exit for the airport, and which offers car parking to airport users.
On their parking Frequesting Asked Questions page (http://www.claytonhoteldublinairport.com/park-and-fly/parking-faqs/) they state:
How do I know my booking details are secure?
To ensure that you are trading in a secure environment, Clayton Hotel Dublin Airport has contracted the services of Advam. Advam is the leading provider of integrated global card services for private enterprise and government agencies in Australia and around the globe. Advam is a Tier 1 payment processor which adheres to the most stringent of industry accreditations including Level 1 PCI DSS compliance, EMV certification and ISO 9001 accreditation. When you enter your payment details online, you will notice that you will are using a secure site which uses 1024 bit tunnelling encryption to protect your information during transmission. Every transaction processed through Advam’s payment switch is protected by the latest in encryption technology and a combination of state of the art firewalls and intrusion detection systems guard every point of ingress and egress on the Advam network.
This was obviously cut and paste from another document provided by the company referenced in it, Advam, but that in itself isn’t a problem. From this statement I can see that not only is the transmission of the data secure, but that responsibility for the data has been handed of to a third party who specialise in credit card security and who have achieved PCI DSS compliance. This is the type of statement I would expect to see from an organisation asking for my credit card data, and this was the option I chose.
In considering this example, I need to go back to my earlier point about information security being a drag on profitability. As noted, its one drag in a mix of many different drags, but its a drag that tends to get pushed aside because it isn’t one that decision makers can easily relate to.
When this is not the case, or in other words when a decision maker has decided to sufficiently prioritise information security, its a painful process for the organisation involved, and part of the payback is making sure that everyone knows the effort you’ve gone to, particularly if your competitors haven’t.
From that point of view, finding anaemic statements like those referred to above turns on a warning light for me. The absence of more comprehensive information about information security doesn’t mean that these organisation are insecure, but it does mean that they aren’t particularly bothered about promoting information security as a feature of their service offering, which suggests they’ve haven’t invested particularly deeply in it.
At this juncture, it would be nice to be able to go back and view what TalkTalk said about their information security before they were hacked, but at the time of writing, the entire TalkTalk website is just one big blurb about how TalkTalk take information security more seriously than anything else. Presumably, it will be that way for some time.
That said, its unlikely that very many of TalkTalk’s customers ever bothered checking out their statements about information security.
If you don’t want to be in the same position they are in today, its probably a habit you should get in to.