PCI
Visibility & PCI Security
I'm a fan of the PCI security standard from Visa, Mastercard and American Express. It is tight in all the right ways and loose in the right ways. It tells credit card processors and merchants explicitly that they must use two-factor authentication for remote access, but nothing more. If PCI has a problem, it is that it will be too little too late to protect cardholder data and stave off regulation. The structure of the credit card industry makes it tough for it to be otherwise. Will making retailers liable for credit card breaches help? I'm not sure.
To me one of the biggest problems is a lack of information regarding the security practices of credit card processors and merchants. Is there a place we can go to see if the credit card processor we're considering has passed their PCI audit? If my processor fails their PCI audit, are they required to notify me and their other merchants?
The credit card industry is a duopoly at the top, with Visa by far the biggest. They can make this kind of change happen. While they risk angering their customers, it will probably be better than more regulation.
- Category(s)
- Security and Economics
- Phishing and Fraud
- PCI
More on PCI Security: Random Pen Testing
Thinking a bit more about PCI security since my post on PCI visibility, I think what Visa and Mastercard need to do is hire independent third-party penetration testers to pen test merchants and processors.
The PCI Three are making a big switch in September, when they will start fining acquiring banks for non-compliant merchants. However, there are two problems with the auditing procedures: auditors are paid by the companies they are auditing, and audits are static snapshots. I'm not insinuating anything here about the ethics of PCI auditors, just pointing out the agency conflict and that a company might get compliant for an audit, then lapse out of compliance.
Further, as I have mentioned before, I think that the PCI program may be too little too late to fend off regulatory action. I think that having auditors that are paid by Visa/Mastercard/Amex to pen test merchants and processors would keep merchants and processors on their toes. Obviously, the merchants and processors would have to give permission for random pen tests, but I think that issue can be forced. Doing this would eliminate the two problems noted above. The pen testers would not be paid by the target companies and the target companies would have no idea when they would be audited.
Assessing Brand Damage
Tim Erlin started a discussion about brand damage. However, the data he used was really about stock prices, not "brand", which is much harder to quantify (and it's not easy to quantify the effects of a breach on stock price).
Recently, Javelin Research surveyed twelve hundred consumers randomly by phone during February about consumers' perceptions of breaches:
Although previous Javelin studies have proven that only a fraction of fraud in the U.S. is due to data breaches, 77% of consumers intend to stop shopping at merchants that suffer from data breaches. Retailers and merchants are viewed by 63% of consumers as the least secure when protecting consumer's data, compared with processors (16%), card networks like Visa or MasterCard (5%) and issuers (5%). When little is known about a data breach, half of all consumers automatically consider the merchants where they shop to be at fault. However, 85% will reward merchants who are perceived as security leaders with increased purchases.
The responses are suspect in my opinion. I find it hard to believe that 77% of TJX shoppers will stop shopping there. If TJX apologizes, explains how they have increased security and sends a discount coupon to affected consumers, the vast majority will return. However, not all will return.
The report also states that, absent any information about a breach, 49% of consumers will hold the merchant responsible. While this sounds like Visa promoting PCI to merchants, it also makes sense. Even if the payment processor loses my data, I didn't choose them. The merchant did.
- Category(s)
- Security and Economics
- PCI
TJX Sales not affected by breach
Continuing the discussion about brand damage, breach costs and the PCI security standards, TJX reported higher sales despite suffering the largest breach known. Same store sales increased 6%, higher than analysts expected. Consumer sentiment seems to confirm my contention that information security is not a key element of the TJX brand:
"It's a sad thing, but it can happen anywhere," said Chamia Kissoon, a 30-year-old bank employee from Boston who left with a bag filled with clothing.
"Identity theft and data theft seem endemic, and I've got to presume that since TJX is aware of this theft, that they've fixed their problem here," said Peter Hartzel, a 60-year-old financial manager from Dedham, Mass.
An expert who helps corporate clients repair their reputations said he was not surprised by TJX's strong sales amid bad publicity.
"Convenience and price are huge factors in bringing people to any store," said Peter Morrissey, an associate professor of communications at Boston University who helped advise Johnson & Johnson after product tampering in 1982 involving its medication Tylenol. "It's just hard to change people's patterns."
"And with something as mysterious as a data breach, it seems to be remote, and beyond people's control, so customers cut you a fair amount of slack," Morrissey said. "It's almost like white noise."
It will be interesting to see how their stock performs. I think it will do well, because investors will realize that this is a one-time event that will not adversely affect long-term cash-flow:
"Wall Street is very focused on their operating performance, and on how this credit card issue is something that will be corrected, and then it will be history," said Mark Montagna, an industry analyst with C.L. King & Associates.
As for customers, Patrick McKeever, an analyst with Avondale Partners, said surveys that he and others in his firm have conducted with TJX shoppers indicate that any consumer backlash will be negligible.
"There were certainly a few people who had heard about it on the news and decided to curtail their shopping at TJX, but for the most part, people seemed not to be overly concerned about it," McKeever said. "Consumers are well aware of the kind of value TJX offers because you can go and see the same merchandise you would see in department stores, and it's 20 to 60 percent cheaper. It's very compelling at the end of the day."
For consumers, the benefit of the savings is worth the risk of having their credit card data stolen. It certainly seems rational, given that they assume it could happen anywhere and that it probably will.
- Category(s)
- Security and Economics
- Information Security
- PCI
How much will a breach cost you? Find out online!
I'm telling you, this internet thing is something. There is now an online calculator - from a company selling cyber-insurance - to help you estimate the cost of a data breach or identity theft data loss scenario. While I am also impressed with JavaScript, I think their data loss archive needs some work.
- Category(s)
- Security and Economics
- Information Security
- PCI
Top 9 reasons to embrace two-factor authentication
Passwords have been around forever and it's starting to show. The next level of authentication security is two-factor authentication. Your ATM card is an example of two-factor authentication: you need both possession of the card and knowledge of the PIN to get cash. There are a number of factors that are pushing two-factor authentication toward a tipping point.
- Compliance - Increasingly, companies are deploying two-factor authentication because they are forced to. The credit card companies are requiring merchants and payment processors to meet the PCI Data Security requirements, which require two-factor authentication for remote access to their networks. Banks are subject to FFIEC guidelines which promote two-factor authentication.
- Risks are increasing - Hackers are now coin-operated: they do it for the money. And there are many ways for them to make money with stolen information with very little risk of being arrested. Hackers are going after corporations in targeted, hard-to-stop ways. Defense in depth will be required, and two-factor authentication will be used for employee remote access and also inside the firewall for key systems and admin accounts.
- Ease of use - There are more two-factor solutions today. Some run on USB drives, some on cell phones and Blackberries, some on PCs. We even have a Firefox extension. These options are more convenient than tokens and in some cases, more convenient than passwords.
- Cheaper - All these options are driving prices down, making two-factor authentication less expensive than passwords - because resetting passwords costs money too. WiKID provides both a commercial version and an open source version.
- Password overload - People have more and more accounts online and more and more passwords. They either re-use passwords, use simple, breakable passwords, or forget them.
- Private Personal Information - It's everywhere. If you have an HR database you have information that is valuable to hackers. They can be on the other side of the world and sell personal information on the Internet.
- Single Sign-On - There are a number of great single sign-on projects today (InfoCards, OpenID, Higgins, etc.). These tools promise to reduce the number of accounts and passwords you have. At the same time they put a lot of eggs in one basket, and you need to protect that basket.
- SaaS - Software as a Service is exploding thanks to web-based apps like Salesforce.com, Google Apps for your Domain, Amazon Web Services and all the great web 2.0 applications. The weakest link in the security of these applications is the passwords. It is far simpler to steal a user's password than try to break into the server or decrypt the SSL tunnel.
- Increasing value of intangible items - The Internet has created new intangible items that have value: your eBay reputation or virtual money in Second Life, for example. Access to these items is based entirely on your credentials, and you will want to protect them, as there have already been examples of stealing real identities to steal virtual items to sell for real cash.
On the other hand, here are some of the reasons you might not see true two-factor authentication in the near future:
- The secret second factor - Cookies, flash objects, IP addresses and MAC addresses can be used surreptitiously to attempt to validate a computer or browser. However, these are easily spoofed or actively deleted by the user. If you are a regular cookie deleter or have privacy software that deletes them for you, you might find that you get asked additional "security questions".
- More of 1 factor authentication - You might see more of one factor instead of two factors. The best example of this is the "security questions" referred to above. Having more of one factor does not make it two-factor. Two different factors are required because an attacker who has captured one kind of secret (something you know) is no closer to the other (something you have), which raises the complexity of the attack.
- Misguided expectations for two-factor authentication - Deploying it won't solve all your problems. Moreover, some financial institutions are deploying it in a sub-optimal way. For example, some banks are using tokens for session authentication which, without mutual authentication, is still vulnerable to man-in-the-middle attacks or browser vulnerabilities: once the attacker sits inside an authenticated session, the one-time password that opened it says nothing about the transactions that follow. This could cause a backlash against two-factor. They should use the one-time passwords to validate transactions rather than sessions. After all, they are trying to stop fraudulent transactions.
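To make the session-versus-transaction point above concrete, here is an added example (my own illustration, not WiKID code and not from the original post). It uses RFC 4226 HOTP as the session-style token code and, as an assumption about what a transaction-signing token would cover, an HMAC over the counter plus the payee and amount the user confirms on the device. The secret, payee names and amounts are constructed for the demo. A man-in-the-middle that rewrites the payment in transit is accepted by a bank that only checks the session OTP, and rejected by a bank that recomputes the OTP over the transaction it actually received.

```python
import hashlib
import hmac
import struct

# Constructed secret for the demo; a real token holds a provisioned key.
SECRET = b"constructed-demo-secret"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a fixed-length decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Session-style OTP (RFC 4226 HOTP): the MAC covers only the counter,
    so the code is good for whatever happens in the session it opens."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_otp(secret: bytes, counter: int, payee: str,
                    amount_cents: int, digits: int = 6) -> str:
    """Transaction-bound OTP (assumed format): the MAC covers the counter AND
    the payee/amount shown on the token, so the code is only good for that payment."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount_cents}".encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)


def bank_accepts_session_otp(secret, counter, submitted_code, payee, amount_cents):
    """Bank that authenticates the session: checks the code, ignores the payment."""
    return hmac.compare_digest(hotp(secret, counter), submitted_code)


def bank_accepts_transaction_otp(secret, counter, submitted_code, payee, amount_cents):
    """Bank that authenticates the transaction: recomputes over the payee and
    amount it actually received, so tampering in transit changes the expected code."""
    expected = transaction_otp(secret, counter, payee, amount_cents)
    return hmac.compare_digest(expected, submitted_code)


def man_in_the_middle(payee, amount_cents, code):
    """Constructed MITM: forwards the user's code but rewrites the payment."""
    return "Mule Account", 950_000, code


def simulate(counter: int = 7) -> dict:
    """User intends to pay Electric Co $120.00; a MITM rewrites the transaction."""
    payee, amount = "Electric Co", 12_000

    # Session authentication: the token code does not depend on the payment,
    # so the rewritten transaction verifies exactly like the honest one.
    session_code = hotp(SECRET, counter)
    p2, a2, c2 = man_in_the_middle(payee, amount, session_code)
    session_result = bank_accepts_session_otp(SECRET, counter, c2, p2, a2)

    # Transaction authentication: the token computes over the payment the user
    # confirmed on the device, not over whatever the browser ends up sending.
    tx_code = transaction_otp(SECRET, counter, payee, amount)
    p3, a3, c3 = man_in_the_middle(payee, amount, tx_code)
    tampered_result = bank_accepts_transaction_otp(SECRET, counter, c3, p3, a3)
    honest_result = bank_accepts_transaction_otp(SECRET, counter, tx_code, payee, amount)

    return {
        "session_otp_accepts_tampered_payment": session_result,       # True
        "transaction_otp_accepts_tampered_payment": tampered_result,  # False
        "transaction_otp_accepts_honest_payment": honest_result,      # True
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name}: {accepted}")
```

The caveat the post raises still applies: transaction signing only helps if the token displays the payee and amount to the user out of band from the browser, so that what gets signed is what the user saw rather than what the malware submitted.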
What did I miss?
- Category(s)
- Two Factor Authentication
- Transaction Authentication
- PCI
Banking group sues TJX
In an interesting development in the economics of information security and data breaches, a group of banks is suing TJX for "negligent misrepresentation". According to Massachusetts Bankers Association CEO Daniel Forte:
"Banks all across the nation re-issued debit cards as a result of the TJX data breach. Preliminary estimates of the costs vary from institution to institution, up to $25 per card," MBA officials said in a statement. "This alone would run into many millions of dollars for banks throughout the country. Moreover, when fraud occurs, banks generally cover the entire fraud, replacing money in customer accounts to protect their customers."
The banks, which once owned Visa, the creator of the PCI data security standards, now recognize that their costs are an externality in that system. The tort system is a pretty good system for dealing with externalities. Unfortunately for those who like to have real data on these matters, if the case is settled out of court, we probably won't know how much it actually costs TJX. I continue to believe it will not affect their brand or sales, but it will hurt their stock price, as would any expenses that do not generate revenue.
- Category(s)
- Security and Economics
- PCI
Texas considers requiring PCI compliance
In an interesting twist in the continuing PCI story, the Texas legislature may mandate PCI compliance:
According to the language of the bill, "A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry data security standards." The bill would allow a financial institution in the state to request a breached entity to provide certification of its compliance with PCI specified controls. HB 3222 would require the certification to be issued by a PCI-approved auditor no earlier than 90 days before the breach.
It sounds like retailers would have to be audited every 90 days! Is this bill the work of the financial institutions or the auditors?
- Category(s)
- PCI