Cybersecurity executives commented on the early news of a Discover Card customer data breach, including fraud and compliance concerns:
Discover Card Users Affected by Data Breach, New Credit Cards Issued https://t.co/oe8KyRfGDU
— Buddahfan (@Buddahfan) January 30, 2019
Expert Comments below:
Anthony James, Chief Strategy Officer at CipherCloud:
“Discover’s breach is very typical of the news we hear continually concerning financial firms and credit processors. In today’s environment attackers will get into your networks. That’s a fait accompli. We also expect that it will take months even before a card processor such as Discover is even aware of the intrusion and possible breach What we don’t expect to hear is that the databases and credit card data are, amazingly, unencrypted.
New legislation, such as the EU’s GDPR, the pending California Data Privacy coming into force in 2020, and the new national bill proposed by Marco Rubio, the American Data Dissemination Act, create a regulatory barrier only met by the end-to-end use of encryption within these financial systems. You must ensure that your data is encrypted, both in the database, and in transit (middleware, API, etc.) and in use. Similarly, your business partners must be held to the new standards you require internally.”
Felix Rosbach, Product Manager at Comforte AG:
“Payment card data is some of the most sensitive data of all. Fraud is easy to commit with stolen card account information. Therefore these kind of breaches create a lot of stress on both the issuers’ side and on consumers – regardless of whether an issuer was actually the target of a breach or a merchant in the network.
It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup. Implementing data centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward.
One very effective way to protect sensitive data is to pseudonymize it. Acquirers, merchants and issuers should only use tokens instead of clear text data to process payments and store sensitive data. If hackers get access to these tokens, the data is useless. This also reduces stress on both sides: for businesses and consumers.”
Colin Bastable, CEO at Lucy Security:
“Third parties are the CISO’s Achilles Heel. It appears to be a classic case of a third party’s failure to protect Discover Card customer data. Discover is not going to feel it, but the buck has stopped somewhere down their food chain.
We should be realistic – the costs for Discover will be a rounding error, and have already been built into their Q4 provisions (up 18% over Q4 2017). The 176 million card-carrying US consumers are generally inured to the consequences of these breaches – between them, they have some 985 million credit and store cards, and the card issuers are very good at shipping out replacement cards.
The real problem is that these thefts are not victimless crimes – real money is involved. Crime rings and governments are stealing from the American consumer and using it to finance more crime.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.