The Green Sheet Online Edition
May 25, 2009 • Issue 09:05:02
PPISC urges solidarity for security
The inaugural meeting of the Payments Processor Information Sharing Council was attended by 30 industry veterans representing 20 merchant acquirers and third-party payment processors. The council is dedicated to sharing information about data breaches and preventing attacks on payment networks.
As the PPISC's organizer, Robert O. Carr, who is also founder, Chairman and Chief Executive Officer of Heartland Payment Systems Inc., felt the May 5, 2009, meeting in St. Pete Beach, Fla., was a success.
"The group in general seemed very positive about acquirers and processors getting together to share information," Carr said. "To them, the security issues were so important that competitive issues were set aside for the greater good of the industry - and payment processors have never done that."
Topics of discussion at the PPISC meeting were data breaches going back to January 2008, the issues relative to Payment Card Industry Data Security Standard compliance and the inadequacies of audits.
"The audits we had were not helpful at all because the problems we had that ultimately allowed us to be breached were in our system," Carr said. "They were always in our system, and six years of audits never caught it." Heartland has experienced significant repercussions from a data breach it suffered in 2008. For more information, see "Heartland clamps down on breach," The Green Sheet, Feb. 9, 2009, issue 09:02:01.
The PPISC works with the Financial Services Information Sharing and Analysis Center, a nonprofit organization dedicated to distributing breach-related and security-compliance information to its members, the government, and telecommunication and utility companies. Members receive alerts regarding cyber and physical threats, vulnerabilities and incidents of concern.
"The reason we chose FS-ISAC is that it already has the infrastructure in place to report fraudulent activity without identifying the submitting party," Carr said. "If someone gets breached, they can turn that information over to the FS-ISAC, and nobody is going to penalize them or disclose who it was. It's confidential and nonpunitive, so it gives us a chance to pull together the new malware that's found on a regular basis and distribute it to PPISC members."
Malware from several breaches, including Heartland's, was distributed to representatives in attendance. "We also distributed software that will help find those malware binaries on a particular machine," Carr said. "The problem, obviously, is international, so getting the current malware is pretty valuable in attracting more international players to the PPISC."
Carr said breach forensics teams have found that malware inserted into payment networks tends to be used repeatedly until cyber criminals have to rewrite it because of anti-virus tools designed to keep it out. "But the anti-virus tools haven't caught any of this malware," he said. "That's why it's malware. So we're trying to get the forensics firms to submit what they learn on a confidential basis to the FS-ISAC system."
To assist representatives of companies unable to attend the Florida meeting, Heartland will offer a conference call on June 23, 2009, at 1:00 p.m. EST to go through information covered in the meeting. A webinar is also planned, though no date for that has been set. Carr extends an invitation to any merchant acquirer and third-party processor wishing to learn more about the activities and membership benefits of PPISC and the FS-ISAC.
"We agreed that this group should be limited to those organizations, but it's still a pretty big group," Carr said. "In order to become a member of the PPISC, there is a membership fee to join the FS-ISAC, as well as different levels of membership. And they will need to sign a nondisclosure agreement not to discuss any information learned here outside the group. Cyber criminals go after anybody they can, so this kind of solidarity is critical."
For more information, visit www.fsisac.com or contact Carr at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.