A recent article in American Banker, Bank Data Breaches Are Stuff of Nightmares: Citi Exec, Julie Pukas, the global head of integrated payments at Citi made this interesting comment:
"All of us have probably [experienced] one way or the other some type of data breach, and … it's probably what I wake up in the middle of the night thinking about, because it's really to some degree out of your control".
While no doubt data breaches are a difficult challenge, getting control over the protection of your data is actually a lot less difficult these days even in complex payment ecosystems.
As she noted, with increasing complexity in payment systems, attacks are going to get easier. That's true if the approach to data breach mitigation is to look at the problem on a system by system or "IT centric" basis. However, one way to reduce the risk is to take a different and simpler approach - by looking at the sensitive data at the data level across data lifecycle. By taking away the value of the data to attackers who might gain access to it, the economic benefit of mounting an attack can be reversed. Attackers will move on to more lucrative sources of data bounty. Of course there's more to overall payment system risk than just the data itself, but if the sensitive data can be secured from cradle to grave then a big part of the risk problem due to attackers goes away.
Whether retail payments, ACH, trading or other typical payment protocols, it's now possible to go well beyond the protection offered just by encrypting the channel or the server. Let's face it; the hackers can get the data in the security gaps that the "pipe and bucket" approach to security leaves behind. Data at rest security does nothing when the data's on the move or in use. In transaction processing, that's most of the time. Channel security doesn't deal with the data - data coming in and out is at risk from attackers. That's a lot of attractive data passing across big security gaps that malware might sniff out.
New techniques have already been applied to protect billions of real-time payment transactions end-to-end without disrupting the payment ecosystems. Techniques like Format Preserving Encryption (NIST FFX mode AES) can protect data at the data level - persistently - yet still let the payment operations function as before. Routing, validation, authorization, processing, settlement, and post transaction processes can all be protected at the data level from capture to hand-off. Without needing to re-engineer the payment protocols and applications, protection can be retrofitted to existing systems very quickly.
The good news is that this can be done without all the pain and hassle of past approaches - Voltage Security innovations like stateless key management make that possible - even in the most demanding and high performance payment systems. As we speak, billions of transactions are protected already in this way by the 5 top US payment processors - in the back end processing and front end capture systems. Top banks already embrace this new data-centric approach from mainframe to mobile with dramatic benefits, even out to consumers.
So, rather than sleepless nights and lack of control, perhaps another take on how these financial system risks can be mitigated is on the cards for bank execs who've not yet taken a look at data-centric security. Attacks can't be stopped. That's a fact. But they can be made far less attractive with a data-centric security approach - and you can regain control over end to end data breach risk. That's already proven.
You can sleep well Julie!