The truth behind the Wonga breach

by Ben Oguntala, PCI Technical Design Authority

I design PCI compliance solutions for clients specifically to prevent them from getting into the situation that Wonga has got itself into. Here is my analysis and opinion on why clients need to look beyond the box-ticking exercise of PCI compliance. There is no such thing as 99% in PCI compliance: you are either 100% or 0%, nothing in between. Any money you spend on PCI compliance without reducing the likelihood of a breach occurring is equivalent to doing this.

ALL payday loan applications are vulnerable, primarily because they are all based on the same architecture, in some cases sourced from the same application development companies, and they are the ones that take the card payment from end users. Wonga's PCI problems emerge from the fact that it masks PAN data, displaying only the last 4 digits. I intend for this article to explain why this is a bad idea that none of the current PCI compliance checks would have picked up, and why my technical design solution would have spotted this a mile off and fixed it: not that it would have prevented data loss altogether, but the breach would not have become an ICO and PCI Council problem.


Masking is a problem because the system that displays the masked PAN usually also holds the full PAN, meaning that an attacker who compromises the system where the data is held can retrieve the rest of the PAN. The old compliance requirements are out of date and need a radical update, and the issue faced by Wonga is symptomatic of the problem with the PCI compliance industry. The industry is focused on making money, not on fixing the PCI compliance problem. I have often been accused of implementing draconian measures over and above what the PCI compliance requirements state, and that is for the following reason. I firmly believe any firm can still be breached or hacked even if it complies with every rule in the PCI DSS 3.2 requirements, ISO 27001, ICO data security standards and FCA data security standards. Which begs the question: are they still fit for purpose? In my PCI compliance designs, I insist on restructuring the payment channel architecture first and foremost, making sure each payment channel complies with my minimum requirements.


Please note that my document is not designed to lay the blame on any of the parties mentioned in this document, or to claim that they were to blame or indeed that they did anything wrong. I am suggesting the entire landscape is not fit for purpose anymore. Here are my golden rules for reducing the likelihood of a breach occurring, and I have zero tolerance for non-compliance:

1. Outsource 100%
2. Allow 0% card digital footprint on the network
3. Any entry of card data must be entered directly into the site of an approved provider
4. In cardholder-present payment, only GPRS and P2PE is allowed
5. In online payment, only tokenization is allowed, with 100% redirection to a 3rd party
6. In telephone payment, only DTMF is allowed
7. At no point should a merchant have any reason to hold the customer PAN data, because the merchant has no business need or justification for it. Only banks should have that data, as they can query it.

The report says the information stolen includes names, addresses, phone numbers, bank account numbers and sort codes. It went on further to say that the last 4 digits of the PAN were also stolen. In my designs, this architecture would have been fixed at the first instance, because clearly Wonga is holding on to the customer PAN data in order to take payments from their cards, but this problem could easily have been avoided by utilising an embedded form. I often use platforms like Realex, and I will explain why this could have made all the difference to Wonga.
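The two designs side by side, as an added example that is not part of the article: a merchant that keeps the full PAN and masks it only on display, against a merchant whose customers enter the card on a provider's embedded form so that the merchant's own database holds nothing but a token and the last four digits. A PAN-discovery scan (13 to 19 digit runs that pass the Luhn check) over each record shows what a dump of the merchant's database would expose. `HostedProvider` and the `tok_` format are hypothetical stand-ins, not Realex's API; the card number is a standard test number.

```python
import re

# Candidate PANs: 13-19 digit runs not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to tell PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """PAN discovery scan: 13-19 digit runs that pass the Luhn check."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_ok(m)]

def mask(pan: str) -> str:
    """Display-time masking: everything but the last four digits hidden."""
    return "*" * (len(pan) - 4) + pan[-4:]

def merchant_record_masked(pan: str) -> dict:
    """Design A: the merchant keeps the full PAN and only masks it on display."""
    return {"pan": pan, "display": mask(pan)}

class HostedProvider:
    """Hypothetical stand-in for a payment provider's vault behind an embedded form."""

    def __init__(self):
        self._vault = {}

    def capture(self, pan: str) -> dict:
        """The cardholder's browser posts the PAN here, never to the merchant;
        the merchant is handed back only a token and the last four digits."""
        token = "tok_%06d" % (len(self._vault) + 1)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}

def merchant_record_tokenized(provider: HostedProvider, pan: str) -> dict:
    """Design B: what the merchant's database holds after a hosted-form payment."""
    return provider.capture(pan)

def exposure_if_dumped(record: dict) -> list:
    """PANs a scanner would recover from this record if the merchant's DB leaked."""
    return find_pans(repr(record))
```

Running `exposure_if_dumped` over a Design A record returns the full PAN; over a Design B record it returns nothing, because the last four digits alone never pass the candidate regex.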

This form is different because the data is not entered on the merchant's systems but onto a secure service provider's page. That means that if the merchant, like Wonga, is hacked, the hackers may be able to get customer data but would not be able to get card data, because it is stored on a completely different system.

What is wrong with the existing system of compliance, and why did it not pick up Wonga's problem?

http://www.newnettechnologies.com/whitepaper/Wonga_Case_Study.pdf

The report states:

Wonga uses NNT Change Tracker and NNT Log Tracker across the entire heterogeneous IT estate of 750 devices covering Windows and UNIX servers, Cisco and Dell network devices and checkpoint firewalls

The solution provides Wonga with prebuilt hardening standards for all network devices and platforms, change management and change detection to ensure an ongoing hardened and secure state, as well as intelligent log analysis and auditor ready reports

Real-time change detection alerts to suspicious activity that presents a genuine security concern to Wonga

NNT’s integrated SIEM, CCM and FIM solution brings PCI DSS under the umbrella of Wonga’s IT security strategy, providing a secure, stable and PCI compliant IT infrastructure


I have no issue with NNT. However, from a merchant's point of view, Wonga would have paid a lot of money for the service to become PCI compliant and would have expected that this PCI compliance would have been sufficient, but clearly that was not the case, and now they are faced with a PR nightmare. Wonga would rightly have relied on these assurances to claim they are PCI compliant. The question is therefore: in how many ways do Wonga's clients present card data to Wonga? Contrary to what has been reported, there is another route, and that is prospective clients. As the application form suggests, prospective clients enter their card data as part of any application, and whether they are successful or not, the card data would then have been registered in the same system that has just been hacked. Unless unsuccessful applications are deleted under a data retention policy, these clients would also have been captured by the breach.

As you can see from the above, potential clients, rejected clients and incomplete applications also feed data into the same application. In conclusion, PCI compliance should not be this complicated. If the architecture is wrong, the estate will crumble, and it is about time merchants woke up, stopped wasting their money and went for reducing the likelihood of a breach occurring, rather than a simple PCI compliance check-box exercise.


Ben Omoakin Oguntala, LL.B Hons, LL.M Banking and Finance Laws
PCI Compliance Programme Manager & Technical Design Authority
Ben.oguntala@dataprotectionofficer.com
+44 7812 039 867

