Massachusetts and Nevada have joined the list of states with laws dictating the steps businesses must take to protect personal information such as Social Security numbers and financial account numbers. These state regulations are exactly the wrong kind of law to be passing, but legislators compelled to take on identity theft seem intent on writing technical solutions into legal requirements.
While Nevada Revised Statutes Title 597, Section 970 (NRS 597.970) calls for personal information to be encrypted when transferred over public networks, Massachusetts 201 CMR 17.00 Standards for The Protection of Personal Information of Residents of the Commonwealth is even more encompassing. When MA 201 CMR 17.00 goes into effect in January of 2010, all non-government entities that handle personal information must document and follow a set of security procedures that appears to have been heavily inspired by the PCI DSS.
The security industry can't agree on whether servers, networks or laptops are the most vulnerable to attack, so it is hard to imagine any government regulation dictating how to secure data being either enforceable or effective. Government should instead legislate behavior, perhaps by extending the existing frameworks for fraud, trespassing and trafficking across state and national borders. Nevertheless, IT organizations must be prepared to defend their security programs, because states will surely continue passing their own versions of data protection and disclosure laws.
Small and midsized organizations have the greatest problems complying with prescriptive "how to" regulations: investing in a complex technical infrastructure can drive the overhead cost per business transaction through the roof, and they seldom have the in-house skills needed to fulfill the requirements of the statutes. These firms will need to find ways of conducting business that either don't require storing and securing personal information at all, or that hand personal information to managed service offerings able to secure it at a reasonable level.
Merchant Warehouse Inc. and ProPay Inc. are two leading vendors that offer secure credit card handling services for merchants. These two organizations present examples of the types of alternatives that become more attractive as the liabilities of handling personal information increase. Both vendors illustrate end-to-end, swipe-through payment systems:
- Encrypt credit card data at the swipe. The merchant is never in possession of cleartext credit card information, because it is encrypted before it even enters the point-of-sale (POS) system.
- Securely pass transactions on to card processors. The business transaction remains protected from the POS application all the way through delivery to the credit card processing companies. While the merchant keeps transaction receipts, it is not in possession of personal information that must be secured.
- Provide automated credit card on file services. Merchants with subscription services, such as newspapers that bill monthly, can have the service handle the transaction and provide the merchant with business intelligence reports. Expensive investments in security products and audits are shared among all service members.
- Report all transaction information to merchants. Merchants need the intelligence of customer lists and profiles to run a competitive business.
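The first two points describe a data flow, not a product, and the flow is easier to reason about with working code in hand. The Go program below is an added illustration written for this article; it is not code from Merchant Warehouse, ProPay or the author, and the specific construction (a one-time AES-256-GCM key per swipe, wrapped with RSA-OAEP to a processor public key injected into the reader) is an assumption about how such a system could be built, not a description of either vendor's implementation. The OAEP label, the test card number and the amounts are constructed values. The point it makes is the one the list makes: everything the merchant's POS retains (the encrypted record and a receipt built from the masked number) can be checked for the full card number, and the processor, the only party with the private key, both decrypts the swipe and detects any alteration of the ciphertext or the amount in transit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// EncryptedSwipe is what the reader hands to the merchant POS: the PAN is
// already ciphertext and only a masked copy is left over for the receipt.
type EncryptedSwipe struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP wrapped to the processor
	Nonce      []byte
	Ciphertext []byte // AES-GCM over the PAN, with the amount bound in as AAD
	MaskedPAN  string
	AmountCent int64
}

var keyLabel = []byte("p2pe-session-key") // constructed OAEP label for this example

func amountAAD(c int64) []byte { return []byte(fmt.Sprintf("%d", c)) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProcessorKeys stands in for the processor's HSM; only the public half is
// ever injected into swipe terminals.
func ProcessorKeys() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// MaskPAN keeps the last four digits, which is all a receipt needs.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// SwipeAndEncrypt runs inside the reader. A fresh key protects the PAN and only
// the processor can unwrap that key, so the POS downstream never holds cleartext.
func SwipeAndEncrypt(pub *rsa.PublicKey, pan string, amountCent int64) (*EncryptedSwipe, error) {
	rnd := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	key, nonce := rnd[:32], rnd[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, keyLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedSwipe{WrappedKey: wrapped, Nonce: nonce, MaskedPAN: MaskPAN(pan),
		Ciphertext: gcm.Seal(nil, nonce, []byte(pan), amountAAD(amountCent)), AmountCent: amountCent}, nil
}

// MerchantReceipt is the merchant-side record, built only from fields the POS may retain.
func MerchantReceipt(es *EncryptedSwipe) string {
	return fmt.Sprintf("card %s amount %d.%02d", es.MaskedPAN, es.AmountCent/100, es.AmountCent%100)
}

// MerchantHoldsCleartext is the audit check a merchant can run over everything
// the POS retains: does any of it contain the full PAN?
func MerchantHoldsCleartext(es *EncryptedSwipe, receipt, pan string) bool {
	return strings.Contains(receipt, pan) || strings.Contains(es.MaskedPAN, pan) ||
		bytes.Contains(es.Ciphertext, []byte(pan)) || bytes.Contains(es.WrappedKey, []byte(pan))
}

// ProcessorDecrypt runs at the card processor: unwrap the key, then open the
// ciphertext against the amount the merchant submitted. A changed amount or a
// modified ciphertext fails authentication instead of decrypting to garbage.
func ProcessorDecrypt(priv *rsa.PrivateKey, es *EncryptedSwipe) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, es.WrappedKey, keyLabel)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pan, err := gcm.Open(nil, es.Nonce, es.Ciphertext, amountAAD(es.AmountCent))
	if err != nil {
		return "", fmt.Errorf("swipe rejected: %w", err)
	}
	return string(pan), nil
}
```

Binding the amount into the GCM associated data is the design choice worth noticing: the merchant can read and forward the amount, but cannot change it without the processor rejecting the swipe, which is what keeps the transaction, and not just the card number, secure between the POS and the processor.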
Other vendors compete with Merchant Warehouse and ProPay, and organizations should investigate them as well. Larger organizations can mimic this approach by mapping where personal information is used within the business and finding ways to shrink the risk of its exposure. Encryption and PCI are not magic elixirs for preventing theft of personal information. Technology can help reduce risk, but businesses will also innovate with cost-effective alternatives.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.