Before I start, I have to tell you that I have deliberately obscured the names of this company to protect the sources. However, this is a live story, and absolutely true.
Let’s call the company Eckgle ltd. Eckgle make their living in call centres and other low-level outsourcing type work, and for some of their customers they process card payments in person, over the phone, and through a portal. As a part of their work they get a very full profile of the card holder, including name, address, and everything else that is needed to verify (or fake) an identity.
Eckgle engaged a Qualified Security Assessor (QSA) some years ago, and this QSA did a fine job, and validated that the environment they have is compliant with PCI DSS. This makes Eckgle a PCI DSS compliant service provider, which they can proudly proclaim in their marketing, and they are also listed on VISA’s website.
Eckgle have a problem. They are in a competitive market with low margin, and their managers (under a great deal of pressure themselves) are playing fast and loose with security and information management procedures. Staff are going sick with stress continually, others are leaving. Another stress factor is that Eckgle have recently removed their internal HR team, offshoring the basic clerical work, which has left staff grievances largely ignored.
One of the challenges staff are facing is being ordered to share passwords with each other and management on systems that process card payments – this is a big no-no and I doubt that the QSA was aware of this when he validated their compliance. Now cash is going missing (which Eckgle are reluctant to disclose to their outsourced clients) and it seems probable that card data is going missing as well, together with the full set of identity data, which is quite valuable on the black market.
All these factors, coupled with a couple of managers who use the “beating will stop when morale improves” approach to leadership, have created what can truly be called “Insider Threats”. I’ve previously called Insider Threats a class of “Advanced Persistent Threat” – I still believe this to be true as insiders can cause more damage when they go rogue than any external attacker. When morale is low, and security is deliberately lax, it’s only a matter of time before the results are very publicly reaped.
When the external fraud investigators come a-knocking, admitting that you share passwords between staff will get you that exasperated look. Worse than that, your chances of finding out who was responsible for that breach will be slim to none, and the guilty party (if challenged) will have an excellent defence that it wasn’t them. If you’re the QSA company that gave them the positive assessment, you may well find some unwelcome attention from the PCI Security Standards Council, and quite rightly so. (They don’t call it a “critical violation” for nothing).
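As an added example (not part of the original post), this is the kind of check a fraud investigator or the firm's own security team would run to show that a payment-system account is being shared: the same account holding sessions on two different workstations at the same time. The log format, account names and host names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original post):
# timestamp, account, source workstation, event
SAMPLE_LOG = """\
2024-03-04T09:00:12 payments_op1 WS-101 LOGIN
2024-03-04T09:02:40 payments_op1 WS-117 LOGIN
2024-03-04T09:05:03 payments_op2 WS-102 LOGIN
2024-03-04T09:41:55 payments_op1 WS-101 LOGOUT
2024-03-04T10:10:00 payments_op2 WS-102 LOGOUT
2024-03-04T10:12:30 payments_op1 WS-117 LOGOUT
2024-03-04T13:00:00 payments_op2 WS-130 LOGIN
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, account, host, event)."""
    events = []
    for line in text.splitlines():
        ts, account, host, event = line.split()
        events.append((datetime.fromisoformat(ts), account, host, event))
    return events

def find_shared_accounts(text, window=timedelta(hours=8)):
    """Return {account: [(host_a, host_b), ...]} for every account that has
    overlapping sessions on two different hosts. One person cannot sit at two
    workstations at once, so an overlap shows the credential is shared and the
    account can no longer be tied to a single individual."""
    sessions = defaultdict(list)   # account -> [(host, start, end)]
    open_sessions = {}             # (account, host) -> login time
    for ts, account, host, event in sorted(parse_log(text)):
        if event == "LOGIN":
            open_sessions[(account, host)] = ts
        elif event == "LOGOUT" and (account, host) in open_sessions:
            sessions[account].append((host, open_sessions.pop((account, host)), ts))
    # A login that never logged out is assumed to last `window`
    for (account, host), start in open_sessions.items():
        sessions[account].append((host, start, start + window))
    flagged = {}
    for account, sess in sessions.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                h1, s1, e1 = sess[i]
                h2, s2, e2 = sess[j]
                if h1 != h2 and s1 < e2 and s2 < e1:   # intervals overlap
                    flagged.setdefault(account, []).append(tuple(sorted((h1, h2))))
    return flagged
```

In the sample, payments_op1 is logged in on WS-101 and WS-117 at the same time and is flagged; payments_op2 moves between workstations sequentially and is not.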
And why did I call them Eckgle? Well, that’s the noise I made in the back of my throat when I heard about this, and I expect that you just did too.