Financial Security: Priceless

The recent security breach at MasterCard should serve as a technology wakeup call to the rest of the financial services industry about the use of third-party suppliers, according to an IT research firm.

While major financial services players often make security a priority, this is not necessarily the case with contractors that handle much of their work, according to Info-Tech Research Group (see Info-Tech: Card Breach Law Limits).

I think they need to look at their [suppliers’] infrastructure [and ask] are they using encryption at all levels and certifying employees that get access to the data,” says Carmi Levy, senior research analyst at Info-Tech.

The problems at MasterCard’s partner, CardSystems Solutions Inc., are just the latest in a string of high-profile IT security breaches. Others include headline-hitting data privacy breaks involving ChoicePoint and LexisNexis (see Don't Be a Data Privacy Dunce and CardSystems Responds to Security Incident).

One element of these woes emanates from regulatory loopholes. Much of the broader financial services sector is not subject to the same stringent security regulations, as say, the banking industry. As a result, financial services firms, particularly credit card companies, need to toughen up their act when it comes to dealing with their third-party suppliers.Levy also urges the financial services sector to examine how their suppliers handle data leakage and to find out whether there are data logs available for review. “There needs to be more rigidity in tracking and logging data so that any future holes or vulnerabilities can be identified and blocked,” he says.

But the analyst warns users not to rely on just one technology to bolster their security story. “You can’t just spend on one technology, it needs to be multi-tiered,” Levy tells NDCF. This should include the likes of encryption, perimeter-based protection such as firewalls, logging technologies, and also employee training, he adds.

Longer term, Levy advocates more coordinated legislation. At the moment, for instance, there are separate pieces of U.S. government legislation that address privacy in different sectors, such as the Gramm-Leachy-Bliley Act in finance and the Health Insurance Portability and Accountability Act (HIPAA) in healthcare. “This needs to transcend any one department, it needs to transcend any one sector,” Levy says. “I don’t think you can look at any one piece of legislation and expect that to be the panacea for the crisis that we face.”

MasterCard was unavailable for comment on this story.

— James Rogers, Site Editor, Next-Gen Data Center Forum0