The very cleverly titled story on CSO Online, “Barclays Contactless Card Users Exposed to Fraud,” appears to suggest that Barclay Card’s Near Field Communication (NFC) cards are ‘vulnerable’ because the data is stored ‘unencrypted’. According to the story, ViaForensics used an NFC-enabled smartphone to read the NFC data from the card. That data was then used to make purchases through several merchants that were not performing the required fraud controls.
When asked, Barclays stated that they were “in compliance with card brand rules for contactless payments.” As Barclays put it: "This is not an issue with contactless but with the checks undertaken for 'card not present' payments by some retailers.” Both statements are accurate: the contactless interface yields what is needed to identify the card, but card-not-present checks are the merchant’s responsibility, and the merchants in the story skipped them. Is this a case of “you say tomato, I say to-mah-to?” Not really. One painful lesson that many companies have learned is that compliance and security are not synonymous.
Compliance with any standard does not mean a company’s security is appropriate or commensurate with the size and complexity of its environment or the data resident therein. In today’s environment of hyper-regulation, it is easy to get caught up in the “checkbox” mentality. But for those obligated to comply with PCI DSS, HIPAA/HITECH, state data breach notification laws, or any other standard, it is important to remember that these mandates represent a minimum standard of protection: a floor, not a ceiling.
A second point to be taken from the story is that a company that is compliant with a security standard can still have the accusatory finger pointed at it for perceived deficiencies. The main point of the article is that the data taken from the card was ‘unencrypted’. It is unfortunate, but although Barclays is in compliance with the requirements for NFC, the fact that the data was ‘unencrypted’ was enough to cause the security vendor and the journalist to point the finger at the company rather than at the paradigm within which the company must work. It is always advisable to go beyond compliance. Even without a data breach, there is a risk that your company could be accused of ‘insecure’ yet ‘compliant’ behavior.