
e-Path Introduces CDU Security Initiative

Security, credit card fraud prevention and the responsibilities you have in operating an e-commerce venture.

Postby e-Path » Wed Mar 17, 2010 12:41 pm

Hello e-commertalk.com.au community,

In October 2009 e-Path introduced CDU (Critical Data Unplugged).

How CDU started
e-Path was convinced of the critical and urgent need to clearly and accurately identify ourselves as a manual payment gateway that did not permanently store highly sensitive credit card and identity data in our online gateway systems after the publicity generated over recent massive security breaches involving externally audited PCI compliant credit card payment processors in the U.S. and elsewhere, one of which resulted in the largest security breach in the history of e-commerce, in which many tens of millions of credit card details were compromised.

e-Path is not a real time credit card payment gateway; we are not a credit card payment processor and we do not permanently store sensitive credit card and identity data within our online gateway systems - we do not belong in the above category.

e-Path is a new generation manual credit card payment gateway where online consumers can pay by credit card and their credit card and identity details will never be permanently stored online somewhere by the payment gateway. Instead, card details are guaranteed to only be processed by the official bank approved merchant account owner just as they would be when you or I pay by credit card in the real physical world.

Why the CDU message is now very urgent
Of all the recent cases involving the direct theft of enormous numbers of permanently stored credit card and identity details from online storage systems of credit card payment processing companies, not one would have occurred had e-Path been the payment gateway because no credit card or identity data would have existed permanently stored online in the first place.

Had cardholders been aware of there being a safer alternative to pay by credit card, it may have resulted in them choosing the safer alternative, which would have directly resulted in their credit card and identity details not being available to those hackers and cyber criminals responsible for the breaches in the first place.

As hacking technology and cyber criminals become more proficient at breaching even the highest levels of security defences, it is vital the message of CDU gets into the public arena as quickly as possible.

Where did CDU come from?
CDU is a genuine e-Path security initiative but the methodology and message behind CDU have existed from the early days of the internet.

It is about the removal of all sensitive and private information from being permanently stored online or in any internet connected system, storage device, appliance or network in order to terminate any possibility of exposure to online or electronic network risk. This is a practice that has been in place since the beginning of e-commerce and is one that is recognised as an ultimate form of digital information security in the internet connected world - if data doesn't exist it can't possibly be stolen.

If highly sensitive and confidential data, such as credit card and identity data, does not need to be stored online or on any internet connected system or network then it should not be. This advice is explicitly confirmed by countless security standards and regulatory authorities encompassing many key confidential information handling industries. This advice can also be found within the Payment Card Industry Data Security Standards itself.

Now, thanks to e-Path, this is exactly what can occur with your own highly sensitive credit card and identity data - it no longer needs to be permanently stored online.

You have probably heard about the need to ensure critically sensitive data is not unnecessarily stored where it can potentially be put at risk of being compromised. The message is, as we have said, not new. Police and other law enforcement authorities from all over the world impart this and similar advice onto the general public and business communities regularly.

It was this specific, clear and straight forward advice from Police and other law enforcement authorities that became the driving force behind the CDU security initiative.

Is CDU (Critical Data Unplugged) an official security standard?
No. As clearly mentioned on our website e-Path Payment Gateway and in our Payment Gateway Blog, CDU is not an official security standard and it is not enforceable by any authority.

e-Path firmly believes CDU and the message it delivers represents a bold ideal for a safer and more secure future for an internet connected world.

But CDU is not just about ensuring a supreme level of protection for your critically sensitive credit card and identity data, it can and should also be applied to all forms of private and confidential data. CDU practices can easily be adopted, by choice, by people and businesses courageous enough to move away from permanently storing sensitive data on internet connected systems, storage devices and networks in order to afford themselves and their customers with, arguably, by far the most effective data protection practice ever proposed.

e-Path is proud to be one such company.

e-Path hopes that CDU Compliance or similar will one day make its way into mainstream security practices or perhaps even become an official security standard in its own right at some future point, although we are the first to admit this would be unlikely anytime soon.

With the removal of all credit card and identity data from the very environment that is responsible for the overwhelming majority of all credit card and identity data theft in the world today there becomes a real possibility that the majority of credit card fraud could be terminated at the root level. A bold statement indeed but backed up by two very simple and indisputable facts:

  1. Credit card data cannot possibly be stolen if it doesn't exist.
  2. Credit card fraud cannot largely exist without stolen credit card data.

e-Path would encourage all persons and organisations to consider adopting CDU security practices by implementing security policies and procedures that actively remove all critically confidential data and information from being stored on any internet connected system, appliance or network when that data does not need to be stored in that manner in the first place.

Risk to critically sensitive and highly confidential information in the age of the internet can be terminated when that information doesn't exist.

CDU - An ultimate data security ideal in the age of the internet.

Thank you
Australia's Manual Credit Card Payment Gateway
E-PATH PTY LTD | ACN: 124032917 | ABN: 70124032917
=======================================
Website: http://e-path.com.au
Blog: http://blog.e-path.com.au
Email: control@e-path.com.au
e-Path
 
Posts: 3
Joined: Fri Mar 07, 2008 10:26 pm
Location: Australia & Global

Re: e-Path Introduces CDU Security Initiative

Postby vco » Sat Mar 20, 2010 4:29 pm

Hey e-Path,
This is both good and bad in my eyes. The good being what you are trying to achieve but what you are promoting is about as common sense as you can get.
The bad because it's grey. What defines "permanently stored"? Is it data stored longer than three seconds, three minutes, three days or three months? See what I am driving at?
Ok, so your system doesn't permanently store cc data (excellent) but cc data is still captured and hitting your systems.
I am not having a go at you but your CDU thing you have not defined. With PCI everything is defined.
Nothing wrong with the initiative but you need to think about the nitty gritty. There is more to stuff like this than just telling us all what it is all about. If you want people to see it as more than just an e-Path thing, put more work into it, create proper parameters and define it, and you could be on to a half decent message the public can relate to for a change.
Chow
Kevin
vco
 
Posts: 2
Joined: Sat Mar 20, 2010 4:08 pm

Re: e-Path Introduces CDU Security Initiative

Postby fb2010 » Sun Mar 21, 2010 1:06 pm

Mal you there? Can you repeat that advice about using a secure USB stick to run Outlook Express please.

We have implemented CDU in our small business now. Nothing private is stored on anything connected to the net anymore. But we want to do the same with our email system. Mal gave us advice but it is gone now. Is there any way to get Mal's message back or get Mal in to repeat this please. I sent Mal a PM, can you get him to read it?

Thanks for reading
fb2010
 
Posts: 2
Joined: Sun Mar 14, 2010 8:31 pm

Re: e-Path Introduces CDU Security Initiative

Postby PapaTango » Sun Mar 21, 2010 10:11 pm

fb2010 wrote:... Is there any way to get Mal's message back or get Mal in to repeat this please.

All posts in those two deleted threads have been saved. I will restore the actual post from Mal you are referring to into this thread for you. Please stand-by.

Thank you
Site Administrator
The Australian e-Commerce Discussion Website
PapaTango
Site Admin
 
Posts: 5
Joined: Thu Feb 21, 2008 2:44 pm
Location: Sydney

Re: e-Path Introduces CDU Security Initiative

Postby Mal » Sun Mar 21, 2010 10:22 pm

Hello fb2010,

fb2010 wrote:This is the only area left that doesn't make us completely CDU compliant. I want to close this gap.
Any advice would be very welcome.

There is no official security standard known as "CDU"; therefore "CDU Compliance" is a self-determining standard.

Reason I am not taking issue with this is the company promoting it discloses this fact clearly within their own material on CDU. The other reason is adopting security policies and practices that conform to what they call "CDU" standards can and does deliver what I consider to be an incredibly effective form of protection for any type of private information in any internet connected environment. As Max correctly points out, you can't steal information that doesn't exist. It seems sad that common sense has to be given a different name but if it strikes the right chord with the internet user public then all the better.

Back to answering your question. My system is a bit more complex and can not be explained properly through a message in a forum. However I hear what you are trying to achieve.

Take a look at the Iron Key product > https://www.ironkey.com/. This is what I use. Iron Key make the most secure small removable USB storage systems currently available and are U.S. Department of Defence approved. They are available in Australia through DUO International.

If you have Outlook Express you can do this:

1. Insert Iron Key - assuming you have set it up correctly and entered your password to unlock it.
2. Go to Outlook Express > Tools > Options > select the "Maintenance" tab > click on the "Store Folder" button. It will then ask you for the location you want to store all your email folders and emails. Browse to select your Iron Key.

From that moment on all your email folders and all emails sent and received will be stored directly to your Iron Key and your email client remains operating without issue from within your XP operating system. All your emails will be encrypted and nothing will be left resident on your system.

When you remove your Iron Key you remove all email data from your internet connected system - ala "CDU Compliance" if you want to call it that.

You will need to remember to insert your Iron Key each time you want to send and receive email. If Outlook Express is opened without your Iron Key inserted it will default back to the storage location on your system, which will contain nothing.

The other option is to run your email client directly from within a virtualisation layer within your Iron Key, which is what I do, but if it's only emails you want protected by not wanting them permanently stored within your system then the way I've described it is a good option, plus all data going into your Iron Key is encrypted as well.

A word of warning - when setting up your Iron Key make sure you record or remember the unlocking password. Just like in "Mission Impossible" any more than 10 failed password attempts and the thing literally self destructs internally and becomes nothing more than an expensive paper weight. I kid you not, it actually physically self destructs.

When setting it up for the first time you can choose either for it to destroy itself if more than ten failed passwords are entered or you can select for it to reset itself, in which case all encrypted data will be erased. Either way, if you misplace your Iron Key or if it gets stolen nobody will get to your emails or any other confidential data you choose to store in it, unless they either can guess your password within ten attempts or crack the encryption system - the latter of which is not technically impossible but highly unlikely.

Look into it in detail, you can even run your FTP program from inside it too.

Hope this helps.
Mal
Site Moderator
 
Posts: 23
Joined: Fri Mar 07, 2008 2:18 pm
Location: Melbourne
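Mal's setup above depends on the Outlook Express store actually living on the removable drive, and on nothing being left behind locally when the key is unplugged. The following PowerShell audit is an added example written for this thread, not code from Mal, IronKey or e-Path; it assumes Outlook Express records each identity's store path in the registry value `HKCU\Identities\{GUID}\Software\Microsoft\Outlook Express\5.0\Store Root` and flags any identity whose store is still on a fixed disk or whose local folder still holds `.dbx` mailbox files.

```powershell
# Added example (not from the thread): audit whether each Outlook Express
# identity keeps its mail store on a removable drive, as in Mal's IronKey setup.
# Assumption: OE stores the path in the registry value
#   HKCU\Identities\{GUID}\Software\Microsoft\Outlook Express\5.0\Store Root
# (REG_EXPAND_SZ). Identity GUIDs and paths are whatever this machine has.

function Get-RemovableDriveLetters {
    # Win32_LogicalDisk DriveType 2 = removable; Get-WmiObject exists on XP-era PowerShell.
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 2" |
        ForEach-Object { $_.DeviceID.TrimEnd(':').ToUpper() }
}

function Test-OeStoreUnplugged {
    $removable = @(Get-RemovableDriveLetters)
    $results = @()
    foreach ($id in Get-ChildItem 'HKCU:\Identities' -ErrorAction SilentlyContinue) {
        $key = Join-Path $id.PSPath 'Software\Microsoft\Outlook Express\5.0'
        if (-not (Test-Path $key)) { continue }
        $raw = (Get-ItemProperty -Path $key -Name 'Store Root' -ErrorAction SilentlyContinue).'Store Root'
        if (-not $raw) { continue }

        # Store Root is usually %UserProfile%-relative; expand it before inspecting the drive.
        $store  = [Environment]::ExpandEnvironmentVariables($raw)
        $letter = ([System.IO.Path]::GetPathRoot($store)).TrimEnd('\', ':').ToUpper()
        $onRemovable = $removable -contains $letter

        # Edge case from the thread: OE opened without the key falls back to a local
        # folder, so any .dbx files still on the fixed disk mean data leaked back.
        $localDbx = 0
        if (-not $onRemovable -and (Test-Path $store)) {
            $localDbx = @(Get-ChildItem $store -Filter '*.dbx' -ErrorAction SilentlyContinue).Count
        }

        $results += New-Object PSObject -Property @{
            Identity      = $id.PSChildName
            StoreRoot     = $store
            OnRemovable   = $onRemovable
            LocalDbxFiles = $localDbx
        }
    }
    $results
}

# Any row with OnRemovable = False or LocalDbxFiles > 0 is a gap in the "unplugged" setup.
Test-OeStoreUnplugged | Format-Table Identity, OnRemovable, LocalDbxFiles, StoreRoot -AutoSize
```

Run it once with the key inserted and once after removing it; the second run shows whether the client has silently recreated a local store.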

Re: e-Path Introduces CDU Security Initiative

Postby e-Path » Mon Mar 22, 2010 1:21 pm

vco wrote:Hey e-Path,
This is both good and bad in my eyes ...

Thank you vco for your constructive comments.

You raise a valid point.

In e-Path's case we have yet to see a business owner who does not want to receive their customer's credit card payment. This inbuilt factor guarantees credit card authorisations are received in a timely fashion by the business owner, which can be as short as a few minutes between payment being made and being received. Nothing remains on our system after the bank approved merchant account owner has received their customers' payment authorisation.

During this period between which payment is made and received by the gateway owner, which we term the 'transporting' stage, all card data is of course encrypted. It is encrypted during entry into our systems and not after.

I believe we are unique in that we create a completely separate and individual encryption system for each and every gateway customer. So, for example, if we had 500 gateway clients there would be 500 completely separate and independent encryption systems in operation. Each gateway client has their own unique system including their own secure URL. Nothing is shared between gateways not even payment and receipt pages, they all have their own, so payment and receipt pages can be customised to look like the source website if required.

Card data for a particular gateway customer is encrypted using only that particular gateway's unique encryption system. Only that particular gateway customer can decrypt data encrypted on their system.

Creating separate and individual encryption systems for every single individual gateway customer goes far beyond PCI requirements, where only a single encryption system is expected for all credit card data being handled. As far as we know no other payment gateway service provider creates unique encryption systems per gateway client. This is how the e-Path system was engineered and this more than answers any questions of data security in the short time it is in our possession.

But this being said you are correct to point out CDU lacks set and clearly defined parameters.

We are currently looking into the feasibility of developing the CDU concept into a set framework, one that has clear and concise parameters. An Australian PCI approved QSA has been asked to consider this task as it could be potential business for such an organisation to where they can assess businesses to determine whether they have CDU practices in place. We are not entirely motivated to go to this extreme length but it is being considered nonetheless.

The basic message to remove critically sensitive data from being permanently stored on any internet connected system, device, appliance or network is a very simple and broad one. Perhaps people will consider its simplicity refreshing. I agree it is far from perfect, but we feel the message, if even loosely followed, can only result in a tangible positive in improving confidential data security, and this is something that would be universally considered as a very good thing.

Thank you for your comments vco, your interest is much appreciated.

Best regards
Australia's Manual Credit Card Payment Gateway
E-PATH PTY LTD | ACN: 124032917 | ABN: 70124032917
=======================================
Website: http://e-path.com.au
Blog: http://blog.e-path.com.au
Email: control@e-path.com.au
e-Path
 
Posts: 3
Joined: Fri Mar 07, 2008 10:26 pm
Location: Australia & Global

Re: e-Path Introduces CDU Security Initiative

Postby vco » Tue Mar 23, 2010 12:52 am

Thanks for the expl.
Unique I'll give you that. Dedicated encrypt ea customer, nice.
I could poss take CDU further for you, PM sent, pls chk.
Chow
vco
 
Posts: 2
Joined: Sat Mar 20, 2010 4:08 pm

Re: e-Path Introduces CDU Security Initiative

Postby fb2010 » Wed Mar 24, 2010 8:58 pm

Thanks Mal for the advice again.

Just ordered two Iron Keys. They sound totally awesome. What a great way to store stuff offline safely.

Thanks again Mal
fb2010
 
Posts: 2
Joined: Sun Mar 14, 2010 8:31 pm
