Friday, December 20, 2013
Meanwhile, a payments industry expert told The Green Sheet that the Target breach shows once again that security weaknesses are largely a problem of retailers, not back-end payment providers. Therefore, the anonymous source said the PCI Security Standards Council (PCI SSC), which promulgates the Payment Card Industry Data Security Standard (PCI DSS) and related security standards for the entire payments and merchant ecosystem, needs to focus more on where the security vulnerabilities exist − in the retail sector.
The PCI SSC and the card brands need to realize "that once again this is a retail breach," the source said. "This is a big-box store, just like T.J. Maxx got breached. This is not your online stores. This is not your payment gateways. This is not the usual entities that they go after when something like this happens.
"Clearly PCI and its program is not properly set up for the retail location. And what they really need to do is stop basically bullying companies like us. And they need to look at the other side of credit card processing, the retail side. And they really need to get on the ball with that instead of punishing companies like us."
The breach was first reported by security reporter Brian Krebs on Dec. 18, 2013. On his blog, KrebsonSecurity, Krebs wrote that the fraud involved brick-and-mortar locations and not Target's e-commerce site. Visa Inc. and MasterCard Worldwide issued statements to The Green Sheet highlighting that they both offer their cardholders zero liability protection against fraudulent purchases. A Visa spokesman said the card brand's cardholder safeguard "is probably the most important and under-reported aspect of this story so far."
Indeed, media reports have focused on the fact that the fraud involved Black Friday − the day after Thanksgiving and the biggest shopping day of the year. As details of the breach emerge, it may come to rival the sizes of past breaches to TJX Companies Inc. in 2007 and Heartland Payment Systems Inc. in 2009.
The TJX breach, where T.J. Maxx was one of the store chains involved in the compromise, fraudsters stole what was initially estimated at 45 million card numbers, but that figure was later more than doubled and thus approached 100 million bankcard account numbers. In that hack, the fraudsters exploited a weakness in the retailer's Wi-Fi network to steal the data. In the wake of that breach, considered the largest retail breach in the history of electronic payments, the PCI SSC and the brands panicked, according to the source.
"PCI, Visa and MasterCard got so paranoid that they basically rewrote PCI compliance and what it means to be PCI complaint," the source said. "And even through T.J. Maxx was a retailer and had nothing to do with online transactions, every gateway and every entity that was processing credit cards had to now jump through 10 extra hoops of fire just to become PCI compliant."
But now that another retailer has been the focus of a major breach, data security is "back to square one," the source added.
Until the Target breach was exposed, 2013 has been relatively light when it comes to data breach discoveries. In April 2013, St. Louis-based grocery chain Schnuck Markets Inc. confirmed that approximately 2.4 million credit and debit cards used at 79 of its 100 store locations may have been compromised as a result of a breach of its POS network. The breach reportedly occurred between December 2012 and March 2013.
Another "modest" breach was reported in January 2013 when Athens, Ga.-based restaurant chain Zaxby's Franchising Inc. disclosed that 100 of its locations had been targeted with a malware attack.
But the Target breach was unique because of the scope of the operation in a short, two-and-a-half-week period. In the Heartland breach, in which at least 130 million debit and credit card numbers were stolen by Trojan horse malware secretly installed on Heartland's processing network, the virus had been sitting on the processor's network for an unknown but obviously extended amount of time, the source said.
Additionally, it would take some time for fraudsters to steal millions of card numbers of T.J. Maxx customers by fraudsters "sniffing" the retailer's Wi-Fi network from the parking lot, the source noted. Compared to both major breaches, the Target breach was lightning quick. The coordination and depth of the attack led the source to speculate that the breach was an inside job.
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.