The largest identity theft incident in US
history involving nine major retailers highlights the vital need to
comply with payment card security standards. Bob Russo, GM of the
PCI security standards council, provided EPI with insight into the
daunting challenge of ensuring compliance. Charles Davis
reports.
In the wake of the spectacular fraud bust – in
which 11 perpetrators allegedly hacked nine major US retailers and
stole more than 40 million credit and debit card numbers – no one
needs reminding of the importance of the Payment Card Industry Data
Security Standard (PCI DSS). What is unclear is whether the standard,
as currently constituted, is the failsafe solution in a world that
keeps generating smarter criminals.
The incidents in which the defendants – hailing
from Estonia, Belarus, Ukraine and China – found wireless access
points to steal credit and debit card numbers date to 2003, and
involve dozens of retailers and issuers. The scheme is believed to
constitute the largest hacking and identity theft case ever
prosecuted by the US Department of Justice.
The indictment alleges that during the course
of the sophisticated conspiracy, the gang obtained the credit and
debit card numbers by wardriving (using a detection device in a
moving vehicle to search for a wi-fi signal) and hacking into the
wireless computer networks of major retailers – including TJX
Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes
& Noble, Sports Authority, Forever 21 and DSW.
Once inside the networks, they installed
‘sniffer’ programmes to capture card numbers, as well as password
and account information, as they moved through the retailers’
credit and debit processing networks.
The indictment alleges that after they
collected the data, the conspirators concealed the data in
encrypted computer servers they controlled in Eastern Europe and
the US. They allegedly sold some of the credit and debit card
numbers, via the internet, to other criminals in the US and Eastern
Europe.
The stolen numbers were ‘cashed out’ by
encoding card numbers on the magnetic stripes of blank cards. The
defendants then used these cards to withdraw tens of thousands of
dollars at a time from ATMs. The defendants were allegedly able to
conceal and launder their fraud proceeds by using anonymous
internet-based currencies both within the US and abroad, and by
channeling funds through bank accounts in Eastern Europe.
The level of sophistication on display has many
in the payments world recommitting resources – quickly – to PCI DSS
compliance, after years of grumbling by retailers that the standard was
too costly to implement. And PCI DSS standards gurus will no doubt
unveil new adaptations to the rules, ushering in a whole new round
of compliance work.
If the TJX case didn’t capture the attention of
the payments industry, then a March 2008 event that escaped the
attention of most of the world’s press should have.

Stunning breach

Hannaford Bros, a relatively small grocer in Scarborough, Maine,
stunned the retail world when it announced that a data breach at
the checkout lanes of its stores had exposed 4.2 million credit and
debit cards to fraudulent misuse. About 1,800 cases of actual card
fraud were linked to the breach.

There is nothing shocking about a data breach
these days. What was truly nerve-rattling about this breach was
that it occurred despite Hannaford’s compliance with PCI DSS. That’s
right: Hannaford was in compliance already, and yet a sliver of a
card processing problem – the grocer discovered that malware
installed on its store servers was able to gather credit card
numbers as the data was being transmitted from the card-swipe PIN
pad across its private network to its centralised payment switch –
cost it dearly.
Now Hannaford’s customer card data is encrypted
from the PIN pad onward, a move in excess of the standards, which
require encryption for data in transit on public networks but not
on private ones.
VeriFone, in concert with Semtek, introduced a
data security system, VeriShield Protect, designed to prevent the
kind of data breach that Hannaford experienced. Using an encryption
process called H (hidden)-TDES, the system encrypts card data as
soon as the card is slid through the magnetic stripe reader. When
the data reaches its destination, such as at an acquirer bank or
the merchant’s headquarters, it is decrypted via a host security
module.
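As an added illustration of the Hannaford scenario and the encrypt-at-the-swipe design described above (example code, not from the article, VeriFone or Hannaford): a PAN scan of the kind an assessor runs over captured network data, applied to the PIN-pad-to-payment-switch message with and without encryption inside the PIN pad. The cipher is a stand-in built from the Python standard library (HMAC-SHA256 keystream plus an HMAC tag), not H-TDES, and the track data and key are constructed.

```python
import hashlib
import hmac
import os
import re

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # PAN lengths seen on cards

def find_pans(captured: bytes) -> list:
    """What an assessor's scan of captured network data would flag as a PAN."""
    return [m.decode() for m in PAN_RE.findall(captured) if luhn_ok(m.decode())]

def _keys(key: bytes):
    # separate keystream and MAC keys derived from the pad's master key
    return tuple(hmac.new(key, tag, hashlib.sha256).digest() for tag in (b"enc", b"mac"))

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def pinpad_encrypt(key: bytes, track: bytes) -> bytes:
    """Runs inside the PIN pad: encrypt-then-MAC as soon as the card is swiped."""
    enc_key, mac_key = _keys(key)
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(track, _keystream(enc_key, nonce, len(track))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def host_decrypt(key: bytes, msg: bytes) -> bytes:
    """Runs at the acquirer or HQ host (an HSM in practice); rejects tampering."""
    enc_key, mac_key = _keys(key)
    nonce, body, tag = msg[:12], msg[12:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("message failed authentication")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))

# Constructed track-2-style record using the Luhn-valid 4111... test number, not a real card.
TRACK2 = b";4111111111111111=2512101?"
PAD_KEY = os.urandom(32)  # injected into the pad at deployment; never held on a store server

def observed_on_store_lan(encrypt_at_pinpad: bool) -> list:
    """PANs recoverable from the message as it crosses the store's private network."""
    wire = pinpad_encrypt(PAD_KEY, TRACK2) if encrypt_at_pinpad else TRACK2
    return find_pans(wire)
```

Without encryption at the pad the scan recovers the PAN from the private-network message; with it, the same scan finds nothing, and a message altered in transit is rejected by the host.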
The huge attention paid to these breaches has
renewed interest in the industry’s security standard, a set of best
practices for the technical security of card data, which has recently
undergone the latest revision in what Bob Russo, general manager of the
Payment Card Industry’s security standards council, described to
EPI as an “ever-evolving set of practices”.
The security council is tracking to a two-year
life cycle, and feedback and some 2,500 questions from participants
have factored into the process. The release of version 1.2 of the
standard encapsulates many changes, including the assessment of
scope (the definition of the technology that touches the credit
card data), but it consists mostly of clarifications of the older
standard, free from any new requirements, Russo said.
“Who wants to be the next person you read about
in the Wall Street Journal?” he asked. “Until today, I have not
seen a breach where the merchant was compliant. So it is
accompanied by a wave of interest in compliance each time.”
Russo said that consumer interest in security
is quickly growing, and as it does, the merchant base has little
choice but to embrace PCI DSS.
“I can’t control what the brands do and how
they accept credit cards or what technology is coming onto the
market, so what we can do in the meantime is deal with the existing
infrastructure in a way that best protects consumers and
merchants,” he added.
“It is a moving target, and the bad guys just
keep on keeping on, but compliance is the safest route.”
Russo said the council is reaching out to
smaller retailers to raise awareness.
“You can imagine how hard it is getting so many
different types of retailers compliant,” he said. “A pizza guy who
only takes orders by telephone does not store any data and because
everything is outsourced has different security issues compared to
other retailers.”
Ultimately, retailers must understand that
remaining compliant is an ongoing process and that data security
requires retailers to be on top of things all the time, he added.
The standards will surely evolve over time as fraudsters find new
ways to infect the process, Russo said.
