Consumer Security

TECH BLOG

Breaches Make a Mockery of PCI Security Standards

The restaurant-slash-arcade-slash-bar Dave & Buster’s is the latest U.S. outlet to suffer a breach of its credit card processing system.

Hackers based in Ukraine and Estonia — assisted by a guy in Miami — installed packet sniffer malware at the point of sale systems in several D&B outlets, which siphoned off “Track 2” data as the information was being transmitted over the company’s network from the point of sale server to a data processor’s server, the U.S. Department of Justice said.

Track 2 on a card’s magnetic stripe contains the credit card number and expiration date, but no personally identifiable information.

At one restaurant, the packet sniffer captured 5,000 credit and debit card numbers, which were used to make US$600,000 in fraudulent purchases.

Relatively Small Breach

The scale of the breach is relatively small, at least at this point in the investigation. The Justice Department says the packet sniffer was installed at 11 locations, so a little simple math would tell us that 55,000 cards were compromised for a total fraud of about $6.6 million, assuming the one store for which the government provided figures is a good indication.

The grocery chain Hannaford ultimately determined that malware was to blame for its data breach, which came to light a few months ago. In that case, 4.2 million credit card numbers were compromised.

In the largest breach to date, TJX — the parent of Marshall’s and T.J. Maxx — had to pay nearly $45 million to MasterCard and Visa to reimburse those companies for the costs of the breach, which resulted in the exposure of 45.7 million customers’ card numbers.

Look for an Increase

Of course, in both the Hannaford and TJX cases, the initial estimates of the number of accounts compromised were tiny in comparison to the final figures, so stay tuned and watch the numbers go up in this case.

All three of these companies — Dave & Buster’s, Hannaford and TJX — are large corporations with big IT departments and their own armies of lawyers. All are subject to the Payment Card Industry Data Security Standard, a dozen requirements that mandate a level of security in processing credit card payments.

The standard is administered by a consortium of credit card issuers, including MasterCard, Visa and American Express. Outlets that are found to be out of compliance can lose their ability to process credit and debit payments, or they can be fined.

Hannaford, for one, stated specifically that it had been in compliance with PCI standards at the time its breach happened.

New Standard Needed

PCI is a fairly basic set of rules that anyone who’s going to be handling other people’s credit card data should follow — whether or not there’s a standard in place. Its provisions include maintaining a firewall and unique user names for everyone who accesses the system, for example.

Perhaps it’s time for a PCI upgrade. Criminals are getting smarter and craftier, and the people who try to prevent criminals from committing crimes need to be just as agile.

The PCI standards are getting a bit stale, Jim Dempsey, vice president for public policy for the Washington-based Center for Democracy and Technology, told the E-Commerce Times in March.

“[The Hannaford case] certainly illustrates that, and I can’t blame the credit card industry,” Dempsey commented. “I think they did the right thing. They developed a set of standards that seemed appropriate at the time and did serve undeniably to raise the bar. Now, though, as part of the normal security cycle — and you need to think of it as a cycle — the credit card companies, the issuing banks and the merchants need to reassess [and] basically issue a revised and strengthened standard.”

It sure beats paying for credit monitoring for millions of your customers.

2 Comments

  • Jason, from what I have seen it is a long time coming, most organizations, enterprises will not even make this years cut-off date.

    The flip side is, being PCI compliant does not at all mean you are secure. If we build our security based on the current standard (ISO27001/ISO27002), which itself is "always" updated,then we are all that much better off.

    Simply stating "we were compliant" at the time of the compromise is similiar to "we are 100 percent secure against any/all vulnerabilities" Neither statement is ever true in todays rapid changing technology.

  • The PCI is not a "fairly basic set of rules" it’s a relatively strict standard if followed properly. But, the problem lies in how the standard is applied and AUDITED. Auditors can only test what they are told about. If these data breaches were more closely examined I think you would find that either the auditor is not being told everything, or, as soon as they leave all attempts to comply with PCI go out the window under operational pressures. Since IT is often not seen as a "revenue producer" by the business side (which of course makes no sense) many IT managers have to fight to get resources they need to continue meeting the standard on a day to day basis. If the standard is made tougher, that’s only going to force more companies into a position of rolling the dice by covering up problems, even more so than they are right now.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

E-Commerce Times Channels