The Green Sheet Online Edition
January 13, 2014 • Issue 14:01:01
Does Target breach show PCI not reaching merchants?
Editor's Note: For further coverage of the Target breach, as well as other news stories, please visit the Breaking Industry News section at our home page, www.greensheet.com.
Target Brands Inc. confirmed Dec. 19, 2013, that its U.S. stores were the source of a nationwide fraud scheme perpetrated between Nov. 27 and Dec. 15, 2013. Target reported that approximately 40 million credit and debit card accounts may have been breached in the attack.
The retailer said it is working with law enforcement and has contracted with a third-party fraud examiner on the investigation into the incident.
Meanwhile, a payments industry expert told The Green Sheet that the Target breach shows that the weak points in card security lie largely with retailers, not with back-end payment providers. Therefore, the anonymous source said, the PCI Security Standards Council (PCI SSC), which promulgates the Payment Card Industry Data Security Standard (PCI DSS) and related security standards for the entire payments and merchant ecosystem, needs to focus more of its attention on the retail sector.
The PCI SSC and the card brands need to realize "that once again this is a retail breach," the source said. "This is a big-box store, just like T.J. Maxx got breached. This is not your online stores. This is not your payment gateways. This is not the usual entities that they go after when something like this happens.
"Clearly PCI and its program is not properly set up for the retail location. And what they really need to do is stop basically bullying companies like us."
The Black Friday breach
The breach was first reported by security reporter Brian Krebs on Dec. 18, 2013. On his blog, KrebsOnSecurity, Krebs wrote that the compromise involved Target's brick-and-mortar locations and not its e-commerce site.
Visa Inc. and MasterCard Worldwide issued statements to The Green Sheet highlighting that they both offer cardholders zero liability protection against fraudulent purchases. A Visa spokesman said the card brand's cardholder safeguard "is probably the most important and under-reported aspect of this story so far."
Media reports have instead focused on the fact that the compromise window included Black Friday, the biggest shopping day of the year. As details of the breach emerge, it may come to rival in size the past breaches of TJX Companies Inc. in 2007 and Heartland Payment Systems Inc. in 2009.
In the TJX breach, in which T.J. Maxx was one of the store chains compromised, fraudsters stole card numbers initially estimated at 45 million; that figure was later revised upward to approximately 100 million account numbers.
In that hack, fraudsters exploited a weakness in the encryption of the retailer's Wi-Fi network to steal data. At the time, it was considered the largest retail breach in the history of electronic payments.
"PCI, Visa and MasterCard got so paranoid [after the TJX breach] that they basically rewrote PCI compliance and what it means to be PCI compliant," the anonymous source said. "And even though T.J. Maxx was a retailer and had nothing to do with online transactions, every gateway and every entity that was processing credit cards had to now jump through 10 extra hoops of fire just to become PCI compliant."
An inside job?
Until the Target breach was exposed, 2013 had been a relatively light year for data breach discoveries. In April 2013, St. Louis-based grocery chain Schnuck Markets Inc. confirmed that approximately 2.4 million credit and debit cards used at 79 of its 100 store locations may have been compromised as a result of a breach of its POS network. The breach reportedly occurred between December 2012 and March 2013.
Another "modest" breach was reported in January 2013 when Athens, Ga.-based restaurant chain Zaxby's Franchising Inc. disclosed that 100 of its locations had been targeted with a malware attack.
But the Target breach was unique because of the volume of data taken in a short window of roughly two and a half weeks. In the Heartland breach, in which an estimated 130 million debit and credit card numbers were stolen by Trojan horse malware secretly installed on Heartland's processing network, the malware had been sitting on the processor's network for an unknown but extended period of time.
Additionally, it would take some time for fraudsters to steal millions of T.J. Maxx customers' card numbers via "sniffing" the retailer's Wi-Fi network from the parking lot, the source noted. Comparatively, the Target breach was lightning quick. The coordination and depth of the attack led the source to speculate that it was an inside job.