The Green Sheet Online Edition

November 26, 2007  •  Issue 07:11:02


Security breaches costly to all

By David Mertz

A captivating article came across my desk this week. It had to do with The TJX Companies Inc. and its security breach, which was first reported in the fourth quarter of 2006.

This news is relevant to every ISO and acquiring bank - both for what happened at TJX (the parent company of TJ Maxx and Marshalls stores) and for what happened to its acquiring bank.

About a year ago, we learned TJX had experienced a significant security breach. Initial reports placed the number of compromised payment cards at over 40 million, not to mention checking account numbers, driver's license numbers and much more.

From this article, I learned the actual number of compromised card numbers was not 40 million - it was more than 94 million. Without a doubt, this is the largest theft of payment card data and personal identity information in U.S. history.

Hacking process

Let's review what happened at TJX and then look at what may be the most intriguing part for acquirers - the actions taken by Visa Inc. against the acquiring bank. How did the security breach happen? While we do not know everything, we are learning more as leaks appear in the press.

At TJX, the culprits sat outside the store in a car with a boom antenna collecting the information being broadcast by the wireless network until they gathered enough to gain access to the store's computer systems. Wireless networks are fundamentally a number of PCs equipped with a radio receiver/transmitter grouped around a wireless access point that coordinates the transmission of data among the PCs and the Internet.

The wireless access point broadcasts the data through the air to all PCs with wireless transmitters/receivers within proximity to the broadcast point - whether or not they are authorized to receive the data.

If the broadcast is not secured through encryption of the data and authentication of the PC, anyone can intercept the communication. And, if the encryption method being used has been compromised, it is no more secure than a transmission with no encryption at all.

Furthermore, InformationWeek reported kiosks used by potential employees to submit job applications in various stores were not securely attached to TJX's network.

The thieves loaded the information on computers, allowing them complete control and access.

This is no different than opening up a malicious Web site or e-mail and having software downloaded to your computer that allows a remote user to discover what is on your hard drive and use the resources to attack other networks. This is commonly referred to as spyware or malware.

It is believed the thieves inside TJX's network went undetected for approximately 18 months. During this time, they downloaded the database - multiple times. That database held card numbers, Social Security numbers, checking account numbers and so forth.

It appears to have been a multifaceted attack targeting security vulnerabilities at TJX stores, unprotected wireless networks and unsecured store kiosks.

According to a story in The Wall Street Journal, the people behind the TJX security breach discovered a Marshalls store in St. Paul, Minn., with a wireless network secured using Wired Equivalent Privacy (WEP) - an encryption method that was cracked in 2001.

I did some additional research and discovered WEP can be cracked - even with the strongest 104-bit encryption and rotating encryption keys - in about one minute using tools that can be found on the Internet and a reasonably powerful laptop.

This raises the question: Why is WEP still allowable under the Payment Card Industry (PCI) Data Security Standard (DSS) section 1.1?

Not up to standard

As evidenced by the wireless network, TJX was not PCI compliant. Just a few of its PCI deficiencies included the following:

At the worst, PCI compliance violations would most likely cost an organization the size of TJX $2 million to $3 million. Instead of doing what was required by the PCI DSS, it ignored the standard and, as of its last 10-Q (quarterly report) filing, had incurred expenses of more than $100 million related to its security breach. And, when all costs attributable to the security breach are finally tallied, it is estimated TJX will spend between $1 billion and $4 billion in recovery. Wasn't there a commercial that stated you can pay me now or pay me later?

ISOs, beware

While all this was interesting - and disturbing - it was not the most important piece of information in the article for the acquiring community. Rather, it was the fine Visa assessed to TJX's acquiring bank.

Visa fined Ohio-based Fifth Third Bank $880,000 for not pushing TJX to be PCI compliant.

This is a warning shot fired across the bow of every acquiring bank and ISO. If you have a merchant with a significant security breach due to noncompliance, fines could be coming your way.

What compounds all this is what happened this past summer, when the card Associations began requiring acquiring ISOs and acquiring banks to complete both PCI compliance plans and training for their level 3 and level 4 merchants.

What happens to the acquirer that has a PCI compliant merchant with a security breach? What types of fines will the acquirer receive from Visa? Where is the acquirer's safe harbor from the card Associations?

How will the card Associations respond to security breaches from these merchants and/or service providers? It will be an interesting winter and spring as we wait to find out.

David Mertz is the founding partner of Compliance Security Partners LLC. He has spent the last four years working with merchants and service providers to meet PCI DSS compliance. For more information, e-mail dave@csp-mw.com.


