The Green Sheet Online Edition
November 26, 2007 • Issue 07:11:02
Security breaches costly to all
A captivating article came across my desk this week. It had to do with The TJX Companies Inc. and its security breach, which was first reported in the fourth quarter of 2006.
This news is relevant to every ISO and acquiring bank - both for what has happened at TJX (the parent company of TJ Maxx and Marshalls stores) as well as its acquiring bank.
About a year ago, we learned TJX had experienced a significant security breach. Initial reports placed the number of compromised payment cards at over 40 million, not to mention checking account numbers, driver's license numbers and much more.
From this article, I learned the actual number of compromised card numbers was not 40 million - it was more than 94 million. Without a doubt, this is the largest theft of payment card data and personal identity information in U.S. history.
Let's review what happened at TJX and then look at what may be the most intriguing part for acquirers - the actions taken by Visa Inc. against the acquiring bank. How did the security breach happen? While we do not know everything, we are learning more as leaks appear in the press.
At TJX, the culprits sat outside the store in a car with a boom antenna collecting the information being broadcast by the wireless network until they gathered enough to gain access to the store's computer systems. Wireless networks are fundamentally a number of PCs equipped with a radio receiver/transmitter grouped around a wireless access point that coordinates the transmission of data among the PCS and the Internet.
The wireless access point broadcasts the data through the air to all PCs with wireless transmitters/receivers within proximity to the broadcast point - whether or not they are authorized to receive the data.
If the broadcast is not secured through encryption of the data and authentication of the PC, anyone can intercept the communication. And, if the encryption method being used has been compromised, it is no more secure than a transmission with no encryption at all.
Furthermore, InformationWeek reported kiosks used by potential employees to submit job applications in various stores were not securely attached to TJX's network.
The thieves loaded the information on computers, allowing them complete control and access.
This is no different than opening up a malicious Web site or e-mail and having software downloaded to your computer that allows a remote user to discover what is on your hard drive and use the resources to attack other networks. This is commonly referred to as spyware or malware.
It is believed the thieves inside TJX's network were undetected for approximately 18 months. During this time, they downloaded the database - multiple times. It stored the card numbers, social security numbers, checking account numbers and so forth.
It appears to have been a multifaceted attack targeting security vulnerabilities at TJX stores, unprotected wireless networks and unsecured store kiosks.
According to a story in The Wall Street Journal, the people behind the TJX security breach discovered a Marshalls' store in St. Paul, Minn., with a wireless network secured using Wired Equivalent Privacy (WEP) - an encryption method that was cracked in 2001.
I did some additional research and discovered WEP can be cracked - even with the strongest 104 bit encryption and rotating encryption keys - in about one minute using tools that can be found on the Internet and a reasonably powerful laptop.
This begs the question: Why is WEP still allowable under the Payment Card Industry (PCI) Data Security Standard (DSS) section 1.1?
Not up to standard
As evidenced by the wireless network, TJX was not PCI compliant. Just a few of its PCI deficiencies included the following:
- Unsecured wireless networks
- Unencrypted card numbers in the database
- TJX stored track data
- Insecure networks
- Failure to annually review encryption methods deployed for security concerns and make necessary adjustments
- Failure to lock down publicly accessible computers
At the worst, PCI compliance violations would most likely cost an organization the size of TJX $2 million to $3 million. Instead of doing what was required by the PCI DSS, it ignored the standard and incurred expenses as of its last 10-Q form (used for quarterly reports) filing of more $100 million related to its security breach.
And, when all costs attributable to the security breach are finally tallied, it is estimated TJX will spend between $1 billion to $4 billion in recovery. Wasn't there a commercial that stated you can pay me now or pay me later?
While all this was interesting - and disturbing - it was not the most important piece of information in the article for the acquiring community. Rather, it was the fine Visa assessed to TJX's acquiring bank.
Visa fined Ohio-based Fifth Third bank $880,000 for not pushing TJX to be PCI compliant.
This is a warning shot fired across the bow of every acquiring bank and ISO. If you have a merchant with a significant security breach due to noncompliance, fines could be coming your way.
What compounds all this is what happened this past summer with the card Associations wanting acquiring ISOs and acquiring banks to complete both plans for PCI compliance and training for their level 3 and level 4 merchants.
What happens to the acquirer that has a PCI compliant merchant with a security breach? What types of fines will the acquirer receive from Visa? Where is the acquirer's safe harbor from the card Associations?
How will the card Associations respond to security breaches from these merchants and/or service providers? It will be an interesting winter and spring as we wait to find out.
David Mertz is the founding partner of Compliance Security Partners LLC. He has spent the last four years working with merchants and service providers to meet PCI DSS compliance. For more information, e-mail firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.