history involving nine major retailers highlights the vital need to
comply with payment card security standards. Bob Russo, GM of the
PCI security standards council provided EPI with insight into the
daunting challenge of ensuring compliance. Charles Davis
which 11 perpetrators allegedly hacked nine major US retailers and
stole more than 40 million credit and debit card numbers – no one
needs reminding of the importance of the Payment Card Industry Data
Security Standard (PCIDS). What is unclear is whether the standard,
as currently constituted, is the failsafe solution in a world that
keeps generating smarter criminals.
from Estonia, Belarus, Ukraine and China – found wireless access
points to steal credit and debit card numbers date to 2003, and
involve dozens of retailers and issuers. The scheme is believed to
constitute the largest hacking and identity theft case ever
prosecuted by the US Department of Justice.
of the sophisticated conspiracy, the gang obtained the credit and
debit card numbers by wardriving (using a detection device in a
moving vehicle to search for a wi-fi signal) and hacking into the
wireless computer networks of major retailers – including TJX
Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes
& Noble, Sports Authority, Forever 21 and DSW.
‘sniffer’ programmes to capture card numbers, as well as password
and account information, as they moved through the retailers’
credit and debit processing networks.
collected the data, the conspirators concealed the data in
encrypted computer servers they controlled in Eastern Europe and
the US. They allegedly sold some of the credit and debit card
numbers, via the internet, to other criminals in the US and Eastern
encoding card numbers on the magnetic strips of blank cards. The
defendants then used these cards to withdraw tens of thousands of
dollars at a time from ATMs. The defendants were allegedly able to
conceal and launder their fraud proceeds by using anonymous
internet-based currencies both within the US and abroad, and by
channeling funds through bank accounts in Eastern Europe.
in the payments world recommitting resources – quickly – to PCIDS
compliance, after years of grumbling by retailers the standard was
too costly to implement. And PCIDS standards gurus will no doubt
unveil new adaptations to the rules, ushering in a whole new round
of compliance work.
the payments industry, then a March 2008 event that escaped the
attention of most of the world’s press should have.
Hannaford Bros, a relatively small grocer in Scarborough, Maine,
stunned the retail world when it announced that a data breach at
the checkout lanes of its stores had exposed 4.2 million credit and
debit cards to fraudulent misuse. About 1,800 cases of actual card
fraud were linked to the breach.
these days. What was truly nerve-rattling about this breach was
that it occurred despite Hannaford’s compliance with PCIDS. That’s
right: Hannaford was in compliance already, and yet a sliver of a
card processing problem – the grocer discovered that malware
installed on its store servers was able to gather credit card
numbers as the data was being transmitted from the card-swipe PIN
pad across its private network to its centralised payment switch –
cost it dearly.
from the PIN pad onward, a move in excess of the standards, which
require encryption for data in transit on public networks but not
on private ones.
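As an added illustration (not from the article, and not any vendor's code), a small Python check a defender could run over sampled traffic on the store's POS segment to flag card numbers travelling in the clear: digit runs of PAN length that also pass the Luhn check. The two frames are constructed for the example.

```python
"""Flag plaintext card numbers (PANs) seen on a private store network.

Added example: the breach described above captured card data in transit on
a private network, which the standard of the time did not require to be
encrypted. Sampling that segment for Luhn-valid, PAN-length digit runs is
one way to confirm whether card data is really encrypted from the PIN pad.
"""
import re

# A PAN is 13 to 19 digits; the lookarounds reject longer digit runs.
PAN_RE = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits so the finding is log-safe."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_pans(frame: bytes) -> list[str]:
    """Return masked PANs in a raw frame: digit runs that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(frame):
        cand = m.group().decode()
        if luhn_ok(cand):
            hits.append(mask(cand))
    return hits


# Constructed frames: a track-2-style plaintext swipe, and an encrypted blob
# whose hex happens to contain a 16-digit run that fails Luhn (no alert).
PLAINTEXT_FRAME = b"POS01|;4539578763621486=25121010000012345678?|AMT=4217"
ENCRYPTED_FRAME = b"POS01|ENC|9f3a1c77b2e4d0a55e6c1234567890123456|AMT=4217"

if __name__ == "__main__":
    for name, frame in (("plaintext", PLAINTEXT_FRAME), ("encrypted", ENCRYPTED_FRAME)):
        print(name, find_plaintext_pans(frame))
```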
data security system, VeriShield Protect, designed to prevent the
kind of data breach that Hannaford experienced. Using an encryption
process called H-TDES (hidden TDES), the system encrypts card data as
soon as the card is slid through the magnetic stripe reader. When
the data reaches its destination, such as at an acquirer bank or
the merchant’s headquarters, it is decrypted via a host security
renewed interest in the industry’s security standard, a set of best
practices in the technical security of data which has recently
undergone the latest in what Bob Russo, general manager of the
Payment Card Industry’s security standards council, described to
EPI as an “ever-evolving set of practices”.
life cycle, incorporating feedback and some 2,500 questions from
participants that have factored into the process. The release of
Standard 1.2 encapsulates many changes, including the assessment of
scope (the definition of the technology that touches the credit
card data) and is mostly clarifications of the older standard, free
from any new requirements, Russo said.
in the Wall Street Journal?” he asked. “Until today, I have not
seen a breach where the merchant was compliant. So it is
accompanied by a wave of interest in compliance each time.”
is quickly growing, and as it does, the merchant base has little
choice but to embrace PCIDS.
they accept credit cards or what technology is coming onto the
market, so what we can do in the meantime is deal with the existing
infrastructure in a way that best protects consumers and
merchants,” he added.
keep on keeping on, but compliance is the safest route.”
smaller retailers to raise awareness.
different types of retailers compliant,” he said. “A pizza guy who
only takes orders by telephone does not store any data and because
everything is outsourced has different security issues compared to
remaining compliant is an ongoing process and that data security
requires retailers to be on top of things all the time, he added.
The standards will surely evolve over time as fraudsters find new
ways to infect the process, Russo said.