USA Today: PCI rules could help stymie Target data thieves

December 23, 2013
Michael S.

By Byron Acohido

Target’s massive data breach took place just a few weeks before a set of payment card industry standards – known as PCI DSS 3.0 – was scheduled to go into effect. CyberTruth asked Nick Aceto, technology director at software vendor CardConnect, to supply some clarity.

CT: What does this latest data breach tell us about the efficacy of PCI?

Aceto: We can’t say definitely that this breach is a failure of Target’s PCI compliance, but based on what Target has said, it’s very hard to believe that they were even PCI 2.0 compliant at the time of the breach.

A reason for thinking this is that the attack, involving an enormous amount of data, went on essentially unnoticed for 18 days. How were they not watching the network?

One of the PCI DSS requirements is that you monitor your logs and firewalls every day, looking for unusual activity. This monitoring involves file integrity checks and changes to critical system files. What’s more – the chapter 6 software development life cycle requires the secure distribution and verification of payment applications.

Unusual activity isn’t always abnormal, but the point of PCI is to monitor and verify that all activity is normal, while not letting distractions – like the busy shopping days of Black Friday and Cyber Monday, on which the breach occurred – detract from the monitoring effort.

CT: The PCI standards are about to be upgraded; how might that help deter fraud, moving forward?

Aceto: One requirement under PCI DSS 3.0 is that merchants must evaluate malware threats for all platforms. It used to be that you just had to evaluate malware threats against platforms that were common malware victims.

Now, in 3.0, merchants must identify malware threats for all platforms, from tablets all the way up to their in-store swipe terminals. Had Target implemented this 3.0 step, it might have helped to better anticipate or detect the attack.

Another change in 3.0 is that a risk assessment must be performed for any significant change to the cardholder environment, which obviously includes the POS network. Somehow, additional software was introduced to Target’s network.

CT: What metric or anecdote conveys America’s heavy use of mag stripe cards—and comparatively light use of chip cards?

Aceto: In 2012 Javelin Strategy & Research found that only 10 percent of sales terminals in the U.S. had upgraded to the chip system. Also, of the more than 1 billion credit and debit cards issued in the United States, it is estimated that less than one percent of those cards have chip technology.

Those figures indicate how enormous an overhaul of our economy’s infrastructure is needed for accepting chip-and-PIN payments – the cost is estimated to be $8 billion.

The biggest push to adopting more secure cards is a mandate by Visa, MasterCard, Discover and American Express that shifts liability for fraudulent transactions to merchants if they do not support EMV.

Unfortunately, that won’t take place until October 2015, and not until October 2017 for gas stations. Even once this shift goes into effect, only 60 percent of sales terminals will have upgraded to the chip system.

EMV cards are much harder and more costly to duplicate. But chip-and-PIN cards would not have protected the card data in a breach similar to Target’s. The whole reason the breach occurred was because the vulnerability existed within Target’s POS. Had Target employed encryption upon the card swipe, the data siphoned would have been meaningless.