When the retail systems of US convenience store chain Target were successfully attacked and the details of as many as 110 million customers stolen – including financial details – there was one thing the company’s CIO, Beth Jacob, could fall back on: at least the company was 100 per cent compliant with the Payment Card Industry Data Security Standard (PCI DSS)…
PCI DSS is supposed to be the gold standard for payments security: in essence it requires that debit and credit card numbers are encrypted when they are stored and when they are transmitted, and lays down multiple other onerous rules, together with regular audits.
However, despite all this, in point-of-sale systems that card data is held unencrypted in memory at the moment it is being used, for example while a purchase is being processed. And on top of that, most point-of-sale systems today run plain-vanilla Windows – typically Windows XP – an environment with which malware makers are intimately familiar.
Despite such glaring gaps in what it covers, compliance with PCI DSS remains onerous and expensive and, as the Target breach proved, offers no guarantee of sufficient data security where it counts. It has, therefore, drawn much criticism throughout the 10 years since version 1.0 was launched.
Dave Birch, co-founder of Consult Hyperion and a payment industry expert, argues that the expense of implementing and maintaining PCI DSS in the UK alone is so high it may well outweigh the cost of credit card fraud.
“The cost of PCI DSS compliance has turned out to be a cure that’s worse than the disease,” said Birch. “It’s not transparently obvious to me that it makes sense to continue it indefinitely far into the future. I think PCI needs as much of a rethink as the payments security itself does,” he said.
He argues that the payments industry ought to make it harder to use stolen data and that there are other, cheaper, more practical methods that banks ought to consider in order to cut the risk of fraud.
“I don’t want my debit card to work in magnetic stripe ATMs or for cardholder-not-present use and, if it was blocked for these transactions, then it wouldn’t matter if criminal gangs got hold of the card number and expiry date,” says Birch.
He continues: “Please Barclays, I couldn’t care less about the picture on my card, but I don’t want a [magnetic] stripe, I don’t want embossing, I don’t want my PAN [primary account number] printed on the card, I don’t want a signature strip and I don’t want my name, sort code and bank account number shown on the front of the card.
“And why can’t my credit card issuer just drop me a text when my cards are used outside of the UK? Or, for that matter, outside of England? Or, for that matter, at a merchant that I haven’t been to in the last year?” asks Birch.
In recent years, a number of retailers have been subject to attacks. In the US, these include Target, of course, but also Barnes & Noble, Neiman Marcus, White Lodging, Harbor Freight Tools, Easton-Bell Sports, and Michaels Stores – twice in three years, according to reports – and there may well be more that have either gone unnoticed or unreported.
These are only the tip of the iceberg: it is only because of laws in almost all US states requiring organisations to publicly disclose information security lapses that the attacks on US retailers are well known. Outside of the US it is anyone’s guess how many retailers’ point-of-sale systems have been compromised – and how many credit and debit card numbers have been stolen.
In the case of Target, the attackers first gained access to the company’s network using credentials stolen from a third-party supplier, which ultimately gave them access to as many as 110 million credit and debit card details.
They then used the BlackPOS toolkit to capture payment card data as it was recorded on the point-of-sale system. The stolen data was transferred by simple, unencrypted FTP to a server in Russia, routed through an internal server already handling high volumes of network traffic so that the extra transfers would not stand out.
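The exfiltration route described above has two properties a defender can check for: an internal server opening plaintext FTP sessions to an external host that is not on any approved list, and a payload carrying card numbers in the clear. The script below is an added example, not code from the article or from any of the retailers or vendors it names. It runs a destination allowlist over a small set of constructed flow records (hostnames, addresses and byte counts are all invented for the example) and then confirms that the recovered plaintext actually contains primary account numbers by applying the Luhn check, which filters out ordinary digit runs such as order numbers. Because the article notes the staging server was already busy, the check deliberately does not rely on transfer volume.

```python
"""
Added example: flag unencrypted FTP sessions from internal hosts to unapproved
external destinations, then check whether the transferred plaintext holds card
numbers (PANs) that pass the Luhn check. All sample data is constructed.
"""
import ipaddress
import re
from typing import Dict, List

# RFC 1918 ranges treated as "inside the retailer's network" for this example.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allowlist: the one external host the business legitimately sends files to.
APPROVED_FTP_DESTINATIONS = {"198.51.100.7"}

FTP_PORTS = {20, 21}

# Constructed flow records, in the shape a firewall or NetFlow export is normalised to.
SAMPLE_FLOWS = [
    {"src_host": "pos-reg-014", "src_ip": "10.20.1.14", "dst_ip": "10.20.0.5",
     "dst_port": 443, "bytes": 9_800},
    {"src_host": "fileshare-02", "src_ip": "10.20.0.9", "dst_ip": "198.51.100.7",
     "dst_port": 21, "bytes": 2_400_000},          # approved partner upload
    {"src_host": "fileshare-02", "src_ip": "10.20.0.9", "dst_ip": "203.0.113.45",
     "dst_port": 21, "bytes": 11_000_000},         # unapproved external FTP
    {"src_host": "pos-reg-014", "src_ip": "10.20.1.14", "dst_ip": "10.20.0.9",
     "dst_port": 445, "bytes": 1_200_000},
]

# Constructed plaintext recovered from the flagged session: one valid PAN, one digit
# string that fails Luhn, and an order reference that is not a card number at all.
SAMPLE_PAYLOAD = (
    "txn=000173 pan=4111111111111111 amt=42.10\n"
    "txn=000174 pan=4111111111111112 amt=9.99\n"
    "order=20140115093000\n"
)

# 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(number: str) -> bool:
    """Standard Luhn mod-10 check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit runs in `text` that look like PANs and pass Luhn."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def mask(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def suspicious_ftp_flows(flows: List[Dict]) -> List[Dict]:
    """FTP sessions leaving the internal network for a destination not on the allowlist."""
    return [f for f in flows
            if f["dst_port"] in FTP_PORTS
            and not is_internal(f["dst_ip"])
            and f["dst_ip"] not in APPROVED_FTP_DESTINATIONS]


def assess(flows: List[Dict], payload: str) -> Dict:
    """Combine the network check with content inspection of the recovered payload."""
    flagged = suspicious_ftp_flows(flows)
    pans = find_pans(payload)
    return {
        "flagged_flows": flagged,
        "masked_pans": [mask(p) for p in pans],
        "card_data_exposed": bool(flagged) and bool(pans),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_FLOWS, SAMPLE_PAYLOAD)
    for f in report["flagged_flows"]:
        print(f"ALERT unapproved FTP {f['src_host']} ({f['src_ip']}) -> {f['dst_ip']}:{f['dst_port']}")
    print("PANs found in plaintext payload:", report["masked_pans"])
    print("Card data exposed:", report["card_data_exposed"])
```

The allowlist, rather than a volume threshold, is what catches the flow here: an 11 MB upload from a file server that moves gigabytes a day is unremarkable on its own, but plaintext FTP to an address nobody has approved is not. The Luhn pass on the payload turns a network anomaly into evidence that cardholder data left the building, which is the finding that matters under the standard.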