Just in time for the New Year, authorities have announced that as many as 40 million debit and credit cards may have been compromised as a result of a breach of Target’s payment system. Details of how the theft occurred are still emerging, but it now appears that nearly all of the 1,797 Target stores in the United States were the… um, target… of the theft of customer name and credit card information. In light of this significant (but not unprecedented) crime, let’s revisit the topic of the Payment Card Industry Data Security Standard:
Aside from the Target debacle, most of us are familiar with some of the recent security breaches in which consumers’ credit and debit card data were hacked and stolen. Perhaps the most infamous, the 2003-2004 theft of data from the TJX family of stores (Marshalls, TJMaxx and others) involved at least 45 million credit and debit card numbers and ultimately cost the company an estimated $9.75 million in legal fees and settlements. Essentially, TJX employed an insecure and antiquated encryption standard that hackers were able to wirelessly access from parking lots of two Marshalls stores in Miami. While the company was not found to be in violation of any laws in its failure to safeguard sensitive customer data, it was deemed to have failed to comply with a number of soon-to-be-adopted Payment Card Industry Data Security Standard (PCI DSS) guidelines.
Introduced in 2004 and periodically updated, the PCI DSS is the brainchild of a confederation of institutions – Visa, MasterCard, Discover, American Express and JCB – to provide a common set of policies that define how to process, transmit and store credit card information securely. The standards apply to all retailers that accept credit/debit cards for payment, with merchants falling into one of four tiers (based on the volume of card transactions made).
In short, the objectives of the standards are to:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
After completing a questionnaire to determine which level a merchant falls within, retailers are typically required to pass periodic vulnerability scans. The standards apply to both Point of Sale (POS) transactions as well as internet-based e-commerce transactions. Enforcement of compliance is the responsibility of the individual credit card brands who may issue fines to their member banks, which may in turn pass the fines on to the offending retailer.
The PCI DSS guidelines are a separate and distinct standard from the Luhn algorithm. The Luhn algorithm is used to validate credit card or other numerical IDs to ensure that they are valid numbers and not simply a random sequence of digits. It is not designed as an encryption tool or a means to prevent unauthorized access. For a more thorough discussion of the Lund algorithm, see http://en.wikipedia.org/wiki/Luhn_algorithm.
PCI DSS is not without its critics; complaints have included accusations that the standards allow the card companies to issue fines and penalties against non-compliant entities, even in cases where no evidence of fraud exists. Other complaints eluded to the standards essentially being subjective, inherently inconsistent, confusing and altogether too expensive to implement, particularly for small retailers.
Proponents of the standards argue that they are at least stepping in the right direction by forcing retailers to consider the seriousness of the security risks, thereby protecting themselves, the financial institutions and – ultimately – the privacy and protection of the consumer.
It’s difficult to predict how the Target breach will play out in the coming months, particularly as Target has since revealed that customer PIN numbers were included in the stolen data. One thing’s for certain: it’s unlikely that the Target incident will be the last occurrence of sensitive customer information being hacked. Whether this prompts the industry in the U.S. to adopt the more secure European-style “card-with-a-chip” standard remains to be seen, however, payment card security standards will remain an important and evolving topic.