Target credit card data breach: Facts, Resources and Risk Mitigation

The Target data breach, discovered December 15, impacts all credit and debit card transactions in the USA between Nov. 27 and Dec. 15. This article explores what happened, why it happened, what merchants can learn from the incident, and links to top stories.

THE DATA BREACH INCIDENT:
On December 15, 2013, Target discovered malware on their USA point of sale (POS) system and disabled the malware code. The impact is over 40 million cards. Notably, the breach impacted in store only.

From Business Insider,  “As shoppers swiped or punched in their numbers on the checkout keypad, the hackers copied every single number.” Read More: The Incredibly Clever Way Thieves Stole 40 Million Credit Cards From 2,000 Target Stores In A ‘Black Friday’ Sting

Stolen was the track data from the magnetic stripe, and equivalent data from chip cards. According to Target: The CVV data which is encoded on the magnetic stripe was stolen. The CVV2,  the three or four digit value that is printed on the back or front of the card, was not. CVV2 data is never on magnetic strips for security so it would have to have been manually entered to be stolen. (From Target…”No indication that CVV2 data was compromised.”)

Also stolen were 4 digit encrypted pin debit codes. This data is encrypted on the POS device and is simply passed through to the processor in the encrypted state. From Target, “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

Summary: thieves have enough information to clone credit cards for retail sales

DAMAGES

The data quickly reached the black market with nefarious buyers taking advantage.

HOW COULD THE TARGET DATA BREACH HAPPEN?

In my opinion, and others, it’s likely related to system architecture. The thieves were able to get full track data needed to clone cards and increasing risk of the data being used. Target uses a custom POS application which requires Payment Application Data Security Standards (PA-DSS) in addition to Payment Card Industry Data Security Standards (PCI DSS) Compliance.

From Security: Dark Reading, Target Breach Should Spur POS Security, PCI 3.0 Awareness: Lyne says he believes the Target breach points to poor architectural and business practices. “It is critical that organizations handling such data take steps to protect it — such large volumes of data should never be accessible by one user or process — and should be encrypted to segment the data and should be detected if an export of such size occurs,” Lyne says.

An alternative workflow encrypts data at the point of sale by a payment gateway, which then delivers to the payment processor. This segregates point of sale data from payment data, reducing the scope for PCI compliance, and removing the POS application from scope for PA DSS. The payment application sends non-sensitive information, such as authorization code, back to the POS.

One way to spot potentially vulnerable systems as a consumer is whether or not the POS shows the item name and amount on the signature capture pad. This is an indication that the POS may be driving the payment application. When payment and POS are segregated, the signature capture pad shows only payment information.

PAYMENT GATEWAYS

Solutions fall into two categories: processor gateways and third party gateways. Merchants may be reluctant to integrate a processor gateway because it locks them into a specific vendor and can be very disruptive to operations to make a change in the future. Third party gateways provide increased flexibility, but also add extra cost to each transaction.  Factors included in choosing a solution include: single vs multi-store, USA or international, payment types, consumer or business to business, future purchase methods – need to store credit card information for recurring billing, multi-channel, and others.

THE IMPACT OF EMVemv chip card smart cardTarget was an early adopter of EMV, (Europay, MasterCard & Visa),  an open-standard set of specifications for smart card payments and acceptance devices. Credit and debit cards contain a small computer chip; This makes it harder to steal data on the point of sale device and to clone cards.

EMV  vs magnetic strip cards:  Traditional magnetic stripes contain “static” data consisting of the Primary Account Number, expiration date and other information; the same information is passed to the card issuer for every transaction. This makes it easy to clone cards.

EMV uses dynamic authentication.  In EMV transactions using dynamic authentication, the data changes with every transaction, thus any captured information is effectively useless to thieves. The chip is nearly impossible to counterfeit.

In the US, with low EMV merchant acceptance capabilities, cards may be issued with both magnetic stripe and chip. This means that thieves can still clone cards that contained a chip if the consumer uses the magnetic stripe in the transaction.

THIEVES AT WORK: HOW MERCHANTS CAN MITIGATE RISK

Without CVV2 data, using the card data for online transactions is unlikely because most ecommerce merchants verify that data. Retailers will be most at risk for cloned cards.

5 tips to prevent losses linked to cloned cards from Target or any other data breach:

  1. By card association rules, merchants can ask for identification, but they cannot deny a transaction if the cardholder will not provide it.
  2. Checking the zip code at the POS, where allowed by state law. *  The average thief doesn’t have this information and wouldn’t take the time to memorize it anyway. An intelligent system will decline the transaction if the zip code doesn’t match.  This may be inconvenient, especially in a fast paced environment. Some solutions allow merchants to validate the zip code only if over a certain dollar amount, reducing checkout burden while increasing risk management.
  3. Train cashiers to look at the cards for proper holograms and logos.
  4. Train cashiers to verify signatures.
  5. Require cashier to verify the last 4 digits at the POS.*  With cloned cards, the front of the card often does not match the magnetic stripe data. This is a highly successful fraud prevention tool to implement with minimal effort.

* Contact your processor to turn the zip code or last 4 digits flag on, or modify the payment gateway settings, whichever is appropriate.

TARGET DATA BREACH TRENDING STORIES AND LINKS

Kreb’s on Security:  Who’s Selling Credit Cards from Target? http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/

Wall Street Journal: Target’s Data-Breach Timeline 

http://www.abullseyeview.com/ Target’s web site for an inside view. Includes http://www.abullseyeview.com/2013/12/target-data-breach-5-things-you-need-to-know/

https://corporate.target.com/about/shopping-experience/payment-card-issue-faq Target’s corporate web site. Everything consumers need to know. (Author note: Target advises monitoring for fraud.  I advised my daughter to request an immediate debit card replacement.