Target credit card data breach: Facts, Resources and Risk Mitigation

The Target data breach, discovered December 15, affects credit and debit card transactions at Target's U.S. stores between Nov. 27 and Dec. 15. This article explores what happened, why it happened, what merchants can learn from the incident, and links to the top stories.

THE DATA BREACH INCIDENT:
On December 15, 2013, Target discovered malware on its U.S. point of sale (POS) system and disabled the malware code. Over 40 million cards are affected. Notably, only in-store transactions were impacted.

From Business Insider, “As shoppers swiped or punched in their numbers on the checkout keypad, the hackers copied every single number.” Read more: The Incredibly Clever Way Thieves Stole 40 Million Credit Cards From 2,000 Target Stores In A ‘Black Friday’ Sting

Stolen was the track data from the magnetic stripe, and the equivalent data from chip cards. According to Target, the CVV, which is encoded on the magnetic stripe, was stolen. The CVV2, the three- or four-digit value printed on the back or front of the card, was not. For security reasons the CVV2 is never encoded on the magnetic stripe, so it could only have been stolen if it was manually entered. (From Target: “No indication that CVV2 data was compromised.”)

Also stolen were the encrypted four-digit debit PINs. The PIN is encrypted on the POS device and is simply passed through to the processor in encrypted form. From Target, “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

Summary: thieves have enough information to clone credit cards for use in retail sales.

DAMAGES

The data quickly reached the black market with nefarious buyers taking advantage.

HOW COULD THE TARGET DATA BREACH HAPPEN?

In my opinion, and that of others, the breach is likely related to system architecture. The thieves were able to obtain the full track data needed to clone cards, which increases the risk of the data being used. Target uses a custom POS application, which requires Payment Application Data Security Standard (PA-DSS) compliance in addition to Payment Card Industry Data Security Standard (PCI DSS) compliance.

From Dark Reading, Target Breach Should Spur POS Security, PCI 3.0 Awareness: Lyne says he believes the Target breach points to poor architectural and business practices. “It is critical that organizations handling such data take steps to protect it — such large volumes of data should never be accessible by one user or process — and should be encrypted to segment the data and should be detected if an export of such size occurs,” Lyne says.
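One concrete form of the detection Lyne describes, as an added example that is not from the article or from any vendor named on it: a Go sliding-window check over constructed audit records that flags any user or process whose cardholder-data reads within an hour exceed a limit. The record layout, principal names and thresholds are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Access is one audit record: a principal (user or process) read some number of
// cardholder records at a time. The shape is constructed; map real audit logs onto it.
type Access struct {
	At        time.Time
	Principal string
	Records   int
}

// VolumeAlerts returns, sorted, every principal whose reads inside any window of
// the given length total more than limit: the oversized export to be detected.
func VolumeAlerts(acc []Access, window time.Duration, limit int) []string {
	byP := map[string][]Access{}
	for _, a := range acc {
		byP[a.Principal] = append(byP[a.Principal], a)
	}
	var alerts []string
	for p, list := range byP {
		sort.Slice(list, func(i, j int) bool { return list[i].At.Before(list[j].At) })
		sum, start := 0, 0 // sliding window over this principal's reads
		for end := range list {
			sum += list[end].Records
			for list[end].At.Sub(list[start].At) > window {
				sum -= list[start].Records
				start++
			}
			if sum > limit {
				alerts = append(alerts, p)
				break
			}
		}
	}
	sort.Strings(alerts)
	return alerts
}

func main() {
	t0 := time.Date(2013, 11, 27, 6, 0, 0, 0, time.UTC)
	var audit []Access
	for i := 0; i < 500; i++ { // constructed: registers read one card per sale
		audit = append(audit, Access{t0.Add(time.Duration(i) * time.Minute), "pos_register", 1})
	}
	for i := 0; i < 4; i++ { // constructed: one process pulls 20,000 records in minutes
		audit = append(audit, Access{t0.Add(time.Duration(i) * time.Minute), "export_task", 5000})
	}
	fmt.Println(VolumeAlerts(audit, time.Hour, 1000))
}
```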

An alternative workflow encrypts card data at the point of sale and sends it to a payment gateway, which then delivers it to the payment processor. This segregates point of sale data from payment data, reducing the scope of PCI compliance and removing the POS application from PA-DSS scope. The payment application sends only non-sensitive information, such as the authorization code, back to the POS.

One way for a consumer to spot a potentially vulnerable system is whether the POS shows the item name and amount on the signature capture pad. That is an indication that the POS may be driving the payment application. When payment and POS are segregated, the signature capture pad shows only payment information.

PAYMENT GATEWAYS

Solutions fall into two categories: processor gateways and third party gateways. Merchants may be reluctant to integrate a processor gateway because it locks them into a specific vendor, and changing vendors in the future can be very disruptive to operations. Third party gateways provide increased flexibility, but also add extra cost to each transaction. Factors to consider when choosing a solution include: single vs. multi-store, USA or international, payment types, consumer or business to business, future purchase methods (such as the need to store credit card information for recurring billing), multi-channel, and others.

THE IMPACT OF EMV

Target was an early adopter of EMV (Europay, MasterCard & Visa), an open-standard set of specifications for smart card payments and acceptance devices. Credit and debit cards contain a small computer chip; this makes it harder to steal data on the point of sale device and to clone cards.

EMV vs. magnetic stripe cards: Traditional magnetic stripes contain “static” data consisting of the Primary Account Number, expiration date and other information; the same information is passed to the card issuer for every transaction. This makes it easy to clone cards.

EMV uses dynamic authentication. In EMV transactions using dynamic authentication, the data changes with every transaction, so any captured information is effectively useless to thieves. The chip is nearly impossible to counterfeit.

In the US, where merchant EMV acceptance is low, cards may be issued with both a magnetic stripe and a chip. This means that thieves can still clone cards that contain a chip if the consumer uses the magnetic stripe in the transaction.

THIEVES AT WORK: HOW MERCHANTS CAN MITIGATE RISK

Without CVV2 data, use of the stolen card data for online transactions is unlikely because most ecommerce merchants verify that value. Retailers will be most at risk from cloned cards.

5 tips to prevent losses linked to cloned cards from Target or any other data breach:

  1. By card association rules, merchants can ask for identification, but they cannot deny a transaction if the cardholder will not provide it.
  2. Check the zip code at the POS, where allowed by state law.* The average thief doesn’t have this information and wouldn’t take the time to memorize it anyway. An intelligent system will decline the transaction if the zip code doesn’t match. This may be inconvenient, especially in a fast paced environment. Some solutions allow merchants to validate the zip code only above a certain dollar amount, reducing the checkout burden while still improving risk management.
  3. Train cashiers to look at cards for proper holograms and logos.
  4. Train cashiers to verify signatures.
  5. Require the cashier to verify the last 4 digits at the POS.* With cloned cards, the number on the front of the card often does not match the magnetic stripe data. This is a highly successful fraud prevention tool that can be implemented with minimal effort.

* Contact your processor to turn the zip code or last 4 digits flag on, or modify the payment gateway settings, whichever is appropriate.
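An added example, not from the article, of how a POS could enforce tips 2 and 5 in Go: the PAN is parsed from the track 2 data the reader returns, the cashier-keyed last four digits must match it, and the zip code prompt applies only at or above a configurable amount, with the issuer's AVS zip comparison represented by a boolean. The track 2 layout follows the public magnetic-stripe format; the sample track, test PAN and threshold are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ParsePAN extracts the account number from magnetic-stripe track 2 data,
// laid out as ';' PAN '=' YYMM service-code discretionary '?' (the reader
// may already strip the sentinels, so both forms are accepted).
func ParsePAN(track2 string) (string, error) {
	s := strings.TrimSuffix(strings.TrimPrefix(track2, ";"), "?")
	pan, rest, ok := strings.Cut(s, "=")
	if !ok || len(pan) < 13 || len(pan) > 19 || len(rest) < 4 {
		return "", errors.New("malformed track 2")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", errors.New("non-digit in PAN")
		}
	}
	return pan, nil
}

// Decision is the POS outcome for one swipe, before any authorization is sent.
type Decision struct {
	Approved bool
	Reason   string
}

// CheckSwipe applies tips 2 and 5 above: the last four digits the cashier keys
// from the card face must match the stripe, and at or above zipThreshold the
// cashier is prompted for the zip code, which the issuer compares (AVS);
// issuerZipMatch stands in for that issuer response.
func CheckSwipe(track2, enteredLast4 string, issuerZipMatch bool, amount, zipThreshold float64) Decision {
	pan, err := ParsePAN(track2)
	if err != nil {
		return Decision{false, err.Error()}
	}
	if pan[len(pan)-4:] != enteredLast4 {
		return Decision{false, "last 4 mismatch: card face does not match stripe"}
	}
	if amount >= zipThreshold && !issuerZipMatch {
		return Decision{false, "zip code mismatch"}
	}
	return Decision{true, "checks passed"}
}

func main() {
	track := ";4111111111111111=251210112345?" // constructed sample using a test PAN
	fmt.Println(CheckSwipe(track, "1111", true, 250, 100))  // approved
	fmt.Println(CheckSwipe(track, "9876", true, 20, 100))   // last 4 mismatch
	fmt.Println(CheckSwipe(track, "1111", false, 250, 100)) // zip mismatch above threshold
}
```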

TARGET DATA BREACH TRENDING STORIES AND LINKS

Krebs on Security: Who’s Selling Credit Cards from Target? http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/

Wall Street Journal: Target’s Data-Breach Timeline 

http://www.abullseyeview.com/ is Target’s web site for an inside view. It includes http://www.abullseyeview.com/2013/12/target-data-breach-5-things-you-need-to-know/

https://corporate.target.com/about/shopping-experience/payment-card-issue-faq is Target’s corporate web site, with everything consumers need to know. (Author note: Target advises monitoring for fraud. I advised my daughter to request an immediate debit card replacement.)


New P2P Encryption Solution With MagTek Secure Card Readers

CenPOS, a universal payment processing platform, now supports point-to-point (P2P) encryption with MagTek retail point of sale and mobile credit card reader devices. P2P encryption and end-to-end encryption are terms often bandied about with different meanings.

In P2P encryption, the card data is encrypted at the swipe and decrypted at another point before going on to the credit card processor. This reduces the risk of compromising data in flight. For example, if a merchant has a keyboard-emulation card reader connected to a virtual terminal or point of sale software, and the computer has malware, there is a risk of the card data being intercepted before it reaches the next point. Simply opening a text editor and swiping a card through such a reader dumps all of the data onto the page, which increases internal security risk. With encryption at the card reader, any intercepted data cannot be read because only the intended recipient has the decryption key.

The term end-to-end encryption has become a catchall for the encryption and delivery of sensitive cardholder data from the point of sale entry point through each of the various organizations and networks in the payments process, all the way to the card issuer. However, while the swipe device is clearly an end point, the destination is not. There are several points where card data may need to be opened in the process, including the merchant acquirer/processor, card brands, loyalty card services, and the card issuer, all of which create complexities that could cause problems for an authorization approval. Thus, because decryption usually takes place at the point where the sensitive data is released to the processor (to ensure a higher rate of approvals), end-to-end encryption is a misnomer.

With the CenPOS SaaS and MagTek hardware solution, data is encrypted at the swipe head, decrypted at CenPOS, and then routed per the merchant rules. (Again, some companies define this as end-to-end encryption because there are no hard and fast rules defining it in the payments world.) This added layer of protection can bring extra peace of mind to CenPOS merchants concerned with data security. There is no additional cost for the service; however, merchants must have devices injected with the CenPOS encryption key at a secure POS distributor terminal facility.
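The workflow described in this P2P section and in the gateway-encryption alternative in the Target article, as an added Go example that is not CenPOS or MagTek code: the reader seals the track with a key injected into it, the POS host forwards an opaque blob it cannot read, and the gateway decrypts and returns only an authorization code and the last four digits. AES-256-GCM, the reader serial, the auth code, the fixed demo key and the test PAN are assumptions; the article names no algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// InjectedKey wraps a reader's injected key as AES-256-GCM, a constructed stand-in
// (the article names no algorithm). Reader and gateway hold it; the POS host never does.
func InjectedKey(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtSwipe runs inside the reader: it seals the track at the swipe head with
// the serial bound as AAD, so a blob from one device is rejected under another.
func EncryptAtSwipe(k cipher.AEAD, serial, track2 string) ([]byte, error) {
	nonce := make([]byte, k.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.Seal(nonce, nonce, []byte(track2), []byte(serial)), nil
}

// GatewayAuthorize is the decryption point: it opens the blob (and would forward the
// track to the processor), then returns to the POS only a constructed auth code and last four.
func GatewayAuthorize(k cipher.AEAD, serial string, blob []byte) (string, string, error) {
	ns := k.NonceSize()
	if len(blob) < ns {
		return "", "", errors.New("blob too short")
	}
	track, err := k.Open(nil, blob[:ns], blob[ns:], []byte(serial))
	if err != nil {
		return "", "", err // wrong key, wrong serial or tampered blob
	}
	pan, _, _ := strings.Cut(strings.TrimPrefix(string(track), ";"), "=")
	if len(pan) < 4 {
		return "", "", errors.New("malformed track")
	}
	return "A1B2C3", pan[len(pan)-4:], nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed; real keys are injected at a facility
	k, _ := InjectedKey(key)
	blob, _ := EncryptAtSwipe(k, "MT-0001", ";4111111111111111=251210112345?") // test PAN
	auth, last4, err := GatewayAuthorize(k, "MT-0001", blob)
	// Whether malware on the POS host could find the PAN in the pass-through bytes: false.
	fmt.Println(strings.Contains(string(blob), "4111111111111111"), auth, last4, err)
}
```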

[Image: MagTek card readers and MagTek mini swipe reader]

Above: compatible MagTek devices. To accept credit cards, merchants need a high speed internet connection, a compatible card reader, a merchant account, and a CenPOS account, which includes a virtual terminal and payment gateway, among other solutions.

Contact Christine Speedy, CenPOS sales at 954-942-0483 for additional information.



Will insurance cover a data breach of credit card information, whether or not the business is PCI compliant?

The typical business general liability insurance policy provides ZERO coverage for this. A special policy referred to as Cyber Liability Insurance includes a section called Network Security coverage that protects you against both first-party and third-party liabilities arising from a data breach event. In order to get the special insurance, a merchant must be PCI DSS compliant at the time the policy is written, and must attest to compliance on the insurance application.

Cyber Liability is a generic term for an insurance policy and possible coverages include identity theft from computer network data and paper files.

CRITICAL RED FLAGS:

  • Merchant doesn’t know what PCI compliance means (Payment Card Industry Data Security Standard).
  • Merchant cannot provide a copy of a written policy for actively monitoring PCI compliance, and a record of doing so.
  • Merchant statements contain a “non-PCI Compliance validation fee”.

What if the PCI Compliance status changes during the term of the policy? This is a grey area and likely many factors will influence a decision to pay out, including how egregious the issue was that caused the breach as well as the business efforts to maintain compliance.

If a business qualifies for a discount because it has a building alarm, but then posts the alarm code next to the door for everyone to see, would the carrier be happy paying a theft claim? If a business was PCI compliant but then started accepting credit card sales via fax and stored all the forms in a file folder on someone’s desk where other employees or cleaning personnel have access, do you think the insurance carrier might have an issue with this? What if the business made every effort to meet PCI compliance, but a key senior employee goes rogue?

Businesses can mitigate the risk of losses from a data breach by outsourcing the responsibility, using third party payment processing technology, and purchasing Cyber Liability Insurance.

Thanks to Steven Breitbart, of Cypress Insurance Fort Lauderdale, for contributing to this article.

Video Training: How to replace credit card authorization forms

In this training video, I show how to securely store credit card data so that no one can ever see it again. It’s virtually impossible to prove Payment Card Industry Data Security Standard (PCI DSS) compliance if you store credit card authorization forms with full card data. This solution can significantly boost PCI compliance and reduce losses due to disputes and the resulting chargebacks.

[Embedded training video]

The positive card verification checkbox is used to submit a zero dollar authorization transaction. This validates all rules set in the merchant administration and on a per-user basis. For example, if the rules require address, zip code, and CVV security code verification, those items will be validated with the card issuer. The receipt is the merchant’s record of proof that the card issuer passed the verification.

Optionally send the repeat sale credit card charge form to your customer. Have the customer sign and send it back. This replaces credit card authorization forms that have full card data.

TIP: Include a cancellation and refund policy on all invoices, as required for all card not present transactions per card acceptance guidelines.

CenPOS works with your existing processor, is fast and easy, and requires no capital investment to implement. Call Christine Speedy in sales at 954-942-0483 or click here for more information.

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT

Is it any surprise that actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments by Verizon’s team of Qualified Security Assessors (QSAs) show that growth in compliance is stagnant? Even worse, organizations that suffered data breaches were much less likely to be compliant than the normal population of PCI clients. About 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark. For all those merchants sounding off about an annual PCI compliance fee, the evidence is clear that merchants still have a long way to go. 100% PCI DSS compliance is the only acceptable statistic.

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The first two of these can easily be resolved with our hosted payment processing technology, CenPOS. If you’re going to store cardholder data, it needs to be encrypted. One of the major problems has been ready access to solutions for storing cardholder data for variable billing. Most gateways have a PCI compliant solution to store encrypted card data for recurring billing, charging the same amount on a fixed schedule. However, CenPOS is unique in offering stored card data for billing a variable amount: token billing. Additionally, it is the only technology this writer is aware of that also includes interchange optimization, which is of major importance to companies trying to control credit card processing fees.

[Image: encrypted cardholder data, token billing with a variable amount]

Tokens are issued for stored card data and are worthless if stolen.

Requirement 10 (Tracking and Monitoring) is a major component of CenPOS. Every user has a unique login and management can micro-manage permissions. Where others create a few tiered levels of permission such as cashier, finance, and administrator, CenPOS offers a plethora of options, plus management tracking and research tools.

  • User Permissions: Control the precise transaction types allowed, set maximum thresholds, and set alerts based on responses, amounts and other criteria. Extensive permissions give the merchant maximum protection from lower level employees, and there are tools for secondary oversight at the admin level to mitigate the risk of fraud by high level employees.
  • Tracking and Monitoring: The requirement calls for tracking and monitoring all access to network resources and cardholder data; the main objective is to maintain system logs and have procedures that ensure their proper utilization, protection, and retention. According to the Verizon report, this has historically been one of the most challenging requirements, but it is critical to forensic investigations if they are ever needed. CenPOS logs everything related to the payments process, including user ID, time stamps and every other element of interaction with the system. Merchants must still have their own internal logging system for their network.

Requirement 11 (Regular Testing) had the least compliance in the Verizon report. “Organizations continue to have difficulty meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity monitoring (11.5).”  Our recommendation is that merchants hire a qualified outside vendor to assist them with this requirement. We have no direct affiliation with such companies but know several with good reputations should you need a resource.

Requirement 12 (Security Policies): While the best laid written plans may exist, there is still the human factor. Weaknesses identified include poorly written policies, including ones so long that they are stuffed in a desk never to be read again, and ones that are too vague. Note that the requirements are directly related to the services in scope of the organization’s PCI DSS assessment. The more the merchant reduces its scope, the more the burden falls on the service provider instead of internal personnel. CenPOS reduces the merchant’s scope in several ways, including but not limited to:

  • Web payments on a hosted pay page, not the merchant’s web page.
  • Electronic Bill Presentment and Payment: same as above.
  • Storing all card data, encrypted, on CenPOS servers, eliminating file drawers and merchant stored data.

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT (PDF) download

Learn more about how CenPOS can help you with PCI DSS Compliance.