News
News
3/21/2006
03:56 PM
50%
50%

Visa's Blaming Of Fujitsu In Debit Card PIN Breach Draws Ire

One Gartner analyst suggested the PIN problem was probably a combination of an inside job and outside hacking help, and estimated that there are at least 30 gangs worldwide sophisticated enough to pull off such a heist.

Visa's fingering of Fujitsu-made software for allegedly storing confidential customer data, including PINs, is a "cheap shot," said an identity theft analyst Monday.

Last week, Visa warned retailers that two point-of-sale (POS) programs produced by Fujitsu Transaction Solutions, Inc., a Texas-based subsidiary of Japan's Fujitsu Ltd., could be storing debit card PINs in violation of credit and debit card rules.

Although Visa would not confirm that it had named Fujitsu's RAFT and GlobalStore software, Fujitsu Transaction's chief operating officer, Ed Soladay, acknowledged that his company's products were the focus of the Visa alert.

"I wish we could have talked [with Visa] before the alert came out," said Soladay. "Our software doesn't capture PIN data, and anything in clear text is encrypted," he said in rebutting Visa's allegations that RAFT and GlobalStore put retail customers' bank accounts at risk.

Visa's charges and Fujitsu's denial are notable because both came on the heels of a debit card breach that has exposed an estimated 200,000 bank accounts to criminals who, armed not only with the magnetic stripe data but also the necessary PINs, have pillaged accounts.

The two events are no coincidence, said Avivah Litan, a Gartner research vice president and identity theft expert. "They're definitely linked," she said.

But although she's "89 to 90 percent certain" that the breach or theft involved Fujitsu's software, Litan called out Visa for naming names without all the facts. "I think it's a cheap shot to blame Fujitsu. It makes sense that the problem is at the point-of-sale environment, but I think it's probably much more likely that it was an add-on package's [fault]," Litan continued. "Likely some customized code. I can't imagine that Fujitsu's software would be keeping PINs."

Fujitsu Transaction's Soladay seized on Litan's take to point the blame elsewhere. "Retailers often use tracers, programs that can capture all kinds of data, during pilots," said Soladay, "and sometimes they forget to remove them when they go live. We recommend that retailers never use a tracer in a live environment, simply because the data could be at risk.

"I think it's a good assumption [that if PINs were stored], they were captured by a tracer."

So far, two major retailers -- Sam's Club and OfficeMax -- have dominated the reports which have named common retailers among the consumers whose accounts have been sacked. OfficeMax has vehemently denied a breach, going so far last week to release a statement claiming that an independent audit cleared the company.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.