Visa's Blaming Of Fujitsu In Debit Card PIN Breach Draws Ire
One Gartner analyst suggested the PIN problem was probably a combination of an inside job and outside hacking help, and estimated that there are at least 30 gangs worldwide sophisticated enough to pull off such a heist.
Visa's fingering of Fujitsu-made software for allegedly storing confidential customer data, including PINs, is a "cheap shot," said an identity theft analyst Monday.
Last week, Visa warned retailers that two point-of-sale (POS) programs produced by Fujitsu Transaction Solutions, Inc., a Texas-based subsidiary of Japan's Fujitsu Ltd., could be storing debit card PINs in violation of credit and debit card rules.
Although Visa would not confirm that it had named Fujitsu's RAFT and GlobalStore software, Fujitsu Transaction's chief operating officer, Ed Soladay, acknowledged that his company's products were the focus of the Visa alert.
"I wish we could have talked [with Visa] before the alert came out," said Soladay. "Our software doesn't capture PIN data, and anything in clear text is encrypted," he said in rebutting Visa's allegations that RAFT and GlobalStore put retail customers' bank accounts at risk.
Visa's charges and Fujitsu's denial are notable because both came on the heels of a debit card breach that has exposed an estimated 200,000 bank accounts to criminals who, armed not only with the magnetic stripe data but also the necessary PINs, have pillaged accounts.
The two events are no coincidence, said Avivah Litan, a Gartner research vice president and identity theft expert. "They're definitely linked," she said.
But although she's "89 to 90 percent certain" that the breach or theft involved Fujitsu's software, Litan called out Visa for naming names without all the facts. "I think it's a cheap shot to blame Fujitsu. It makes sense that the problem is at the point-of-sale environment, but I think it's probably much more likely that it was an add-on package's [fault]," Litan continued. "Likely some customized code. I can't imagine that Fujitsu's software would be keeping PINs."
Fujitsu Transaction's Soladay seized on Litan's take to point the blame elsewhere. "Retailers often use tracers, programs that can capture all kinds of data, during pilots," said Soladay, "and sometimes they forget to remove them when they go live. We recommend that retailers never use a tracer in a live environment, simply because the data could be at risk.
"I think it's a good assumption [that if PINs were stored], they were captured by a tracer."
So far, two major retailers -- Sam's Club and OfficeMax -- have dominated the reports naming the retailers common to consumers whose accounts have been sacked. OfficeMax has vehemently denied a breach, going so far last week as to release a statement claiming that an independent audit cleared the company.