Customer Data Losses Blamed On Merchants And Software
Poor security practices and software that doesn't delete credit-card data may have opened holes for customer information to be stolen or lost.
The steady stream of disclosures that customer information is being lost or stolen from retailers has caused security experts to focus on two areas: poor security practices by the retailers themselves and weaknesses in the software used to process credit-card payments.
Retail Ventures Inc. this month reported that personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary was stolen. The information, involving 1.4 million credit cards used to make purchases mostly between November and February, included account numbers, names, and transaction amounts.
Polo Ralph Lauren Corp. blamed a software glitch for a security breach that prompted HSBC North America to notify holders of its General Motors-branded MasterCard that their personal information may have been stolen. Polo Ralph Lauren repaired the problem and says there's no evidence that any theft has occurred.
Last year, BJ's Wholesale Club sued IBM for allegedly failing to turn off a feature in its payment software that stored so-called Track II data from a credit card's magnetic stripe after a transaction was approved. As a result, BJ's claimed in its lawsuit, Track II data on cards belonging to customers who made transactions between July 2003 and February 2004 may have been stolen and misused. A BJ's spokeswoman declined to comment, saying the case is still pending.
Storage and retention of Track II data is expressly forbidden by Visa's Payment Application Best Practices program. "Track II data should never be stored," says Bill Pittman, president of TPI Software LLC, one of seven payment-software vendors whose applications have been validated under the Visa program.
Another of the seven companies, Radiant Systems Inc., modified its applications to delete Track II data, says Andy Heyman, president of Radiant's hospitality division. It has added 128-bit encryption to safeguard all other information. Previously, the company had experienced one instance in which Track II data was stored at a customer site, Heyman says; he declined to identify the customer.
The Payment Card Industry Data Security Standard, which took effect in January, defines a set of requirements for merchants known as the Digital 12: Install a firewall; don't use vendor-supplied defaults for system passwords; protect stored data; encrypt transmission of cardholder data and sensitive information; use antivirus software; develop secure systems; restrict access to data to those with a need to know; assign a unique ID to each person with computer access; restrict physical access to cardholder data; track and monitor access to cardholder data; regularly test security systems; and maintain a policy that addresses information security.
Major card associations such as American Express, Discover, MasterCard, and Visa have adapted their own cardholder information security programs to the PCI standard. MasterCard and Visa have defined four merchant categories: Level one applies to any merchant that processes more than 6 million card transactions annually or has suffered a security breach; levels two and three apply to merchants that process more than 20,000 E-commerce transactions annually; and level four applies to all other merchants.
While all merchants are required to comply with the security programs, only those in levels one, two, and three are required to validate their compliance. For example, under Visa's Customer Information Security Program, level-one merchants are required to conduct an annual onsite security scan validated by an independent security assessor or internal audit, and a quarterly network scan validated by an independent scan vendor.
Validation for level-four merchants, however, is at the discretion of the merchant's bank. That's raising eyebrows among information security professionals. Many well-known merchant brands fall under level four, says Mike Petitti, senior VP of marketing at Ambiron TrustWave, which provides security assessments for merchants and service providers. "Some of the recent breaches have occurred at level-four merchants, most of which are bricks and mortar," he says. "There's a need to address those risks."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.