Customer Data Losses Blamed On Merchants And Software - InformationWeek

Customer Data Losses Blamed On Merchants And Software

Poor security practices and software that doesn't delete credit-card data may have opened holes for customer information to be stolen or lost.

The steady stream of disclosures that customer information is being lost or stolen from retailers has caused security experts to focus on two areas: poor security practices by the retailers themselves and weaknesses in the software used to process credit-card payments.

Retail Ventures Inc. this month reported that personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary was stolen. The information, involving 1.4 million credit cards used to make purchases mostly between November and February, included account numbers, names, and transaction amounts.

Polo Ralph Lauren Corp. blamed a software glitch for a security breach that prompted HSBC North America to notify holders of its General Motors-branded MasterCard that their personal information may have been stolen. Polo Ralph Lauren repaired the problem and says there's no evidence that any theft has occurred.

Last year, BJ's Wholesale Club sued IBM for allegedly failing to turn off a feature in its payment software that stored so-called Track II data from a credit card's magnetic stripe after a transaction was approved. As a result, BJ's claimed in its lawsuit, Track II data on cards belonging to customers who made transactions between July 2003 and February 2004 may have been stolen and misused. A BJ's spokeswoman declined to comment, saying the case is still pending.

Storage and retention of Track II data is expressly forbidden by Visa's Payment Application Best Practices program. "Track II data should never be stored," says Bill Pittman, president of TPI Software LLC, one of seven payment-software vendors whose applications have been validated under the Visa program.

Another of the seven companies, Radiant Systems Inc., modified its applications to delete Track II data, says Andy Heyman, president of Radiant's hospitality division. It has added 128-bit encryption to safeguard all other information. Previously, the company had experienced one instance in which Track II data was stored at a customer site, Heyman says; he declined to identify the customer.
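The retention problem described above is concrete enough to check for: Track II (ISO 7813 track 2) records have a fixed shape, so stored logs and databases can be audited for them. The following is an added example, not code from Radiant, TPI or any vendor named in the article; the log lines are constructed, and the PAN is the well-known test number 4111111111111111.

```python
import re

# Track 2 layout: ';' + PAN (13-19 digits) + '=' + YYMM expiry + 3-digit
# service code + discretionary data + '?'. Keeping this after authorization is
# exactly what the Visa program and PCI DSS forbid, so finding it is the check.
TRACK2_RE = re.compile(r';(\d{13,19})=(\d{4})(\d{3})(\d*)\?')


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN, to avoid flagging random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(text: str) -> list:
    """Return every Luhn-valid Track 2 record found in stored data (PAN masked)."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, exp, svc, _disc = m.groups()
        if luhn_ok(pan):
            hits.append({"pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                         "expiry": exp, "service_code": svc, "span": m.span()})
    return hits


def redact_track2(text: str) -> str:
    """Replace each valid Track 2 record with a marker so the retained copy is useless."""
    return TRACK2_RE.sub(
        lambda m: "[TRACK2-REDACTED]" if luhn_ok(m.group(1)) else m.group(0), text)


# Constructed sample: a hypothetical POS log that kept the full stripe after
# approval (line 1), a properly masked line (line 2) and a decoy that has the
# right shape but fails Luhn (line 3).
SAMPLE_LOG = """\
2004-02-11 12:03:55 AUTH OK amt=49.99 ;4111111111111111=0805101123456789?
2004-02-11 12:04:10 AUTH OK amt=12.00 pan=411111******1111
2004-02-11 12:04:22 DEBUG raw=;1234567890123=0805101?
"""

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_LOG):
        print("retained Track 2 data:", hit)
    print(redact_track2(SAMPLE_LOG))
```

Run against exported logs, database dumps or disk images from a payment host; any hit is retained Track II data that the vendor's fix should have prevented.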

The Payment Card Industry Data Security Standard, which took effect in January, defines a set of requirements for merchants known as the Digital 12:

1. Install a firewall.
2. Don't use vendor-supplied defaults for system passwords.
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information.
5. Use antivirus software.
6. Develop secure systems.
7. Restrict access to data to those with a need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor access to cardholder data.
11. Regularly test security systems.
12. Maintain a policy that addresses information security.

Major card associations such as American Express, Discover, MasterCard, and Visa have adapted their own cardholder information security programs to the PCI standard. MasterCard and Visa have defined four merchant categories: level one applies to any merchant that processes more than 6 million card transactions annually or has suffered a security breach; levels two and three apply to merchants that process more than 20,000 e-commerce transactions annually; and level four applies to all other merchants.

While all merchants are required to comply with the security programs, only those in levels one, two, and three are required to validate their compliance. For example, under Visa's Customer Information Security Program, level-one merchants are required to conduct an annual onsite security scan validated by an independent security assessor or internal audit, and a quarterly network scan validated by an independent scan vendor.

Validation for level-four merchants, however, is at the discretion of the merchant's bank. That's raising eyebrows among information security professionals. Many well-known merchant brands fall under level four, says Mike Petitti, senior VP of marketing at Ambiron TrustWave, which provides security assessments for merchants and service providers. "Some of the recent breaches have occurred at level-four merchants, most of which are bricks and mortar," he says. "There's a need to address those risks."
