Visa Warns Software May Store PINs
Some point-of-sale software may be storing PINs in violation of industry rules, Visa says. Fujitsu, one of the vendors involved, denies this.
Visa confirmed Monday it has issued an alert warning that some point-of-sale software may be storing PINs in violation of industry rules, leading to suspicions that the root of the recent debit card debacle may have been out-of-date or misconfigured software.
"….we provided a confidential alert to a limited number of financial institutions advising them that a particular configuration of certain software could cause it to store cardholder data," Visa said in a statement e-mailed to TechWeb. "We further advised them of the existence of a software upgrade designed to address the problem."
On Friday, the Wall Street Journal said it had seen a copy of the alert, which the newspaper claimed identified two point-of-sale (POS) programs created by Fujitsu Transaction Solutions Inc., a Frisco, Texas-based subsidiary of Japan's Fujitsu Ltd. In some settings, those programs -- RAFT and GlobalStore -- were retaining customer information.
"We alert member financial institutions in instances where any point-of-sale software or modification of it has a potential to put cardholder data at risk," Visa said. Visa's guidelines state -- as do those of the credit card industry overall -- that retailers aren't to store data, such as an PINs, which could fall into hackers' hands.
Fujitsu denied that its software was storing customer data, and said that Visa was mistaken. "Our software doesn't capture PIN data," said Ed Soladay, the chief operating officer of Fujitsu Transaction Solutions. "And I wish we could have talked about this [with Visa] before the alert came out. We were very dismayed when we heard about it, and we're in conversations now to clear it up with them."
But while Soladay said that the current versions of RAFT and GlobalStore software comply with the PCI (Payment Card Industry) data security standard, which forbids PIN storing, even temporarily, he couldn't rule out that a retailer using Fujitsu's software wasn't keeping the PINs.
"Retailers often use tracers, programs that can capture all kinds of data, during pilots," said Soladay, "and sometimes they forget to remove them when they go live. We recommend that retailers never use a tracer in a live environment, simply because the data could be at risk.
"I think it's a good assumption [that if PINs were stored], they were captured by a tracer."
The timing of the alert -- on the heels of a disclosure that massive numbers of debit cards had been compromised -- led to speculation that it may have been how data was available to hackers. The theft of debit card account numbers and PINs has allowed criminals to empty bank accounts from numerous national and regional banks, including Washington Mutual and Bank of America.
Previously, experts pegged the breach as a hack, since both the debit card account numbers and the associated PINs seem to have been stolen. A Visa spokesman, however, refused to comment on whether the alert was related to the debit card theft, or even if any data was stolen as a result of Fujitsu's software retaining data. Fujitsu also denied there had been a breach. "We haven't had any client come to use and say that they've had a breach," said Soladay.
The picture remains muddy, but circumstantial evidence seems to point toward a breach at a major retailer. Two weeks ago, Citibank -- another financial institution that has had to re-issue large numbers of debit cards -- said it had blocked access to ATMs in Canada, the U.K., and Russia because of fraud. At that time, Citibank said only that the breach occurred at a third-party, presumably a card processor or retailer.
Law enforcement sources noted that a commonality in the debit card hijacks was that the account owners had all shopped at OfficeMax, a national retailer of office supplies and computer hardware. OfficeMax has denied it was involved.
OfficeMax is not among the customers Fujitsu Transaction Solutions touts on its Web site, but other big brand names -- including OfficeMax rival Staples, as well as Best Buy, Kroger, Nordstrom, Chevron, and Dress Barn -- are listed in an online fact sheet.
Although OfficeMax's official statement said it suffered no breach and the Visa spokesman refused to name the members who had received its alert, it's possible that a third-party processor of retail debit and credit card payments was involved.
In 2005, for example, CardSystems, a large-scale processor of Visa and other credit card data, was hit with a massive breach that involved millions of accounts. The company essentially sank under the publicity. In February, the FTC reached a settlement with CardSystems that require it to adopt more stringent security measures.
About the Author
You May Also Like