Retail Ventures Inc. this month reported that personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary was stolen. The information, involving 1.4 million credit cards used to make purchases mostly between November and February, included account numbers, names, and transaction amounts.
Polo Ralph Lauren Corp. blamed a software glitch for a security breach that prompted HSBC North America to notify holders of its General Motors-branded MasterCard that their personal information may have been stolen. Polo Ralph Lauren repaired the problem and says there's no evidence that any theft has occurred.
Last year, BJ's Wholesale Club sued IBM for allegedly failing to turn off a feature in its payment software that stored so-called Track II data from a credit card's magnetic stripe after a transaction was approved. As a result, BJ's claimed in its lawsuit, Track II data on cards belonging to customers who made transactions between July 2003 and February 2004 may have been stolen and misused. A BJ's spokeswoman declined to comment, saying the case is still pending.
Storage and retention of Track II data is expressly forbidden by Visa's Payment Application Best Practices program. "Track II data should never be stored," says Bill Pittman, president of TPI Software LLC, one of seven payment-software vendors whose applications have been validated under the Visa program.
Another of the seven companies, Radiant Systems Inc., modified its applications to delete Track II data, says Andy Heyman, president of Radiant's hospitality division. It has added 128-bit encryption to safeguard all other information. Previously, the company had experienced one instance in which Track II data was stored at a customer site, Heyman says; he declined to identify the customer.
The Payment Card Industry Data Security Standard, which took effect in January, defines a set of requirements for merchants known as the Digital 12: Install a firewall; don't use vendor-supplied defaults for system passwords; protect stored data; encrypt transmission of cardholder data and sensitive information; use antivirus software; develop secure systems; restrict access to data to those with a need to know; assign a unique ID to each person with computer access; restrict physical access to cardholder data; track and monitor access to cardholder data; regularly test security systems; and maintain a policy that addresses information security.
Major card associations such as American Express, Discover, MasterCard, and Visa have adapted their own cardholder information security programs to the PCI standard. MasterCard and Visa have defined four merchant categories: Level one applies to any merchant that processes more than 6 million card transactions annually or has suffered a security breach; levels two and three apply to merchants that process more than 20,000 E-commerce transactions annually; and level four applies to all other merchants.
While all merchants are required to comply with the security programs, only those in levels one, two, and three are required to validate their compliance. For example, under Visa's Customer Information Security Program, level-one merchants are required to conduct an annual onsite security scan validated by an independent security assessor or internal audit, and a quarterly network scan validated by an independent scan vendor.
Validation for level-four merchants, however, is at the discretion of the merchant's bank. That's raising eyebrows among information security professionals. Many well-known merchant brands fall under level four, says Mike Petitti, senior VP of marketing at Ambiron TrustWave, which provides security assessments for merchants and service providers. "Some of the recent breaches have occurred at level-four merchants, most of which are bricks and mortar," he says. "There's a need to address those risks."