Visa's Blaming Of Fujitsu In Debit Card PIN Breach Draws Ire
One Gartner analyst suggested the PIN problem was probably a combination of an inside job and outside hacking help, and estimated that there are at least 30 gangs worldwide sophisticated enough to pull off such a heist.
Visa's fingering of Fujitsu-made software for allegedly storing confidential customer data, including PINs, is a "cheap shot," said an identity theft analyst Monday.
Last week, Visa warned retailers that two point-of-sale (POS) programs produced by Fujitsu Transaction Solutions, Inc., a Texas-based subsidiary of Japan's Fujitsu Ltd., could be storing debit card PINs in violation of credit and debit card rules.
Although Visa would not confirm that it had named Fujitsu's RAFT and GlobalStore software, Fujitsu Transaction's chief operating officer, Ed Soladay, acknowledged that his company's products were the focus of the Visa alert.
"I wish we could have talked [with Visa] before the alert came out," said Soladay. "Our software doesn't capture PIN data, and anything in clear text is encrypted," he said in rebutting Visa's allegations that RAFT and GlobalStore put retail customers' bank accounts at risk.
Visa's charges and Fujitsu's denial are notable because both came on the heels of a debit card breach that has exposed an estimated 200,000 bank accounts to criminals who, armed not only with the magnetic stripe data but also the necessary PINs, have pillaged accounts.
The two events are no coincidence, said Avivah Litan, a Gartner research vice president and identity theft expert. "They're definitely linked," she said.
But although she's "89 to 90 percent certain" that the breach or theft involved Fujitsu's software, Litan called out Visa for naming names without all the facts. "I think it's a cheap shot to blame Fujitsu. It makes sense that the problem is at the point-of-sale environment, but I think it's probably much more likely that it was an add-on package's [fault]," Litan continued. "Likely some customized code. I can't imagine that Fujitsu's software would be keeping PINs."
Fujitsu Transaction's Soladay seized on Litan's take to point the blame elsewhere. "Retailers often use tracers, programs that can capture all kinds of data, during pilots," said Soladay, "and sometimes they forget to remove them when they go live. We recommend that retailers never use a tracer in a live environment, simply because the data could be at risk.
"I think it's a good assumption [that if PINs were stored], they were captured by a tracer."
So far, two major retailers -- Sam's Club and OfficeMax -- have dominated the reports in which consumers whose accounts were drained named the retailers they had in common. OfficeMax has vehemently denied a breach, going so far last week as to release a statement claiming that an independent audit cleared the company.