Securing Card Data Isn't an Easy Sell
Retailers keeping customer info, despite new rules
Computerworld - Recent data compromises, such as one involving the Sam's Club wholesale chain, highlight the challenges that credit card companies face in enforcing the security standards that went into effect last July for all businesses processing credit transactions.
Sam's Club, a division of Wal-Mart Stores Inc., said in a statement issued this month that it was investigating a security breach that had exposed credit card data belonging to an unspecified number of customers who purchased gas at the company's stations between Sept. 21 and Oct. 2.
Beyond saying that its internal systems and databases weren't compromised, Sam's Club didn't elaborate on how the card information was accessed. Last week, company officials didn't respond to repeated requests for comment.
But Corinne Sherman, vice president of card services at the Pennsylvania Credit Union Association in Harrisburg, said that based on alerts from MasterCard International Inc. and Visa U.S.A. Inc., Sam's Club appears to have been storing customer and account information from both tracks of the magnetic stripe on the back of cards. That information could be used by data thieves to create counterfeit cards that could then be used to commit fraud, Sherman said.
Especially troubling is the fact that a very large number of merchants still appear to be capturing and storing the full magnetic stripe information off credit and debit cards even though doing so violates the new Payment Card Industry (PCI) security standards, said Ann Davidson, payment systems risk manager at CUNA Mutual Group, a Madison, Wis.-based company that provides insurance and financial services to credit unions.
Of the more than 300 fraud alerts that MasterCard and Visa have each issued this year, the majority involved cases where magnetic stripe information was stored after a transaction, Davidson said.
"This is in direct violation of card association rules," Davidson said. "I would love to know why merchants are doing this." She added that CUNA Mutual has had several meetings with MasterCard and Visa to discuss the data storage issue.
In April, the insurer filed a lawsuit against BJ's Wholesale Club Inc. seeking to recover losses incurred as a result of a security breach that compromised 40,000 credit and debit cards. The lawsuit, which BJ's is contesting, alleges that the retailer stored account and customer information in violation of MasterCard's and Visa's regulations.
Many of the problems stem from the older point-of-sale systems that some merchants use to process card transactions, said Michael Petitti, a senior vice president at Ambiron TrustWave, a Chicago-based provider of security and PCI compliance services to the credit card industry. The POS systems often capture
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast Best Practices: How to Improve Business Continuity with Virtualization VMware solutions include a range of business continuity capabilities to help ensure availability for applications across your virtualized environment. Learn More>>
- Live Webcast
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts