Securing Card Data Isn't an Easy Sell
Retailers keeping customer info, despite new rules
Computerworld - Recent data compromises, such as one involving the Sam's Club wholesale chain, highlight the challenges that credit card companies face in enforcing the security standards that went into effect last July for all businesses processing credit transactions.
Sam's Club, a division of Wal-Mart Stores Inc., said in a statement issued this month that it was investigating a security breach that had exposed credit card data belonging to an unspecified number of customers who purchased gas at the company's stations between Sept. 21 and Oct. 2.
Beyond saying that its internal systems and databases weren't compromised, Sam's Club didn't elaborate on how the card information was accessed. Last week, company officials didn't respond to repeated requests for comment.
But Corinne Sherman, vice president of card services at the Pennsylvania Credit Union Association in Harrisburg, said that based on alerts from MasterCard International Inc. and Visa U.S.A. Inc., Sam's Club appears to have been storing customer and account information from both tracks of the magnetic stripe on the back of cards. That information could be used by data thieves to create counterfeit cards that could then be used to commit fraud, Sherman said.
Especially troubling is the fact that a very large number of merchants still appear to be capturing and storing the full magnetic stripe information off credit and debit cards even though doing so violates the new Payment Card Industry (PCI) security standards, said Ann Davidson, payment systems risk manager at CUNA Mutual Group, a Madison, Wis.-based company that provides insurance and financial services to credit unions.
Of the more than 300 fraud alerts that MasterCard and Visa have each issued this year, the majority involved cases where magnetic stripe information was stored after a transaction, Davidson said.
"This is in direct violation of card association rules," Davidson said. "I would love to know why merchants are doing this." She added that CUNA Mutual has had several meetings with MasterCard and Visa to discuss the data storage issue.
In April, the insurer filed a lawsuit against BJ's Wholesale Club Inc. seeking to recover losses incurred as a result of a security breach that compromised 40,000 credit and debit cards. The lawsuit, which BJ's is contesting, alleges that the retailer stored account and customer information in violation of MasterCard's and Visa's regulations.
Many of the problems stem from the older point-of-sale systems that some merchants use to process card transactions, said Michael Petitti, a senior vice president at Ambiron TrustWave, a Chicago-based provider of security and PCI compliance services to the credit card industry. The POS systems often capture
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!