Well, it appears that the bad guys hit another giant retailer this year as Target now reports a massive breach. There are a few items here that are interesting to note. First, we are talking about magnetic stripe data and a massive volume of cards in a short period of time. This would indicate some kind of software compromise (read: not an attached skimmer) that led to the capture of stripe or PIN data. Given that there is a concern about PINs, I would guess that the compromise was either in the POS terminal or in the actual payment terminal itself where the PIN is entered.
Breaches of this magnitude obviously call their compliance status into question, and the devil will be in the details. But more importantly, the kinds of attacks that we see against retail today are becoming more sophisticated BECAUSE of PCI DSS. Since most companies are pretty good at locking the front door while leaving the 3rd-story windows open, criminals have to get more creative to get into that window and still cause havoc. This underscores the mantra we’ve been saying for years… PCI DSS ≠ Security, and even though 3.0 tries to put PCI stuff into BAU process (which I find funny and misguided), we should be focusing on boosting our information security capabilities, not compliance.
So prepare for the noise to be high for a couple of months, and then things to die down and return to normal (where we skirt the line of compliance and expect the other guy to get popped).
In the meantime, here are a few tips for the rest of the holiday shoppers who (like me) still have stuff to get:
- Credit cards are still a safe form of payment. You have zero liability if the card is stolen. Just watch your charges with vigilance. Also, remember that credit/debit can have different rules about your liability! Be sure you understand your bank’s policy and choose the payment method that is the safest (for me, this is credit).
- Scammers are everywhere right now, playing on the generosity (and carelessness) of consumers. Be on alert!
- Anytime you enter your PIN, cover the keypad so that neighbors or cameras cannot capture the digits.
- If you see an ATM that looks suspicious (keypads are peeling, extra plastic around card reader, generally sketchy vibe), skip it.
Want to learn more? Check out my follow-up post regarding the leaked PIN data.