Stealing Your Credit Card Number
By David Dorf-Oracle on Nov 24, 2008
I guess its possible that credit card theft has been happening all along but just wasn't widely reported in the press. But it seems to me that large scale attacks are just as prevalent now as they were four years ago when Payment Card Industry (PCI) data security standards (DSS) were first mandated. I don't have any hard facts, but I don't feel like my credit card is any safer today. PCI-DSS has certainly made retailers more aware of the issue and a lot of money has been spent, but is customer information any safer?
The newest version of PCI-DSS was released last month, but I'd classify it as clarifications more than any new standards. Actually, the PCI standards are fairly comprehensive. My issue isn't with the standards themselves, its with the implementation and auditing of the standards. Gartner recently rendered an opinion that I happen to agree with. In a nutshell, they said that the updated PCI-DSS fails to:
--Recognize the huge differences between different types of merchants.
--Acknowledge chip and PIN technology.
--Take into account more comprehensive approaches to security.
In a separate opinion, Gartner points out that as long as assessors are also selling security products to retailers, there is a conflict of interest. My experience with PCI-DSS audits has been that much of the results are dependent on the subjective opinion of the assessor, who in all likelihood has no experience with the retail industry. This leads to some retailers being held to a higher standard than others. When audits are not repeatable, I tend to question their value.
Case in point, Hannaford Bros., an east coast grocery chain, had 4.2 million card numbers compromised earlier this year yet they claim PCI-DSS compliance. In fact, in some reports the breach may have occurred while the assessor was performing the audit. Who's to blame here? The retailer, the assessor, the bank, or the card brands?
Here's a scary example. Overseas hackers stole card data from the server that manages the Citibank-branded ATMs at 7-Eleven stores. They were able to then make over $2 million dollars worth of withdrawals from other ATMs using the stolen card data. Here's the scary part. Citibank says its the fault of the third-party ATM processors, in this case Cardtronics and Fiserv. Fiserv says they were not breached, and Cardtronics says it meets all PCI standards and doesn't anticipate participating in the investigation. A 7-Eleven spokesperson said, "7-Eleven is confident that its ATM provider, Cardtronics, has included the appropriate safeguards..." The public may never know what happened.
If you enjoyed that story, zip over to Privacy Rights Clearinghouse to see a list of schools, hospitals, and employers that have been breached and lost your personal information.
Feeling safe yet?