"We deeply regret and are very sorry that . . ." is the first line in my letter from Neiman Marcus President and CEO Karen Katz, reassuring me that I was in the group of 1.1 million customers who will be offered a year of free credit monitoring service. Not the kind of glam freebie I was looking for when I bought six shirts on sale as gifts. Yup, I might have dodged the recent Target (110 million) and Michaels (unknown) sales terminal bullets, but I have now joined the less elite group of those whose credit card information has been compromised.
The information contained in the magnetic stripe (magstripe) of US credit cards that is read upon swiping includes the cardholder's name, card number, expiration date, card security code or verification value, credit card limit, and card usage. "Memory-parsing" or RAM-scraping malware, installed on point-of-sale (POS) systems, captures information from the card being swiped before it is encrypted and sent to the payment processing provider. The stolen information may be used by the hackers to fund purchases, clone counterfeit cards for personal use or sale, or engage in the identity theft industry, perhaps by posting it for sale to a website. The going rate for captured information varies. Black market cards (available in sets of one million) go for at least $20 apiece. Meanwhile, the going rate for the malware starts at less than $2,000.[i] Let's see, what's the ROI on that?
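The cleartext magstripe record described above is exactly what PCI DSS forbids a merchant from keeping after authorization, and a routine compliance check is to scan POS application logs and spool files for it. The following is an added defender-side example, not code from the original post: it scans a constructed log excerpt for track-2 formatted data (PAN, "=", expiry, service code), confirms each candidate with the Luhn check, and reports or redacts it in the first-6/last-4 masked form. The log lines and card numbers are constructed test values.

```python
import re

# Track-2 layout as described in the text: PAN (13-19 digits), '=' separator,
# expiry as YYMM, three-digit service code, then discretionary data, optional '?'.
TRACK2_RE = re.compile(r"\b(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check used to separate real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_track_data(text: str) -> list:
    """Return masked findings for every Luhn-valid track-2 record in the text."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, exp = m.group(1), m.group(2)
        if luhn_ok(pan):
            findings.append({"masked_pan": mask_pan(pan), "expiry": exp[2:] + "/" + exp[:2]})
    return findings


def redact_track_data(text: str) -> str:
    """Replace each Luhn-valid track-2 record with its masked PAN only."""
    def _sub(m):
        return mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0)
    return TRACK2_RE.sub(_sub, text)


# Constructed POS log excerpt (test card numbers, not real cardholder data).
SAMPLE_LOG = (
    "2014-01-20 12:01:05 POS07 sale ok amount=84.00 track2=4111111111111111=15121011234567890?\n"
    "2014-01-20 12:01:09 POS07 sale ok amount=12.50 order=1234567890123456\n"
    "2014-01-20 12:02:14 POS07 sale ok amount=30.00 track2=4111111111111112=1601101234?\n"
)

if __name__ == "__main__":
    for f in find_cleartext_track_data(SAMPLE_LOG):
        print("cleartext track data found:", f)
```

Only the first line is reported: the second is an order id in no track layout, and the third has the layout but fails the Luhn check.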
Some retailers—especially those like Walmart that have unhappily written off popular large-ticket, but fraudulent, purchases (like electronics)—have lobbied heavily for US adoption of the "chip and PIN" credit card model used throughout Europe and in at least 80 countries worldwide. With better encryption contained on the chip and the PIN, the card offers at least two-factor authentication (something you have plus something you know). And although the 21st century technology used in Europay, MasterCard and Visa (EMV) cards will not ensure a POS is not hacked, as in the recent cases mentioned here, it provides an additional "safety gate" around protected and valuable information.
Besides, there is less incentive to compromise an EMV system. The record information captured from EMV transactions is lower quality and sells for about 10 percent of that from magstripe transactions.[ii]
Bad actors are opportunistic. US resistance to migrating away from its embedded base of 1960s magstripe technology for credit card improvements is providing plenty of opportunity. According to UK-based card fraud expert Neira Jones, "While the chip card cannot be cloned, the magnetic stripe can be . . . You see a migration of fraud going to countries that have not deployed chip and PIN. . . EMV does not eliminate all fraud, such as card-not-present fraud, but it has nearly eliminated face-to-face and skimming fraud."[iii]
With 20 hacking cases similar to Target's investigated over the past year, the FBI sent a confidential three-page report to retailers in mid-January warning them to watch for more malware installations on POS systems. And in late 2015, merchants, not banks, will absorb the cost of fraudulent purchases if chip cards are read using magstripe-only readers.[v] Perhaps in 2014 we have reached a critical mass of credit card compromise distress that will justify the estimated $8 billion price tag for migrating to chip and PIN technology, rather than continue to tolerate the "$1.1 billion a year lost to the fraudulent transactions chip cards are most likely to prevent."[vi]
The positive spin in my data breach notification letter from CEO/President Katz was: "Your PIN was never at risk because we do not use PIN pads in our stores." Well, that's a relief. Not. I want layers of security, not security swaps. As an enticement to merchants who agree to install chip and PIN technology right now, Visa and others are waiving PCI DSS compliance requirements.[vii] Excuse me?
Let's see. PCI security standards require that merchants and processors:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security[viii]
And the problem with those requirements is?
I am sorry, Ms. Katz and Visa. Spare me the deep regret and maintain PCI standards and perceived extra layers of protection. Please pass the PIN pad.
Learn more about database security with a cyber security information assurance specialization in our Master of Science in Information Assurance degree program. Be ready to face career challenges and opportunities with confidence by earning your degree from Regis University. Call 877-820-0581 or request more information.
[i] Brian Krebs, "Cards Stolen in Target Breach Flood Underground Markets," http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/.
[ii] Howard Schneider, Hayley Tsukayama and Amrita Jayakumar, "U.S. credit cards, chipless and magnetized, lure global fraudsters," The Washington Post (January 21, 2014), http://www.washingtonpost.com/business/economy/us-credit-cards-chipless-and-magnetized-lure-global-fraudsters/2014/01/21/6edd171e-7df3-11e3-9556-4a4bf7bcbd84_story.html.
[iii] Jeffrey Roman, "EMV: Card Fraud Is Migrating," September 5, 2013, http://www.bankinfosecurity.com/jones-a-6047/op-1.
[iv] Jim Finkle, "Michaels Arts Supply Store warns of possible data breach," The Huffington Post (January 25, 2014), http://www.huffingtonpost.com/2014/01/25/micheals-data-breach_n_4666029.html.
[v] Jim Gallagher, "Chip security is coming for credit cards," St. Louis Post-Dispatch (January 25, 2014), http://www.stltoday.com/business/columns/jim-gallagher/chip-security-is-coming-for-credit-cards/article_3780432f-a893-5298-aa3c-61c8c6d869a6.html.
[vi] Howard Schneider et al.
[vii] Mathew J. Schwartz, "Visa pushes PIN requirement with credit card purchases," Information Week (August 11, 2011), http://www.informationweek.com/security/vulnerabilities-and-threats/visa-pushes-pin-requirement-with-credit-card-purchases/d/d-id/1099508.
[viii] "Payment Card Industry Security Standards Overview," https://www.pcisecuritystandards.org/pdfs/pcissc_overview.pdf. Accessed January 27, 2014.