Target Breach Sends Chills: Is Any Merchant Safe, Even with EMV?

If Target can't protect itself from a data breach, how can any retailer hope to do so?

The Target breach, which affected up to 40 million cardholders who shopped at the store from Nov. 27 through Dec. 15, is noteworthy because it hit a massive retailer with deep experience in the credit and debit card businesses, and one that was a very early adopter of EMV-chip cards in the U.S. Target's plans to issue and accept the secure smart cards date back to 2001.

"When one of the biggest merchants who has the control and capital to invest in their endpoints like Target… [gets] breached, nobody can be safe," says Gray Taylor, executive director of the National Association of Convenience Stores.

A merchant of Target's size likely met the requirements of the Payment Card Industry Data Security Standard (PCI DSS), which describes how companies must protect any card data they handle, Taylor says. "I wouldn't be surprised at all to find out they were PCI compliant up until the point they were breached and then they will be PCI non-compliant and have fines levied," he says.

Target issued a statement Dec. 18 confirming the incident but has not provided substantial details about how the breach occurred. Most merchants are anxious to find out what happened so they can avoid the same fate, says Mark Horwedel, CEO of the Merchant Advisory Group.

"The broader merchant perspective would be that it's inevitable that data breaches will occur because we are basically dealing with a fraud-prone device that is generally not protected with a PIN," Horwedel says.

The Payment Card Industry data security council provides merchants and issuers as much information as possible to keep data safe, "but it is somewhat in vain because it is just too easy to perpetrate fraud against the mag-stripe product," he says. "Merchants, acquirers and hardware providers continue to be frustrated by this, and it is never going to end because there is no sunset rule on mag-stripe."

Magnetic-stripe data is a frequent target of fraudsters. Stolen data from a magnetic-stripe card can be written to any other type of card, even a hotel room key, and used to make swiped card payments. If the fraudster has a stolen PIN, the cloned cards will enable ATM withdrawals as well.

"As long as mag-stripes are still on cards and POS devices, no matter how much we spend on PCI, you can't protect the public from this kind of breach," Horwedel says.

Such a notion is frightening, considering 24% of the nation's gross domestic product comes from card payments, NACS's Taylor says.

The U.S. payments system needs to "totally rethink" its approach to data security, Taylor says.

"We have to stop thinking we can make pristine computing environments and need to start thinking of how we can process secure transactions in the dirtiest environment," Taylor says. "Until we take that total rethink, even under EMV, I don't think we will ever be away from these types of hacks."

The major card brands have set a timetable for most U.S. merchants to accept EMV cards by October 2015 (fuel merchants have an extra two years). EMV cards use dynamic security codes, a practice meant to thwart counterfeiting efforts. A dynamically generated code, if stolen, cannot be re-used to authorize a later payment.

However, many countries that have shifted to EMV still allow magnetic-stripe card payments, and the EMV cards are still made with magnetic stripes on the back.
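The difference between the two card paths can be shown from the issuer's side. The sketch below is an added example, not part of the original article: it uses HMAC-SHA256 over a per-card transaction counter as a stand-in for the real EMV cryptogram algorithm, and every name, key and value in it is a constructed assumption.

```python
import hashlib
import hmac

# Constructed sample values; not real card data or real EMV keys.
CARD_KEY = b"constructed-demo-card-key"
STATIC_STRIPE_CODE = "123"  # fixed code read from the stripe on every swipe

def chip_cryptogram(key, atc, amount_cents, nonce):
    """Card side: MAC over the transaction counter, amount and terminal nonce."""
    msg = f"{atc}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Hypothetical issuer host that authorizes chip and stripe payments."""

    def __init__(self, key, stripe_code):
        self.key = key
        self.stripe_code = stripe_code
        self.last_atc = 0  # highest transaction counter accepted so far

    def authorize_chip(self, atc, amount_cents, nonce, cryptogram):
        if atc <= self.last_atc:
            return False  # counter already consumed: replayed code
        expected = chip_cryptogram(self.key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # code was not generated for this transaction
        self.last_atc = atc
        return True

    def authorize_stripe(self, code):
        # The stripe value never changes, so the issuer cannot tell
        # a genuine swipe from a copy of an earlier one.
        return hmac.compare_digest(code, self.stripe_code)

def demo():
    issuer = Issuer(CARD_KEY, STATIC_STRIPE_CODE)
    code = chip_cryptogram(CARD_KEY, 1, 2500, "n-001")
    return {
        "chip_first": issuer.authorize_chip(1, 2500, "n-001", code),
        "chip_replay": issuer.authorize_chip(1, 2500, "n-001", code),
        "chip_reuse_new_txn": issuer.authorize_chip(2, 9900, "n-002", code),
        "stripe_first": issuer.authorize_stripe(STATIC_STRIPE_CODE),
        "stripe_again": issuer.authorize_stripe(STATIC_STRIPE_CODE),
    }

if __name__ == "__main__":
    print(demo())
```

The chip path accepts a code once and rejects it afterwards, while the stripe path accepts the same static value every time, which is why leaving the stripe on EMV cards keeps that exposure open.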

"This breach shows that despite best efforts by major retailers to protect cardholder data generated from magnetic stripe card transactions, criminals will find a way to get this data," says Randy Vanderhoof, director of the EMV Migration Forum.

The information disclosed so far suggests that the fraudsters did not modify the physical card readers at the point of sale. The breach affected all 1,800 Target stores, whereas an attack on the point of sale hardware would be much narrower in scope — an incident last year that compromised Barnes & Noble Inc.'s PIN pad devices affected just 63 of the chain's stores.

By contrast, wide-scale breaches that affected TJX Cos. Inc. and the processor Heartland Payment Systems involved compromises of a computer network, notes security expert Brian Krebs, in the Dec. 17 blog post that broke the news of the Target breach.

The TJX and Heartland incidents were attributed largely to Albert Gonzalez, who pleaded guilty in 2009 to 20 counts of conspiracy, computer fraud, wire fraud and other charges in Massachusetts.

Executives of the PCI Council were not available for comment. The council issued a statement saying it did not have insight into the Target breach because the organization does not monitor compliance or engage in forensic investigations.

"Cardholder data continues to be a target for criminals around the world, underscoring the importance of global payment security standards for card data protection," the council states. "Organizations must make protecting cardholder data a daily priority."

Jacob Ansari, director of technical services at 403 Labs and a PCI forensic investigator, says the Target breach will provide valuable insight for future security regardless of what happened.

"Hackers are becoming increasingly professional as an organized crime," Ansari says. "Until the details come out, we will not know if this was a new method or advancement in their technology."

Regardless of what is learned from the breach, the U.S. will remain in a slow transition toward EMV, Ansari says.
