Some consumers in New England who shop for food at Stop & Shop Supermarkets and for clothing at T.J. Maxx have recently had firsthand experience with the potential perils of using credit and debit cards.
As reported two weeks ago in SN, Stop & Shop, Quincy, Mass., discovered in mid-February that PIN-pad terminals at five Rhode Island stores and one Massachusetts store had been tampered with. Moreover, at two of those stores, in Coventry and Cranston, R.I., credit and debit card data was siphoned out of those terminals and used to make fraudulent purchases at other retailers.
According to Stop & Shop spokesman Robert Keane, the terminals were removed from the POS and replaced with look-alike terminals that captured card information. Subsequently, the originals were put back and the look-alikes retrieved, now containing card information that could be used to make fraudulent purchases. Following the discovery of the tampering, Stop & Shop bolted down the PIN pads in all of its stores and in all stores operated by sister Ahold division Giant Food, Landover, Md.
On Feb. 26, sometime after the original tampering incidents, four men in their early to mid-20s from California were arrested at the Coventry store after being seen “attempting to tamper with or remove a credit/debit card PIN pad from aisle No. 4,” said a statement released by the Coventry police. They were charged with computer theft and trespass, access to a computer for fraudulent purposes, and conspiracy. The investigation, which includes the U.S. Secret Service, is ongoing. No Stop & Shop employees have been implicated.
The security breach at The TJX Cos., Framingham, Mass., which operates T.J. Maxx, Marshalls, HomeGoods and other chains, was far more extensive than Stop & Shop's. According to information on TJX.com, “the portion of TJX's computer network that handles credit card, debit card, check and merchandise return transactions” suffered “an unauthorized intrusion.” The intrusion took place beginning in July 2005, continuing in 2005 and then from May 2006 to January 2007.
TJX indicated that as a result of the intrusions, an undisclosed number of credit and debit cards were “compromised.” Since then, the company has worked with IBM and General Dynamics to secure its computer systems. No arrests have been made.
Both Stop & Shop and TJX provided copious amounts of information about their respective incidents on their websites. Both companies, in letters to their customers, apologized for the incidents, and set up toll-free numbers for consumers seeking more information. Both offered to help consumers whose card numbers were stolen.
Of course, Stop & Shop and TJX are hardly the only retailers whose consumer-based systems have been attacked. The problem has become so widespread in retailing that last year the National Retail Federation, Washington, reported in a study that retail budgets for IT security were expected to increase by 34% and IT compliance budgets by 7%.
Card security has also attracted the attention of lawmakers. According to the Washington Post, Rep. Barney Frank, D-Mass., chairman of the House Financial Services Committee, plans to draft a bill that would exempt companies from disclosing data breaches if they encrypt or otherwise secure the data. More than 30 states now have laws requiring companies to alert consumers of data breaches.
OLD PIN PADS
The Stop & Shop and TJX incidents reflect different sides of the data security issue. Stop & Shop's breach involved the PIN pad terminals that are the entry point for consumer data, while TJX experienced a broader problem with the back-end corporate systems where the data resides.
Stop & Shop's PIN pads are older terminals originally manufactured by IVI Checkmate, which was acquired by Ingenico, Atlanta, in 2001. These eNcrypt 2400 terminals do not comply with current industry security standards for transaction terminals, known as Payment Card Industry PIN Entry Devices (PCI PED).
However, under current card association regulations, devices manufactured prior to 2004 are not required to be removed from service until July 10, 2010. Stop & Shop, just before the security breach in February, announced through its terminal vendor, VeriFone, San Jose, Calif., that it had selected new payment terminals for its stores, VeriFone's model MX870. The new terminals, which are PCI PED-compliant, are going into new and remodeled stores, and will replace “older legacy EFT units over time,” said the announcement.
According to VeriFone spokesman Pete Bartolik, only terminals meeting PCI PED requirements may be purchased by retailers after Dec. 31, 2007. Retailers failing to do so would be subject to fines or liability in the event of a data compromise. But retailers who purchased terminals after Jan. 1, 2004 — those terminals conform to VISA's own PED requirements — are not required to replace them.
PCI PED standards pertain specifically to PIN entry but also encompass the overall integrity of the device. “PCI PED requirements say that if something is inserted into the device, the device should become inoperative,” said Bartolik. If the suspects in the Stop & Shop case rigged a PIN terminal to collect card data, “what they did would be detectable in the [PCI PED-compliant] devices,” he said.
Separately from PCI PED, Visa announced last December that merchant banks will be required to validate that large merchants (above 1 million annual transactions) are in compliance with PIN security standards.
In addition, Visa, in its Payment Applications Best Practices program, has established minimum standards to ensure that POS payment applications are securely coded and do not retain the full contents of “track data,” the data located within the magnetic stripe on the back of a Visa card. Certain data is prohibited from being retained (see story, this page). Some payment systems store this data by default.
The TJX breach falls into the realm of the broader Payment Card Industry Data Security Standard. The PCI DSS is managed by the PCI Security Standards Council, created last year by Visa, MasterCard, Discover, American Express and JCB.
PCI PED is currently administered separately from PCI DSS, though in recent months “the associations supporting both standards have acknowledged publicly that they should in fact be linked, but have not provided any formal guidance as to how or when,” said Bartolik.
PCI DSS comprises 12 steps that fall into the following categories: build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. The standard also includes a prohibition against retaining all track data found in a card's magnetic stripe.
For retailers, compliance with PCI DSS is more strictly enforced than compliance with PCI PED. Whereas failure to comply with the latter may result in fines if there is a security breach, simply not being in compliance with PCI DSS will soon trigger fines. In 2006, Visa levied $4.6 million in fines, up from $3.4 million in 2005.
Nonetheless, just 36% of level 1 retailers, which process more than 6 million card transactions annually, comply with PCI DSS, Visa said. The compliance rate for level 2 retailers, which process between 1 million and 6 million annual card transactions, is 15%.
Visa imposes its fines on a retailer's bank, which can pass them on to the retailer. For example, under new Visa rules, banks that fail to get level 1 merchants to comply by Sept. 30 — or level 2 merchants to comply by year's end — risk fines of between $5,000 and $25,000 per month per retailer.
In addition, banks failing to confirm by March 31 that level 1 and 2 merchants are in compliance with magnetic-stripe data storage requirements may be fined up to $10,000 per month per retailer.
On the other hand, Visa has invested $20 million in incentives that will go to banks whose level 1 and 2 merchants do become compliant by Aug. 31.
Moreover, as of Oct. 31 banks that qualify for lower interchange rates will continue to receive them only for merchants that are in compliance.
The specter of PCI-related fines is spurring activity in the retail industry. Much of the increase in IT security budgets, noted NRF in its study last year, “is due in part to retailers trying to comply with payment card industry (PCI) data security standards.” A raft of vendors have stepped forward to help retailers meet these requirements.
Piggly Wiggly Carolina, Charleston, S.C., is adopting security technology from Cisco Systems, San Jose, that falls under the heading of PCI Solution for Retail. “As it is for many merchants, PCI compliance will continue to be an important initiative for us,” said Mike Bell, technical support manager for Piggly Wiggly Carolina, who is quoted in a case study posted on Cisco.com. “In addition to backing up systems, deploying software and synchronizing configurations, PCI compliance demands comprehensive network tracking and monitoring.”
According to the case study, Piggly Wiggly's IT staff uses the CiscoWorks LAN Management Solution, part of PCI Solution for Retail, to “quickly deploy security patches or new software to all 111 stores over the WAN.”
In addition, the IT staff “can confirm the running and start-up configurations on store systems every night,” the case study said. “In the morning, the staff scans a summary report to identify any out-of-synch systems and can quickly synchronize any systems that are identified.”
Piggly Wiggly can also compare the running or start-up configurations with industry benchmarks, such as standards from the Center for Internet Security.
Last year, Hannaford Bros., Scarborough, Maine, purchased NeXpose, from Rapid7, Boston, to perform network security scanning in compliance with the PCI DSS. The system is used to scan devices in Hannaford's networks and at the POS locations in its 158 stores. “NeXpose is extremely thorough in its compliance-checking against devices,” said David Fournier, senior information security analyst for Hannaford, in a statement.
In January, Rapid7 launched a PCI Compliance Portal to enable retailers to conduct security scans without installing software in-house.
Wild Oats Market, Boulder, Colo. (which is being acquired by Whole Foods Market) has been using log management software from LogRhythm, also based in Boulder, since last summer. The system helps retailers meet the PCI requirement to review logs of computer activity at least daily, particularly those computers that perform security functions.
In addition, the LogRhythm system sends out real-time alerts for suspicious activity, such as “if someone not authorized logs in 100 times to access data at 4 a.m.,” said Andy Grolnick, chief information officer, LogRhythm.
LogRhythm “easily satisfied the PCI audit requirements for log retention, review and analysis,” said Kevin Holestine, IT security and compliance, Wild Oats.
Encryption is another technology that can help satisfy PCI requirements. nCipher, a Cambridge, U.K.-based firm whose system manages the keys underlying encryption, has recently been working with an office supply retailer to encrypt data on store-based IBM AS/400 servers.
“Information in stores may stay there for an hour or a day, but it's vulnerable to theft,” said Richard Moulds, vice president, marketing, nCipher. With nCipher's system, a retailer's headquarters manages all of the keys governing encryption at the stores.
Top Five Vulnerabilities
To promote compliance with its own Cardholder Information Security Program (CISP) and the overall Payment Card Industry Data Security Standard (PCI DSS), Visa, San Francisco, has identified the top five vulnerabilities that can lead to credit card data security breaches.
Storage of the wrong data: In the normal course of business, the only data from a card's magnetic stripe that may be retained include: name, primary account number, expiration date and service code. Retailers should never store the card verification code or PIN verification value.
Missing or outdated security patches: All software updates or patches should be applied as soon as possible.
Vendor-supplied default settings and passwords: The settings and passwords supplied by vendors to simplify installation of hardware or software should be changed before a system is installed.
SQL Injection: A retailer's website that allows online shopping could be exploited by allowing illegitimate data to enter the system and get into the underlying SQL database. Any online payment application should validate the legitimacy of the input.
Unnecessary services on servers: Servers often have extra services and applications enabled by default. Unless they are used, these should be disabled or removed.