Breaches Make a Mockery of PCI Security Standards

The restaurant-slash-arcade-slash-bar Dave & Buster’s is the latest U.S. outlet to suffer a breach of its credit card processing system.

Hackers based in Ukraine and Estonia — assisted by a guy in Miami — installed packet sniffer malware at the point of sale systems in several D&B outlets, which siphoned off “Track 2” data as the information was being transmitted over the company’s network from the point of sale server to a data processor’s server, the U.S. Department of Justice said.

Track 2 on a card’s magnetic stripe contains the credit card number and expiration date, but no personally identifiable information.

At one restaurant, the packet sniffer captured 5,000 credit and debit card numbers, which were used to make US$600,000 in fraudulent purchases.

Relatively Small Breach

The scale of the breach is relatively small, at least at this point in the investigation. The Justice Department says the packet sniffer was installed at 11 locations, so a little simple math would tell us that 55,000 cards were compromised for a total fraud of about $6.6 million, assuming the one store for which the government provided figures is a good indication.

The grocery chain Hannaford ultimately determined that malware was to blame for its data breach, which came to light a few months ago. In that case, 4.2 million credit card numbers were compromised.

In the largest breach to date, TJX — the parent of Marshall’s and T.J. Maxx — had to pay nearly $45 million to MasterCard and Visa to reimburse those companies for the costs of the breach, which resulted in the exposure of 45.7 million customers’ card numbers.

Look for an Increase

Of course, in both the Hannaford and TJX cases, the initial estimates of the number of accounts compromised were tiny in comparison to the final figures, so stay tuned and watch the numbers go up in this case.

All three of these companies — Dave & Buster’s, Hannaford and TJX — are large corporations with big IT departments and their own armies of lawyers. All are subject to the Payment Card Industry Data Security Standard, a dozen requirements that mandate a level of security in processing credit card payments.

The standard is administered by a consortium of credit card issuers, including MasterCard, Visa and American Express. Outlets that are found to be out of compliance can lose their ability to process credit and debit payments, or they can be fined.

Hannaford, for one, stated specifically that it had been in compliance with PCI standards at the time its breach happened.

New Standard Needed

PCI is a fairly basic set of rules that anyone who’s going to be handling other people’s credit card data should follow — whether or not there’s a standard in place. Its provisions include maintaining a firewall and unique user names for everyone who accesses the system, for example.

Perhaps it’s time for a PCI upgrade. Criminals are getting smarter and craftier, and the people who try to prevent criminals from committing crimes need to be just as agile.

The PCI standards are getting a bit stale, Jim Dempsey, vice president for public policy for the Washington-based Center for Democracy and Technology, told the E-Commerce Times in March.

“[The Hannaford case] certainly illustrates that, and I can’t blame the credit card industry,” Dempsey commented. “I think they did the right thing. They developed a set of standards that seemed appropriate at the time and did serve undeniably to raise the bar. Now, though, as part of the normal security cycle — and you need to think of it as a cycle — the credit card companies, the issuing banks and the merchants need to reassess [and] basically issue a revised and strengthened standard.”

It sure beats paying for credit monitoring for millions of your customers.