Hackers Test Card Security
The growing sophistication of data breaches by hackers is fueling a debate over the effectiveness of the credit card industry's security standards for safeguarding customer data. All merchants that handle credit and debit card data are required to show they've met the payment card industry's data security standards—a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access. But some of the most notable data breaches last year targeted companies that recently had been certified as compliant with those standards. This raises the question of whether the standards go far enough, or if entities that experienced a breach are falling out of compliance with the practices that led to their certification.
In a recent House subcommittee hearing on the standards, representatives from the retail sector charged that the standards are only a tool to shift risk off the banks and credit card companies' balance sheets, reports The Washington Post. “The payment card industry's premise—that millions of retail establishments will keep pace with the ever-evolving sophistication of today's professional hackers—is just not realistic,” says David Hogan, of the National Retail Federation. Merchants and retailers that experience a breach and later are found to be out of compliance with the standards face steep fines from the credit card companies, and eventually may be forced to reimburse financial institutions for the costs of reissuing compromised cards.
Retailers that digitally store cardholder data are required to encrypt the information. But the standards don't require merchants to encrypt data as it travels over their internal, private networks. This became an issue last summer when hackers broke into the internal network of Heartland Payment Systems, a major credit card processor in Princeton, N.J. In that attack, the thieves siphoned card data by installing software that watched for and recorded card data as it was sent unencrypted over the company's internal processing networks.
In 75% of confirmed breaches investigated last year, the victims weren't compliant with the standards or never had been audited, according to a 2009 study by Verizon Business. Another 19% were found to be compliant only during their last assessment. Verizon also found that a common reason businesses weren't compliant with the standards was that they failed to monitor all their network resources or regularly test security systems and processes.
Regardless of the methods the attackers used, the most important protection businesses can have in place is the ability to detect breaches quickly after they happen, Bryan Sartin, vice president at Verizon Business, told the Post.
“If there's anything to be learned from a company that has been through a big breach, it's the importance of the ability to react to the underpinnings of a breach before it blows up and becomes a major problem,” Sartin said.