Payment Security Lessons from the Target Breach
The trouble just keeps growing for Target, which announced that the number of customers affected by its recent security breach could be almost 3x the original estimate. In a statement made today, the company said:
As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach[…]This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.
This could mean one of two things. Either the newly disclosed set of up to 70 million overlaps with the cardholders already announced, meaning more personal information was taken about the same people, or it is a largely separate group of up to 70 million people whose names and contact details were stolen but whose card data was not. Neither scenario is good.
Target already took a significant hit to its sales during the holiday season, so much so that it also announced today that it will close 8 of its stores in 2014. A security breach can be a difficult thing for a company to recover from, even for a big-box giant like Target.
Perhaps the only silver lining is that this breach has brought more attention to the switch from the archaic magnetic stripe (the track data stolen in the Target breach came from stripe cards) to the chip-and-PIN technology widely used throughout much of the world. The downside? U.S. merchants face no real pressure to accept chip cards until the card brands' liability shift in October 2015, when fraud liability moves onto merchants that have not adopted chip acceptance. In a recent interview with Reuters, our Chief Security Officer, Rush Taggart, addressed this inadequacy with a sentiment we're sure Target would agree with: this should have happened years ago.
Additionally, PCI DSS 3.0 becomes mandatory at the end of 2014 (merchants may still validate against version 2.0 through December 31, 2014). The new standard is stricter and pushes merchants to treat compliance as an ongoing, business-as-usual activity: keeping an inventory of every in-scope system component and monitoring those systems continuously rather than checking them once a year. While stricter compliance rules benefit everyone, they can make life harder for businesses. PCI audits can get expensive, and the staff hours sunk into staying compliant really add up.
Rush said it best when he spoke to the Wall Street Journal a few weeks ago:
“What ultimately is the answer for merchants is to minimize or eliminate the problem of PCI compliance. The tokenization of cardholder data goes a long way to doing that, and using compliance service providers will be a major aspect of it going out from 2014 into 2015. Aggressively migrating to chip-and-pin and a point-to-point encryption-compliant solution is the only way out for merchants.”
Although chip acceptance won't be widespread for about two years, there are still important things merchants can do now to protect their customers from potential identity theft.
- Point-to-Point Encryption: P2PE encrypts card data inside the card reader, at the moment of swipe or dip, under a key that only the P2PE provider holds. The merchant's POS software, store network and back-office servers forward ciphertext and never see a cleartext card number, so malware on those systems has nothing to harvest.
- Tokenization: Once the provider decrypts the card data, it replaces the card number with a token, a surrogate value generated at random with no mathematical relationship to the original number (typically only the last four digits are preserved, for receipts and customer service). Encryption is reversible by anyone who obtains the key; a token cannot be reversed at all, because there is nothing to reverse: the only link back to the card number is a lookup in the provider's vault.
- Storing data off-site: If your systems only ever handle tokens and the cleartext card data lives in a product like CardSecure™, a stolen database yields tokens that are worthless outside that vault, and the bulk of your business systems fall out of PCI DSS scope. What stays in scope is whatever still touches cleartext card data, which is why pairing tokenization with P2PE, so that only the card reader ever does, is the combination Rush recommends above.
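To make the three points above concrete, here is an added example (our illustration, not CardSecure™ or any other CardConnect code) that models the P2PE-plus-tokenization flow end to end: a reader that encrypts under a key the merchant never holds, a provider that decrypts, tokenizes and keeps the vault, and a merchant whose database ends up holding only tokens. The `Reader`, `Provider` and `Merchant` classes, the test card number and the HMAC-SHA256 counter-mode stream cipher are all assumptions made for the demonstration; a real P2PE device uses AES with DUKPT-derived keys, and a real vault encrypts its contents at rest.

```python
# Added example, not CardConnect's code. Stdlib only. The stream cipher below is a
# throwaway HMAC-SHA256 counter-mode construction standing in for the AES/DUKPT a
# real P2PE reader uses; class names and the test PAN are constructed for the demo.
import hashlib
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check. Real PANs pass it; the tokens below are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the ciphertext."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Encryption is reversible: whoever holds the key recovers the plaintext."""
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Reader:
    """P2PE point of interaction: holds the provider's key, emits only ciphertext."""

    def __init__(self, provider_key: bytes):
        self._key = provider_key

    def swipe(self, pan: str) -> bytes:
        return encrypt(self._key, pan.encode())


class Provider:
    """P2PE/tokenization provider: the only party able to decrypt or detokenize."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._vault = {}  # token -> PAN (a real vault encrypts this at rest)

    def issue_reader(self) -> Reader:
        return Reader(self._key)

    def tokenize(self, blob: bytes) -> str:
        pan = decrypt(self._key, blob).decode()
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        while True:
            # Random digits, last four preserved. Rejecting Luhn-valid candidates
            # guarantees the token is never a usable card number (and never the PAN).
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_ok(token) and token not in self._vault:
                break
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """The only way back from token to PAN is this vault lookup."""
        return self._vault[token]


class Merchant:
    """Merchant systems see ciphertext from the reader and tokens from the provider."""

    def __init__(self, provider: Provider):
        self.provider = provider
        self.reader = provider.issue_reader()
        self.db = []  # what an attacker on the merchant network would be able to dump

    def sale(self, pan: str, amount_cents: int) -> str:
        blob = self.reader.swipe(pan)            # POS never holds the cleartext PAN
        token = self.provider.tokenize(blob)     # provider returns a token
        self.db.append({"token": token, "last4": token[-4:], "amount": amount_cents})
        return token


def demo():
    """Run two sales on the same card; returns the parties plus both tokens."""
    provider = Provider()
    merchant = Merchant(provider)
    pan = "4111111111111111"  # constructed test PAN (passes Luhn, not a real card)
    t1 = merchant.sale(pan, 2599)
    t2 = merchant.sale(pan, 1099)
    return provider, merchant, pan, t1, t2


if __name__ == "__main__":
    provider, merchant, pan, t1, t2 = demo()
    print("merchant db:", merchant.db)
    print("provider can detokenize:", provider.detokenize(t1) == pan)
```

Two things worth noticing when you run it: the same card tokenizes to two different tokens, so an attacker cannot even correlate purchases across a stolen table without the vault, and a dump of `merchant.db` contains no card number at all. Whether the real-world reader's key management is P2PE-validated is what decides whether the POS itself stays in scope.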