Industry View: Target Breach Is a Wake-Up Call
The massive data breach suffered by Target last December continues to be a sobering wake-up call for every business that accepts credit and debit cards for payment, including convenience store and gas station operators. The financial impact on Target won’t be fully known for months or even years, but the damage to its reputation may be even more serious. With more than 70 million Target customers affected, how many shoppers nationwide are still wondering, “Is it safe to shop at Target?”
The petroleum/convenience store industry cannot afford to postpone taking action to improve data security. I called attention to the industry’s unique vulnerabilities in the April and June 2010 issues of this publication, but very little has been done to ensure customer safety and prevent the kind of financial and reputational damage Target is now facing.
And how do I know what Target is facing? In 2008, my company was the target of one of the largest security breaches ever. At the time, we thought we were doing a great job protecting our customers’ data, given that we were operating at or above industry standards. The hackers found a way in—and that breach almost put us out of business and cost us more than $140 million.
The simultaneous three-part solution I proposed for the petro industry (and every other industry) four years ago is still the best solution available, so let’s review.
Part One: EMV
The first step is called EMV (for Europay, MasterCard and Visa), or chip cards that help fight fraud at the physical point of sale by verifying that the presented card is genuine. The smart-card chip contains dynamic data that is validated in a more secure manner than the static data of a magnetic stripe. The data is always changing, which makes the card data harder to counterfeit. In the wake of the Target breach, Visa and MasterCard announced they would lead an industrywide group to focus on universal implementation of EMV. The intent is to make debit and credit cards safer by storing personal information on computer chips rather than magnetic stripes. Visa and MasterCard have announced schedules for shifting fraud liability to merchants who do not incorporate EMV capabilities: October 2017 for pay-at-the-pump (PATP) locations.
This is a good first step. Unfortunately, it is not enough to prevent future attacks by sophisticated hackers. No single countermeasure is enough. To have the best chance of preventing what happened to us—and Target—a three-part process implemented and working in tandem is needed. For instance, EMV would not have prevented the problem for Target because the theft occurred as a result of malware in the POS that interfaces Target’s signature pad payment devices. The malware was stealing data from credit-card magnetic stripes before the POS host computer could encrypt it.
Part Two: E3
A major critical step in safeguarding your data is deploying end-to-end encryption, or E3 for short. (E3 is a trademark of Heartland Payment Systems.) With E3, a card’s data is virtually never in a readable form. From the moment it is swiped, through authorization, card data is always protected and never in a form that can be read outside of the processing system. But the important point here is encryption from end to end. When the data becomes decrypted at any point in the process, it is vulnerable to theft. Unfortunately, the sensitive data must be decrypted and re-encrypted with different keys along the path. This process must take place in a hardware security module (HSM), much as PINs are processed at ATMs.