Target Breach: What Does This Say About Their QSA?

According to the pre-forensics news, the breach was a result of malicious software installed on Point of Sale (POS) devices in a significant number (potentially all) of their locations across the US.

The thieves were apparently able steal not only the card numbers, but the track data and the PIN numbers as well, suggesting that the breach involved ‘sniffing’ the information off the wire. This data was obviously unencrypted from the point of swipe, suggesting also that the PEDs / terminals are either not configured to do so, or areĀ older models not capable of doing so.

Of course, this is all speculation, and it may be as simple as a concerted attack with skimming devices, but 40 MILLION cards lost at so many locations certainly suggests something more centralised, and far more fundamental.

Once the fuss dies down, there will be the inevitable ‘blame storming’ questions. For example:

  1. How did this happen if they were PCI compliant?
    o
  2. Who was their QSA, and how did they miss something so major?
    o
  3. Why are we still using credit cards when they are so insecure?

…and so on.

The first one is easy, and anyone who STILL thinks PCI compliance means that they were secure knows nothing about PCI, and even less about security. More detail in my blogĀ Stop Confusing PCI Compliance With Actual Security. As a corollary, there are many QSAs who think that PCI compliance is enough, and either don’t even try to help their clients toward a proper security posture, or assume PCI is about compliance in the first place. They should, and it’s not, respectively.

PCI compliance was only introduced to try to prevent things like the Target breach from happening, do you really think the cards brands care about actual compliance itself if it means credit card data is still vulnerable?

As for the second, the name of the QSA will no doubt come out in time, but blaming THEM for not doing their job properly is like blaming a single doctor for not curing all the world’s illnesses, it simply does not work that way. To any QSA company who tries to use this breach to bad mouth either the incumbent QSA company, or the QSA assessors, I say they had better have their own house 100% in order, because what goes around, comes around.

No QSA can EVER have the depth or breadth of knowledge of an organisation the size and complexity of Target and be able to determine 100% compliance, not when sampling and point-in-time validation are part and parcel of the assessment process.

As for the third one, that’s a question for the ages, and beyond the scope of this blog. I don’t like credit cards, as the majority of my blogs will attest, but they are going to be around for a while, so we had better come up with a better way of protecting them than compliance to the PCI DSS can ever provide.

For a start, does Target need to accept credit card payment themselves? Are home grown payment applications and systems core to their business? The answer to both is no, they are in business to sell things, that’s all, payments are just the MEANS to that end. Simplify, and/or outsource that function to an organisation that specialises in it, or at least consider the possibility.

Eventually credit cards will go away, but the need to properly authenticate a payment, and protect personal data will not. PCI does not get ANY organisation where it needs to be, and if you want to blame anyone for this breach, look no further than Target, they are the ones with all the cards in their hands, not the QSA.

====================

Update 20-Dec-13: In case my words above are unclear, I am VERY much against blaming QSAs for breaches when there is so much wrong with both the assessment process, and the standard itself. Yes, there are some crappy QSAs, but I seriously doubt this was something Target’s QSA missed. This was most likely a very sophisticated attack that even a security posture far above PCI compliance would have been able to stop.

Also, to whomever tried to post the name of the QSA as an employee OF that QSA, there is nothing I have seen in my career that is more unprofessional or more lacking in integrity. You are a coward.

4 thoughts on “Target Breach: What Does This Say About Their QSA?

  1. Has the QSA behind the Target breach been revealed? It seems like that is still not determined but should be made public as it can impact any other company that is also using that QSA. Thanks for the great article.

    • Revealed? Not to my knowledge, and I think it should remain that way if the final forensics report absolves them of any ‘blame’.

      There is nothing to be gained from exposing the QSA, except to provide fodder for the QSA companies, and individuals with no integrity, to point fingers.

      The issue with PCI is the standard itself, that’s where we should be focusing.

      • I totall disagree. You can’t exorerate the QSA without knowing more, as they probably bear some responsibility here, even if they are not liable for damages caused by the breach. After all, if the QSA is not on the line *at all* why have QSAs do third party attestation if they have absolutely no skin in the game? The point of going with a trusted QSA is that there name and reputation ARE out there. And I have seen QSAs who sign off on ROCs where they don’t really undertstand the architecture and do a shoddy job of asking questions. I do agree that this QSA MAY have done a fine job but it’s more likely that they did not fully understand how this home-built app was encypting the CHD (if it was at all…we can hope) and the hackers exploited some weakness there. Unlikely that Target willfully misled them or changed systems mid-audit.

      • Thank you for your comments Leigh, but I cannot but disagree. Yes, there are some / many crappy QSAs, but if you think ANY QSA is going to be able to fully understand everything there is to know about an organisation the size and complexity of Target, you have probably never been on the QSA side of things. You may know PCI from the receiving end, but until you know it inside out and backwards like and experienced QSA, you cannot understand the limitations they are forced to adopt.

        I happen to know Target’s QSA, and I can assure you he did a fine job given the circumstances.

        1. PCI compliance is not security, it’s a point in time assessment based on a sample of systems. 2. Target and large retail in general is massively complex and sustains significant change to stay competitive. While they SHOULD simplify their processes to stay more secure they were never NOT going to be a target for the bad guys.

        The problem here is not with the QSA, or Target, or even the DSS for that matter, the problem is that people can’t see beyond credit card as a non-cash payment method. It’s the card that need to go away.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.