According to the pre-forensics news, the breach was a result of malicious software installed on Point of Sale (POS) devices in a significant number (potentially all) of their locations across the US.
The thieves were apparently able to steal not only the card numbers, but the track data and the PIN numbers as well, suggesting that the breach involved ‘sniffing’ the information off the wire. This data was obviously unencrypted from the point of swipe, suggesting also that the PEDs / terminals are either not configured to encrypt at the point of swipe, or are older models not capable of doing so.
Of course, this is all speculation, and it may be as simple as a concerted attack with skimming devices, but 40 MILLION cards lost at so many locations certainly suggests something more centralised, and far more fundamental.
Once the fuss dies down, there will be the inevitable ‘blame storming’ questions. For example:
- How did this happen if they were PCI compliant?
- Who was their QSA, and how did they miss something so major?
- Why are we still using credit cards when they are so insecure?
…and so on.
The first one is easy, and anyone who STILL thinks PCI compliance means that they were secure knows nothing about PCI, and even less about security. More detail in my blog Stop Confusing PCI Compliance With Actual Security. As a corollary, there are many QSAs who think that PCI compliance is enough, and either don’t even try to help their clients toward a proper security posture, or assume PCI is about compliance in the first place. They should, and it’s not, respectively.
PCI compliance was only introduced to try to prevent things like the Target breach from happening. Do you really think the card brands care about compliance itself if it means credit card data is still vulnerable?
As for the second, the name of the QSA will no doubt come out in time, but blaming THEM for not doing their job properly is like blaming a single doctor for not curing all the world’s illnesses; it simply does not work that way. To any QSA company who tries to use this breach to bad-mouth either the incumbent QSA company or its assessors, I say they had better have their own house 100% in order, because what goes around comes around.
No QSA can EVER have the depth or breadth of knowledge of an organisation the size and complexity of Target and be able to determine 100% compliance, not when sampling and point-in-time validation are part and parcel of the assessment process.
As for the third one, that’s a question for the ages, and beyond the scope of this blog. I don’t like credit cards, as the majority of my blogs will attest, but they are going to be around for a while, so we had better come up with a better way of protecting them than compliance to the PCI DSS can ever provide.
For a start, does Target need to accept credit card payments themselves? Are home-grown payment applications and systems core to their business? The answer to both is no: they are in business to sell things, that’s all; payments are just the MEANS to that end. Simplify, and/or outsource that function to an organisation that specialises in it, or at least consider the possibility.
Eventually credit cards will go away, but the need to properly authenticate a payment and protect personal data will not. PCI does not get ANY organisation where it needs to be, and if you want to blame anyone for this breach, look no further than Target: they are the ones with all the cards in their hands, not the QSA.
Update 20-Dec-13: In case my words above are unclear, I am VERY much against blaming QSAs for breaches when there is so much wrong with both the assessment process, and the standard itself. Yes, there are some crappy QSAs, but I seriously doubt this was something Target’s QSA missed. This was most likely a very sophisticated attack that even a security posture far above PCI compliance would have been able to stop.
Also, to whomever tried to post the name of the QSA as an employee OF that QSA, there is nothing I have seen in my career that is more unprofessional or more lacking in integrity. You are a coward.