PCI Breaches Keep Coming Despite Increased PCI DSS Requirements

In this electronic age, most of us worry about privacy. We all have information which we don’t want to get into the wrong hands. Some say if you don’t do anything wrong, privacy shouldn’t be a concern, but of course that isn’t true. It’s not just tales of indiscretions that we want to keep secret; it’s also the personal identifying information that an unscrupulous person could use to impersonate us and destroy our financial standings. Credit and debit card data is right there at the top of the list of items we worry about protecting.

It’s not an unrealistic concern. It seems as if a new payment card breach appears in the news on an all-too-regular basis. From discount retailer Target to high-end store Neiman Marcus, major companies that consumers have entrusted with their cards are reporting that their customers’ data has been, or might have been, disclosed or stolen.

It doesn’t seem to matter much whether you do your shopping in the bricks-and-mortar world or in cyberspace. Smaller or more obscure companies aren’t immune, either. Earlier this year, over five thousand online shoppers were identified as affected when an Illinois-based publisher, Sourcebooks, found that criminals had exploited a vulnerability in its shopping cart software.

The Sourcebooks sites were compromised for over two months, between April 16 and June 19 of this year. Software used to implement e-commerce transactions is just as vulnerable to exploitable coding flaws as any other type of program – but when it happens on an e-commerce site server, it puts hundreds or thousands of unsuspecting customers at risk. Of course, because of the nature of the data and the potential payoff, the bad guys find shopping cart software to be a very attractive target. Another problem is that this type of software tends to be pretty complex, so there are plenty of opportunities for security holes to occur.

It’s scary to think that your name, address, phone number, card numbers, account passwords, expiration dates and even the verification values designed to ensure physical possession of the card have all been misappropriated and could end up being sold on the black market to ID fraudsters.

It’s not as if attempts haven’t been made to prevent such breaches. Obviously those involved – the individual victims, the banks issuing the cards, and the payment card industry as a whole – have a vested interest in addressing the problem. That’s why the PCI Security Standards Council (SSC) developed industry-wide guidelines for securing this type of sensitive information. The PCI Data Security Standard (PCI DSS) is now in its third iteration (PCI DSS 3.0), and the current version outlines almost 400 requirements (in comparison to 289 imposed by PCI DSS 2.0).

Sourcebooks announced that following the breach, they were putting into effect new security measures in accordance with PCI DSS. They also threw customers a small message of comfort, saying that “to our knowledge, the data accessed did not include any Track Data, PIN Number, Printed Card Verification Data (CVD).”

Meanwhile, office supply giant Staples has been investigating a possible breach, because some banks noticed suspicious purchases on their customers’ cards for items from Staples stores in the northeastern United States.

You can find a wealth of information about PCI breaches and standards in Verizon’s 2014 PCI compliance report.