Target Gets Targeted By Data Thieves – But What About PCI Compliance?
Target Corp. announced today that it was the victim of a large-scale data theft involving up to 40 million credit and debit card accounts. The theft reportedly occurred between Nov 27th and December 15th, took place at the store level, and did not affect online transactions. Black Friday marks the beginning of the busiest time of year for most retailers. Target notified law enforcement, regulatory authorities and financial institutions as soon as it discovered the theft, and has engaged a private security and forensic firm to investigate the incident and to prevent another incursion that might lead to a further data theft. Target has 1,797 stores in the United States.
I must admit that I am a frequent shopper, and Target is one of my favorite stores. I eagerly humiliated myself at 12AM on “Black Friday” in order to purchase an iPad Air for $499. It is very likely that I had my personal credit card data compromised along with approximately 39.999 million other Target shoppers. Shopaholic that I am, I also had multiple credit cards affected by the TJ Maxx data theft of 2007. The cost to myself and other consumers affected is mostly limited to experiencing varying degrees of inconvenience.
How does something like this happen to a sophisticated retailer like Target, and where does that leave smaller companies with less sophistication and fewer resources? Isn’t PCI compliance required, and shouldn’t that be enough to protect credit card holders? For those of you not familiar with it, PCI DSS is a security standard established by the PCI Security Standards Council, a group founded by all the major credit card brands to address cardholder account security concerns across the credit card industry. The goal of the PCI DSS standard is to protect cardholder information. There are 12 principles and 253 detailed requirements that cover not only network security, but also security management, policies, procedures, network design, software, and a number of other protective measures.
So what happened at Target? No doubt Target employs a robust private network built on MPLS technology, with a large staff of auditors and other people concerned with maintaining PCI compliance. Under PCI DSS, all systems and networks that store, process, or transmit cardholder information must be compliant; they are said to be “in scope” and are subject to PCI audits and controls. The problem is that Target is a huge organization with tens of thousands of devices, network endpoints and people, and people are fallible and do not always adhere to or understand procedures. The “in scope” networks can interface with “out of scope” networks, and those interfaces present opportunities for criminals. Most intrusions are small and opportunistic in nature, but intrusions like those at TJ Maxx and Target require more planning and sophistication to pull off. The bottom line is that the human element often plays a major role in data intrusions, and something is learned each time a theft occurs.
An event like this raises awareness of the potential vulnerabilities of large private data networks. In the near future we will publish a blog post that takes a deeper dive into how MPLS can play a large role in preventing this sort of event from happening.