Bits & Bytes
Target on Our Back
Much has been written about the Target and associated breaches that occurred late last year. Out of
the din, a public call for new liabilities for breached
merchants has emerged.
Few articles have reported the facts: that Target
was PCI compliant, that the malware used was
undetectable to current antivirus software and the
thieves gained access to Target’s systems through
credentials stolen from an HVAC vendor. In fact,
Target did most things right — as prescribed by
PCI and best practice risk mitigation — yet still
Target is very much a victim of this crime, as are
the cardholders and issuers who will have to clean
up the tens of thousands of card accounts stolen
in the breach. But the data was lifted off of their IT
infrastructure, and tag, they’re “it.”
Perhaps the real crime here is the popular notion
that we can create and maintain “clean” data
networks and use signature authentication. To
keep this belief going forward is an act of criminal
recidivism, a dangerous fool’s errand. Target proves
that the fundamental design of card payments is
deeply flawed in that all breached cards shared one
attribute — signature authentication instead of PIN.
And signature is the sole creation of the credit card
brands — not banks, not merchants.
The membership of PCATS cannot unilaterally
change the pervasive flaws of the card payment system; only the recognition by the whole of society can
effect that. However, PCATS has, through its work
in national standards groups like X9 and within
our industry, developed standards and operational
guides that reduce risk in this flawed system.
Going forward, PCATS will play a vibrant role
in shaping policy around payments, in partnership
with NACS. You, the retailer, have a forum from
which to change the costs and risks associated
with payments. A good place to start is at this year’s
PCATS Annual Conference in Tucson, Arizona,
April 28 through May 1, where we will focus on what
needs to be fixed to ensure security of our payment
system (register at www.pcats.org).
Without these efforts, it is our industry that has
the target on our back …
Gray Taylor is the executive director of PCATS. He can
be reached at email@example.com or (512) 508-3469.
Visit us at pcats.org