assess compliance to the PCI DSS
standard. The suit claims Trustwave
found Target to be in compliance with
PCI standards last September, two
months before the attack, without finding any vulnerabilities with the way Target
handled card data.
“This is a trend that will continue, given the costs of
a breach,” Taylor said. “But I don’t believe the banks will have
standing, as their agreements with card brands outline their
cost recovery in such an event.” Rather, Taylor said, the real
blame should point to the card companies.
“The product is designed by the cards — not by banks or
merchants … I would suggest that, like any other product, the
product manufacturer would be liable. But [instead], the victim (in this case Target) gets punished.”
HOUSE OF CARDS
The PCI Security Standards Council (PCI SSC), comprised of
the major credit card companies, wouldn’t comment specifically
on the Target breach, only to clarify the organization’s focus.
“The Council’s role is to develop and maintain standards,”
said Bob Russo, general manager of the
PCI SSC, in an email. “Compliance is a
separate matter and is managed by card
brands and acquiring bank partners.”
Therein lies the problem, Taylor said.
“PCI emphasizes the wrong thing: compliance.
We don’t care about compliance, we’re focusing on
risk mitigation. The card brands are still focused on creating
clean environments for card transactions but you can’t
have that in an Internet society. Target proved you can’t have
a clean environment.”
A major security-inspired fix is already underway, as the industry moves toward EMV adoption (See “A Chip on Their
Shoulder” in the September 2012 issue of NACS Magazine).
However, the process is slow and has its own vulnerabilities.
“Europe went through [the EMV transition] and it still took them
10 years,” said Paige Anderson, director of government relations for NACS. “So it will take a decade to have everything up
and operational, but by that time, we’ll all be using our mobile
devices for payment.” Recall that EMV — a standard for credit