Information about http://www.verifone.com/about-us/PDF/WSJ_Credit-Falters_Apr_08.pdf

THE WALL STREET JOURNAL. TUESDAY, APRIL 29, 2008 …

Tags: april 29, breaches, cash register systems, credit card information, credit card security, dow jones, dow jones company, dow jones company inc, family dollar stores, family dollar stores inc, hannaford, jewett, joseph pereira, malicious software, okemo, private lines, private networks, security processors, verifone, wall street journal,
Pages: 1
Language: english
Created: Wed May 7 10:50:18 2008
THE WALL STREET JOURNAL.
TUESDAY, APRIL 29, 2008
© 2008 Dow Jones & Company, Inc. All Rights Reserved.


Credit-Card Security Falters

Industry Standard Hasn't Prevented Recent Breaches

By JOSEPH PEREIRA

Despite efforts by the credit-card industry to force retailers to protect their customers' data, several recent security breaches suggest that current requirements aren't enough.

Hannaford Bros., a unit of Belgium's Delhaize Group SA, says it received a certificate on Feb. 27 stating it was fully compliant with the credit-card industry's security protocols. But that same day, the New England supermarket chain was informed by its card-transaction processor that there appeared to be a problem with its customers' credit-card accounts. The chain soon learned that data for 4.2 million cards may have been stolen.

Until now, most known retail-data breaches occurred at companies that failed to comply with steps mandated by a credit-card industry group called the Payment Card Industry Security Standards Council, or PCI, in Wakefield, Mass. The Hannaford attack--and another disclosed last month at Okemo Mountain Resort, a ski operator in Vermont--has prompted retailers to seek security systems well beyond PCI standards.

Hannaford last week announced the adoption of two such measures. The company installed a round-the-clock security monitoring-and-detection service provided by International Business Machines Corp. to track all user log-ins. The chain has also begun to encrypt all its customer card information immediately from the time the card is swiped at the cash register, so that data is scrambled all the way to the company's corporate servers, from where it is sent to the credit-card company. "PCI is a good place to start but retailers are going to have to go above and beyond PCI," said Bill Homa, Hannaford's chief information officer.

Says Bonnie MacPherson, a spokeswoman for the ski resort, which lost card data for nearly 50,000 customers, "We did everything we were supposed to." The company says it doesn't know whether the breach resulted in any theft.

Joshua Jewett, information chief at Family Dollar Stores Inc. in Charlotte, N.C., plans to beef up the cash register systems at about 2,500 of the company's stores by August with more data encryption than mandated by PCI. Both Hannaford and Family Dollar are purchasing security systems from Verifone Holdings Inc. of San Jose, Calif.

Until two years ago, retailers faced a cacophony of security requirements, with each of the major credit-card brands--including Visa Inc., MasterCard Inc. and American Express Co.--issuing their own set of standards. Then the credit-card industry established PCI, and consolidated the best data security practices into a single, unified code.

The compilation, called PCI Data Security Standards, requires such things as encrypting or masking customer data, regularly updating antivirus software, restricting access to card data to only certain authorized personnel and protecting stored information with firewalls, among other things.

Retailers that fail to meet the requirements are subject to fines.

In January, Visa announced that 77% of its largest U.S. merchants became PCI compliant in 2007, up from 12% in 2006. Compliance among midsize merchants grew to 62% last year from 15% the year before.

Credit card-related fraud grew to $5.49 billion in 2007 from $1.46 billion in 1997, according to industry tracker Nilson Report. Law-enforcement officials attribute the rise to new technological applications as well as increased participation by international organized-crime groups.

Bob Russo, PCI's general manager, says PCI believes its standards--derived with input from more than 500 data-security specialists--are adequate, but he adds that PCI is still awaiting the results of investigations into the Hannaford and Okemo breaches. "If there is something that's lacking in the standards, then we'll address it immediately," he says.

In both the Hannaford and Okemo heists, hackers attacked an area that previously had been thought impenetrable--a company's private internal computer network. Many previous breaches involved wireless network systems.

PCI mandates that all transaction data sent over networks that are publicly accessible--such as in coffee shops--be encrypted, but it doesn't require that for transmissions over internal private lines.

At Hannaford and Okemo, hackers managed to install malicious software into the companies' private networks to steal credit-card information being transmitted to processors for approval.

"This kind of attack would not have been possible if the credit-card data had been encrypted," says Avivah Litan, a security analyst for Gartner Inc. in Stamford, Conn.

Michael Cherry, an online-security consultant, says companies can encrypt credit-card data at cash registers, which PCI doesn't require, at minimal cost. "You can be worry free for less than $100 per cash register," says Mr. Cherry.

Two companies that provide such technology--called personal identification number pad encryption--are courting new customers, playing up Hannaford and Okemo's vulnerabilities.

Verifone Holdings is promoting its VeriShield system, which was purchased by Family Dollar. A similar product, called MagneSafe, is offered by MagTek Inc., of Carson, Calif.

Rob Caulfield, chief executive of TrustCommerce, an Irvine, Calif., credit-data processor that works with MagTek's clients, says he knows of about two dozen retailers currently using MagTek encryption and about 300 others that "are queuing up to become clients."

Meanwhile, PCI has been upgrading its requirements for retailers as more information about vulnerabilities is gleaned from data breaches. In February, PCI required merchants to ensure that PIN pads are tamper proof and their credit-card data are rendered useless if they are opened. The requirement follows a theft last year where thieves stole PIN pads from Dutch retailer Royal Ahold NV's Stop & Shop stores in the Northeast U.S. and accessed customers' debit-card passwords.

As of June 30, retailers must install firewalls that prevent hackers from accessing internal company files through software programs that are exposed to the Internet, such as applications that handle online credit-card transactions. PCI also plans to toughen its standards in September in the areas of wireless transmissions, card-preauthorization procedures and software applications that handle credit-card data. "From all the data breaches we've seen, we're quickly learning that the point-of-sale is our weakest spot in the payment chain," says Mr. Russo.


THE PUBLISHER'S SALE OF THIS REPRINT DOES NOT CONSTITUTE OR IMPLY ANY ENDORSEMENT OR SPONSORSHIP OF ANY PRODUCT, SERVICE, COMPANY OR ORGANIZATION.
Custom Reprints (609)520-4331 P.O. Box 300 Princeton, N.J. 08543-0300. DO NOT EDIT OR ALTER REPRINT/REPRODUCTIONS NOT PERMITTED