Let’s start off with why we are publishing this blog. First, SecureState is a Qualified Security Assessor (QSA), which means we are qualified to assess organizations against the Data Security Standard (PCI DSS) published by the Payment Card Industry Security Standards Council and to attest to the results.
Second, SecureState is one of only 11 PCI Forensic Investigators (PFI) in the United States, which means the payment brands rely on us to investigate breaches involving credit card information.
Target stores, processes and transmits cardholder data (CHD), so Target must be PCI compliant. Compliance for an organization of this stature is rigorous, involving more than 220 controls that have to be implemented to prevent a data breach. Target is also required to have a QSA company assess those controls annually and attest that the organization has maintained compliance throughout the review cycle.
Target accepts credit cards in a variety of ways, including in-store card swipes, its website (online) and phone orders (customer service). Each of these channels is in scope for PCI and must comply with the standard.
The Breach Point
It appears that hackers were able to steal CHD from the point of sale (POS) systems and/or the card swipes. Based on the information available, Target appears to use an application it developed in-house to perform in-store transactions. Alongside PCI DSS there is the Payment Application Data Security Standard (PA-DSS), which applies to payment applications that are sold or distributed to third parties and that handle POS and card swipe transactions. The PCI Security Standards Council posts a list of validated applications on its website, and Target’s custom-developed solution is not on it. This is not surprising: under the guidelines, an application developed in-house for a merchant’s own use is not required to be PA-DSS validated, and its security is instead assessed as part of the merchant’s own PCI DSS compliance.
How Easy is it?
For a hacker to infiltrate Target’s network and reach the POS application, several PCI DSS and PA-DSS controls must have been missing or ineffective. On that basis, Target was not compliant at the time of the breach.
How can I be so sure? Well, as stated above, we handle these investigations for the Payment Card Brands (PCB), and in every investigation we have performed the merchant was not compliant with the PCI DSS controls at the time of the breach.
It’s not easy for an attacker to bypass these controls, access a properly secured POS, and steal 40 million card records. Either the attack was very sophisticated or Target lacked basic controls that would have prevented it.
What are they doing about it?
Target’s first step is to contain the breach, ensuring that the compromised systems can no longer reach other systems or applications involved in credit card processing. Target has stated that online transactions are secure, which implies it has already taken the steps needed to keep the website from being compromised.
The second step is to stop the breach by eradicating the attacker from the environment, preventing further loss of card data and/or personally identifiable information (PII).
The third step is to secure the systems so that future attacks are prevented. This is a time-sensitive process and is usually completed within 45 days of a breach.
The fourth step is the not-so-fun one: analyzing all the data involved and determining what actually happened. For the Heartland breach, this took over a year and added up to a cost of $250 million.
Over the course of the investigation there will be a lot of finger pointing as to the cause of the breach. If a QSA company attested to Target’s compliance, its work papers will be scrutinized to determine whether the QSA should have discovered problems with the compliance program and whether it should have signed off at all. That review will extend to the POS systems and to whether the QSA should have required a more rigorous examination of the card swipes at Target’s 1,400-plus locations.
How the breach was discovered will be a key component of the investigation: did Target alert the Payment Card Brands, or did the Secret Service know about the breach before Target did?
Breaches are unfortunately becoming a common reality. A company that detects its own breach, however, generally has good monitoring over its environment and can respond effectively; one that learns of it from outsiders usually does not.
Target has a good response strategy for this breach. It is sharing information, working with authorities, has contracted a PFI company, and has set up an 800 number to help customers with any fraudulent transactions. In the weeks ahead Target needs to maintain this transparency and continue to give its customers support and guidance.
As with every breach involving PII and CHD, consumers should watch their credit reports and recent card transactions, and be very suspicious of phishing e-mails impersonating Target. Since debit card PINs were also compromised, now would be a good time to change yours.
In my latest installment of State of Security, I warned about potential breaches around the holiday season. Now is the time to take an active look at your security posture so you are not the next Target.