Is PCI Effectively Preventing Fraud?

Experts: Grocer's Card Compromise Highlights PCI Gaps
The exposure of debit and credit card details at a California-based grocery chain has raised questions about the efficacy of - and retailers' compliance with - the Payment Card Industry Data Security Standard.

Modesto-based Save Mart Supermarkets issued a consumer advisory about card-reader breaches at 20 of its stores. [See Fraud Scheme Hits Grocer.]

The source of compromise: self-service checkout lanes. Like pay-at-the-pump gas terminals and ATMs, self-service payment terminals are easy targets for fraudsters.

Lachlan Gunn, who heads up the European ATM Security Team, says POS skimming in retail is a growing concern in Europe as well. "Skimming at unattended self-service terminals has been fairly widely reported at petrol stations, railway ticket machines and parking ticket machines," he says.

Fraudsters typically compromise card readers and PIN pads via two methods. One method uses a physical overlay that skims card details while a nearby camera captures PINs as they're entered on the PIN pad. The other method requires the attacker either to replace the PIN pad with one that's been manipulated to record details, or to compromise the existing PIN pad by opening it and adding chips that record or wirelessly transmit details as they're entered.

According to Save Mart's website, tampered card readers at self-service checkout lanes in 19 Lucky Supermarkets locations and one Save Mart store were discovered during routine maintenance. When the tampering occurred and the type of device or method used to compromise the terminals were not explained. But Save Mart says it replaced readers on all of the affected terminals and added additional security to POS card readers in all of its 234 locations soon after the tampering was discovered.

McAfee consultant Robert Siciliano says most retailers fail to focus on real-world security threats, like skimming. "Merchants are spending their energy just barely being [PCI] compliant, but far too many aren't even that," he says.

PCI PTS: A Hollow Solution?

Andrew Jamieson, technical manager with Witham Laboratories, an independent provider of information security evaluations and consulting to organizations throughout Asia-Pacific, says PCI-DSS compliance can protect card readers, if they aren't swapped. And full compliance with version 3.1 of the PCI PIN Transaction Security requirements, passed in May 2010 by the PCI Security Standards Council, likely would have prevented the Save Mart compromise. "If the data is being transmitted in the clear out of the device, compromise can occur," he says.


If readers contain a Secure Reading and Exchange of Data module, then card data is encrypted even after it leaves the POS.

Jeremy King, European regional director for the PCI Security Standards Council, says the PCI PTS standard encompasses unattended terminals, and security guidance for merchants is included in the standard. He also suggests retailers invest in emerging technology designed to thwart skimming attacks at self-service devices, like the ones compromised at Save Mart.

"There are anti-skimming devices now becoming available that can detect the presence of a skimming device, because a lot of the skimmers these days, they tend to transmit the data," even if they are installed inside terminals, hidden from view. [See An End to Pay-At-The-Pump Skimming?]

But other experts disagree.

Martin McKeay, a former PCI quality security assessor who now works on the security intelligence team at web-security provider Akamai, says PCI-DSS and PCI PTS do not address PIN pad security. "PTS might offer some protection against the attacks on Save Mart, but it is a companion compliance measure to PCI-DSS, not something that merchants are responsible for complying with," he says. "PTS covers the software and hardware of PIN pad devices and offers suggestions of how merchants should implement them, but the PCI-DSS has very little guidance or compliance guidelines that have to be followed and assessed at the merchant sites."

Transmissions from the PIN pad should be encrypted, and PTS requirements do support the encryption of data in motion. But as McKeay points out, the Save Mart breach appears to have resulted from a compromise of the PIN pads and card readers themselves, not the network. "If the PIN pad is compromised, no level of encryption at the network level is going to safeguard the credit card data," he says. "PTS would only offer limited defense against compromising the device directly."

Mike Urban, who oversees product management for Fiserv's Financial Crimes division, says PCI has prevented criminals from hacking into transaction environments. But fraudsters have gotten around this by capturing card data before it is secured at the terminal. "This is another reason for the U.S. to push forward on the migration to chip and PIN [or the Europay, MasterCard, Visa standard] technology," he says.

About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
