About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

Creative Commons License
This work is licensed under a Creative Commons License.


PCI Compliance and the cost of a credit card breach

Posted on 15 October, 2007 under Featured, PCI DSS Compliance, Tokenization by Bryan Johnson

TJX is now the poster child for credit card data breaches. Starting in July 2005, hackers spent 18 months exploiting weak wireless network security outside thousands of TJX-owned stores and downloaded nearly 100 million credit card numbers. TJX recently estimated that the breach will cost them $118 million. Others, such as Forrester, estimate it will cost them $1.35 billion once legal fees, call center costs, regulatory fines, etc. are included.

While TJX has received all the recent attention, breaches are occurring more often than many realize. The exact number is unknown because only 31 states currently have laws requiring disclosure. One thing is for sure: if a business gets breached, it is going to pay for it, and it will be expensive. A Forrester report puts the cost per breached record at anywhere from $90 to $305.

Cost of a credit card breach

The profitable world of stealing credit card data
The spike in this type of criminal activity is attributable to the lucrative business of selling stolen credit card information. Depending on the quality, the selling price of a single record can easily be $100.

Criminals are using a host of tactics to steal credit card data. One of the most common methods is remote access to the servers that house the data, as in the TJX case. WEP 104-bit encryption can be cracked in under a minute on an 802.11g network using active ARP-replay packet-injection techniques.

Another very common approach is “skimming”, a practice where employees attach an electronic reader to the point of sale machine and steal cardholder information including name, credit card number, and the CVV2 code (the three or four digit number on the front or back of the card). Employees have also been known to simply write down this information.

In ecommerce environments, cyber criminals are using SQL Injection, Cross Site Scripting (XSS), and Buffer Overflow attacks.

PCI Compliance overview
The driving force behind the effort to secure all credit card data is the PCI Security Standards Council, which was founded by Visa, MasterCard, American Express, Discover and JCB. They have mandated that businesses meet 12 security requirements in order to protect cardholder data.

To provide proper incentives, the Card Associations have offered both carrots and sticks. As a carrot, merchants are offered protection from PCI-related fines, which can be as high as $500,000 per incident, if they are compliant at the time of the breach; this is called Safe Harbor. As a stick, merchants can face the above-mentioned fines when breached, as well as fines for non-compliance. Some card brands have threatened to levy fines against larger merchants, up to $25,000 per month, until they obtain compliance.

To start the process of becoming compliant, a company should consider engaging a Qualified Security Assessor (QSA), who can advise on remediation and is approved to complete the official assessments for the Card Associations. There are fewer than 100 companies that offer these services. A few examples include Accuvant, Security Metrics, and Trustwave. The process of becoming compliant may take anywhere from 1 month to 18 months, depending on the business size and the current IT and security infrastructure.

The cost and process of becoming PCI Compliant
Becoming compliant can be a time-consuming, costly, and considerably complex effort. Gartner recently estimated that the nation’s largest merchants will spend $568,000 on average during 2007 to meet the mandated requirements.

Taking matters into your own hands
One thing that can be done right away is making sure prohibited information is purged after authorization. That information includes full track data (from the magnetic stripe), CVV2 codes (the three and four digit codes) and PIN data.

If a business needs to store name, credit card number and expiration date, then that data needs to be secured, either internally or by storing it remotely. Credit card tokenization, a remote storage technology, creates a unique customer ID (token) for each record; the token is then used to remotely initiate transactions or change customer files without the business ever handling any sensitive credit card data.
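As an added example (not Braintree's code), here is what the purge-after-authorization rule and the tokenization approach described above look like in Python: a hypothetical vault issues a random token, the merchant keeps only the token, a masked card number and the expiry, and an audit check confirms that no prohibited data remains in the stored record. The class, field names, sample card and test PAN are all constructed for this example.

```python
import re
import secrets

# Data the post says must be purged after authorization: full track data,
# CVV2 and PIN. Field names below are constructed for this example.
PROHIBITED_AFTER_AUTH = {"track_data", "cvv2", "pin"}
STORABLE = {"name", "pan", "expiry"}   # may be kept only if protected (here: in the vault)

class TokenVault:
    """Hypothetical remote tokenization service: random token -> card record."""
    def __init__(self):
        self._store = {}

    def tokenize(self, card):
        kept = {k: v for k, v in card.items() if k in STORABLE}  # vault drops CVV2/track/PIN too
        token = "tok_" + secrets.token_hex(16)  # random; not derivable from the PAN
        self._store[token] = kept
        return token

    def charge(self, token, amount_cents):
        # Hypothetical stand-in for the vault forwarding the real card to the processor.
        card = self._store[token]
        return {"status": "approved", "amount": amount_cents, "last4": card["pan"][-4:]}

def merchant_record_after_auth(card, vault):
    """All the merchant keeps once the sale is authorized: token, masked PAN, expiry."""
    token = vault.tokenize(card)
    return {"customer_token": token,
            "pan_masked": "*" * (len(card["pan"]) - 4) + card["pan"][-4:],
            "expiry": card["expiry"]}

PAN_RE = re.compile(r"\b\d{13,19}\b")  # word boundaries: a hex token is one word, never flagged

def contains_prohibited_data(record):
    """Audit check over a stored record: prohibited fields or an unmasked PAN present?"""
    if PROHIBITED_AFTER_AUTH & set(record):
        return True
    return any(isinstance(v, str) and PAN_RE.search(v) for v in record.values())

# Constructed sample card as presented at checkout (4111... is a well-known test PAN).
SAMPLE_CARD = {"name": "A. Customer", "pan": "4111111111111111", "expiry": "12/09",
               "cvv2": "123", "track_data": "constructed-track-data", "pin": "1234"}

if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record_after_auth(SAMPLE_CARD, vault)
    print(record)                                   # only token, masked PAN, expiry
    print(contains_prohibited_data(SAMPLE_CARD))    # True: raw checkout data must not be stored
    print(contains_prohibited_data(record))         # False: safe to keep
    print(vault.charge(record["customer_token"], 1999))  # repeat sale by token only
```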

Other simple ways to better protect against breaches include tightening remote access controls, changing wireless network security from WEP to WPA, properly configuring firewalls, changing vendor default passwords, and using encryption to transmit all sensitive data.

In summary
Regardless of a business’s current situation, the cost of a breach can be enormous. TJX, a $17 billion retailer, will be able to weather the storm, but a smaller organization may not have the same financial depth, which means the consequences may be much more severe. So whether or not the required resources are readily available to pursue PCI Compliance and proper data storage, it might not be a bad idea to make it a priority in your organization.

Other related posts:
PCI DSS Compliance basics for credit card security

Braintree solutions:
The Smart Approach for PCI DSS Compliance

One Comment so far

Posted by David Keech on 24 October, 2007:

It’s interesting to note that PCI compliance doesn’t necessarily prevent a breach of security, it just limits the damage to $500,000 when/if there is one.

If you calculate the potential cost of a breach using the formula above and it comes out to more than $500,000 and more than the cost of getting compliant, then you’d be crazy not to go for it.

Of course, it would also be smart to hire a security expert as well as a compliance team. That way you might not even have to pay the $500,000 fine…
