Gone in 60 Seconds

Less than 60 seconds—that’s how long it took me to discover I could be a criminal. All I needed was a little plastic card. Locked out of my house on a blustery morning, I borrowed a neighbor’s expired credit card and approached the task of breaking into my home with great skepticism. I had no clue what to do after inserting the card between the door and its frame. Surprisingly, I barely moved the card and learned that tripping a lock was even easier than it appears in the movies.

As quick and easy as it was to open a locked door with a credit card, it was nothing compared to how easy it has become for criminally astute minds to steal credit-card data. The recent security breach at TJX Cos. sent another warning of payment systems’ vulnerability. Retailers face a myriad of immediate risks—some of which may not even be on your radar screen.

Bob Carr, chairman and CEO of Heartland Payment Systems, Princeton, N.J., cautioned that retailers are likely oblivious to what he considers the single- greatest security risk: the storage of data contained on track two of credit cards, including the individual cardholder’s name, account number and CVV (card verification value) security codes.

“Although storing track-two data is prohibited by Visa and MasterCard, many software developers, either knowingly or unknowingly, broke the rules for storing data,” he explained. “If a fraudster hacks into the system and accesses that track-two data, they have enough information to create a ‘white plastic’ card that will act exactly like the actual credit card. With a credit-card number, a fraudster can make purchases on the Internet; with a white card, they can walk into any store and make purchases.”

For the most part, retailers probably do not know whether their systems store track-two data, and particularly in the 1980s and ’90s (when many of the systems currently in place were written) it was not unusual for software developers to want to save all the data that was captured. At that time, confidence in the security of systems was running high, and professionally developed firewalls were thought to be virtually impenetrable.

Carr offered two recommendations for retailers. First, confirm that the software being used meets Visa’s Cardholder Information Security Program (CISP-certified) and MasterCard’s Data Security Standards (DSS-certified). Second, obtain a letter from the software developer stating that the rules have not been violated and track-two data is not being stored.

Additionally, retailers relying on payment processors should confirm that their partners are managing credit-card transactions with the greatest levels of security. One option is to request that all data comply with Data Encryption Standards (DES) before they are stored. The encryption process scrambles numbers prior to storage, and a secure code is required to restore the authenticity of data. The cost of encryption is modest when compared to the potential risk of compromised data. Heartland Payment Systems, which processes 1 billion credit-card transactions annually, added sufficient encryption abilities, with a $150,000 investment in hardware.