September 21, 2011
Visa Expands Technology Innovation Program for U.S. Merchants to Adopt Dual Interface Terminals
Visa is announcing plans to accelerate the migration to contact chip and contactless EMV chip technology in the U.S. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of Near Field Communication (NFC)-based mobile payments by building the necessary infrastructure to accept and process chip transactions
Not only will chip technology accelerate mobile innovations, it is also expected to enhance payment security through the use of dynamic authentication. Chip technology greatly reduces a criminal’s ability to use stolen payment card data by introducing dynamic values for each transaction. Even if payment card data is compromised, a counterfeit card would be unusable at the point of sale (POS) without the presence of the card’s unique elements. By eliminating static authentication, we reduce the value of stolen cardholder data, benefiting all stakeholders.
Visa’s plan includes merchant incentives to upgrade to EMV chip-enabled terminals, requirements for acquirer processors to support chip acceptance and the introduction of U.S. liability shift policies.
Specifically, Visa will waive Payment Card Industry Data Security Standard (PCI DSS) compliance validation requirements to encourage merchant investment in contact and contactless chip payment terminals. Visa will also require acquirer processors to ensure that their systems support dynamic data acceptance (i.e., chip) and will institute a domestic and cross-border counterfeit liability shift.
About the Visa Technology Innovation Program
Effective 1 October 2012, Visa will expand the Technology Innovation Program (TIP)1 to the U.S. TIP will
eliminate the requirement that eligible merchants annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant’s Visa transactions originate from dual-interface EMV chipenabled terminals, in addition to meeting other qualification criteria.
To qualify, terminals must be enabled to support both EMV contact and contactless chip acceptance, including mobile contactless payments based on NFC technology. Contact chip-only or contactless-only terminals will not qualify for the U.S. program.
Visa developed TIP to recognize and acknowledge merchants that have taken action to prevent counterfeit fraud by investing in EMV technology. The program is part of Visa’s overall effort to introduce more dynamic authentication data into the payment system and prepare for the use of emerging technologies that aid in the protection of the payment system by encouraging merchant investment in contact and contactless chip payment terminals.
Visa data security compliance programs help reduce the compromise of sensitive cardholder data. In the U.S., Visa required all Level 1 and Level 2 merchants to validate PCI DSS compliance by 30 September 2007. As of 31 March 2011, more than 96 percent of Level 1 and Level 2 merchants in the U.S. have validated their compliance with the PCI DSS.
These merchants have invested in ongoing annual PCI DSS compliance assessments, with many engaging a Qualified Security Assessor (QSA) year-over-year at significant expense. As interest in emerging technologies increases, many U.S. merchants are also considering investing in the future of payments by deploying dual-interface POS terminals. Dual-interface terminals have the ability to process transactions from various payment card products, including EMV chip contact cards, contactless cards, mobile devices and magnetic stripe cards.
Merchants qualifying for TIP can reap meaningful savings through the reduction of costs associated with annual PCI DSS validation, and will have the opportunity to re-invest those savings into additional payment technology infrastructure to support dynamic data processing.
1
Visa Inc. and Visa Europe introduced the TIP program for acquirers and merchants in non-U.S. geographies in February 2011. For more information on the previously announced TIP programs, see the 9 February 2011 Visa Bulletin “Visa Introduces Technology Innovation Program for Merchants” or contact Visa Inc. at [email protected] or Visa Europe at [email protected].
Minimum Merchant Qualification Standards
To qualify for the program and receive its benefits, U.S. merchants must meet all of the following criteria:
1. The merchant must have validated PCI DSS compliance within the previous 12 months or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance, based on a gap analysis.
2. The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.
3. At least 75 percent of the merchant’s total transaction count must originate from dual-interface (contact / contactless) enabled chip-reading device
2terminals.
4. The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance. Merchants that do not meet the program’s terminalization requirements, including merchants whose transaction volume is primarily from e-commerce and Mail Order / Telephone Order (MO/TO) acceptance channels, are still required to validate PCI DSS compliance annually in accordance with Visa compliance programs.
Visa will work directly with acquirers to confirm eligible merchants and verify acquirer reporting responsibilities.
Note: Participation in the program is contingent upon the acquirer’s submission of—and Visa’s approval of—a
program application for each qualifying merchant. Visa will work closely with acquirers on the continued monitoring of merchants’ PCI DSS compliance and dual-interface terminalization efforts.Visa reminds acquirers that a merchant must not request or use a Visa account number for any purpose other than as payment for goods and services, per the Visa International Operating Regulations.
2
Enabled chip-reading devices must have current, valid EMV approval and pass Visa Acquirer Device Validation Toolkit (ADVT) / Visa payWave Test Tool (VpTT) implementation requirements as applicable, must comply with the Visa Transaction Acceptance Device Requirements (TADR), and must be able to perform endto-end chip transactions.
Merchants Must Maintain PCI DSS Compliance
Although Visa may waive the annual validation requirement for qualifying merchants, all merchants are required
to maintain ongoing PCI DSS compliance. Acquirers retain full responsibility for merchants’ PCI DSS compliance, as well as responsibility for any fees, fines or penalties that may be applicable in the event of a data breach. All participants in the payment system must continue to protect sensitive static card account information (including PINs) vigilantly and adhere to industry data security standards such as the PCI DSS, PCI PIN Security Requirements, and the Payment Application Data Security Standard (PA-DSS). Visa supports and encourages the use of payment technologies that eliminate card data, secure data in storage and transit, and devalue remaining information via dynamic authentication.
Visa reserves the right to require full PCI DSS validation of compromised entities. If risk conditions change dramatically in any market, Visa may re-evaluate the need for qualifying merchants to validate PCI DSS compliance.
Finally, and in accordance with PCI DSS, all merchants must establish and annually test an incident response plan that outlines the steps to take in the event of a suspected account data compromise. This plan must be consistent with the Visa What to Do If Compromised document.
Preparing for Payment Technology Evolution
Incenting U.S. migration to a POS infrastructure that will facilitate the acceptance of EMV chip contact, contactless and mobile transactions supports an increasing interest in these technologies by U.S. acquirers, merchants and issuers alike. As the U.S. payment infrastructure evolves from the static magnetic stripe to intelligent devices like EMV chip cards and NFC mobile phones, it is critical to ensure that cardholders continue to conduct secure and frictionless transactions across all channels.
Preparing for PCI D-Day
As the deadline for PCI DSS 2.0 compliance approaches, chains should make sure they understand the changes— and triple check that they meet the requirements.
Preparing for PCI D-Day : Convenience Store Decisions
By Erin Rigik, Associate Editor.
On Jan. 1, 2012 all convenience store retailers must comply with PCI DSS 2.0 standards. While some chains have been ready for more than a year, others are still struggling to get up to speed.
Allsup’s Convenience Stores, which has 320 c-stores in Texas and New Mexico is ready. It began rolling out Redbox from Reliant Security to all its stores in August, after beginning the planning process back in February.
“We have our own in-house-developed POS system, and it has been in service for a number of years, and therefore it uses some older technology, so complying with some of the PCI regulations was difficult with the legacy software,” said Gary Holmes, chief information officer for Allsup’s. “We found Reliant had a unique way of addressing PCI security—that being their Redbox network appliance. It isolates the cardholder data from exposure and monitors for unauthorized wireless in the area to make sure hackers aren’t trying to break into the data. So between Redbox and secure encryption, customers can be sure their data is well protected.”
PCI compliance is a priority to Allsup’s. “We’re committed to providing great customer service and part of that commitment is ensuring we use all due diligence to provide financial security to our customers and take that responsibility seriously, and that’s why we use a good secure network appliance to protect that data,” Holmes said.
While Redbox is set to take Allsup’s most of the way through PCI requirements, Holmes noted that the chain will also need to follow up with more employee-centric requirements, such as ensuring passwords and user IDs are continuously changed.
Customized Solutions
Stinker Stores is also gearing up for the Jan. 1 deadline. It rolled out Cybera’s Cybera ONE integrated security service at its 50 retail locations in Idaho earlier this year. Stinker Stores originally created an in-house PCI compliance solution, but eventually switched to Cybera’s fully-managed service due to the lower cost and the ability to take the management burden off of its IT staff.
Cybera provided the Boise, Idaho, chain with a customized design tailored to its application and compliance requirements. The chain’s solution includes: on-site security appliance; managed firewall service; managed intrusion detection services; rogue wireless detection and reporting services; hosted security information and event management with alerting; 12 month remote log storage; online solution management portal; and access to a 24/7 security operations center.
“If any c-store chain isn’t ready for PCI compliance now, they had better hurry. It’s a big project and there are many issues involved in PCI compliance, and if someone is just getting started now they’re going to have a very difficult time getting ready by the first of the year,” said Holmes. “Now that having been said, companies that used packaged software—if they use a POS system that is marketed by a major vendor of POS systems, the vendor has likely solved the software aspects of PCI compliance.”
Pending Changes
Standards for PCI compliance are updated every three years. The move from version 1.2.1 to 2.0 was announced last fall, and stores have had an entire year to update their security in time for Jan. 1, 2012.
“You can, in fact, still use the old version 1.2.1 until Dec. 31, as long as the new system is in place by Jan. 1. But our suggestion is to use the new version now,” said Bob Russo, general manager for the PCI Security Standards Council.
PCI DSS is the basic standard for PCI compliance that includes 12 requirements covering six specific goals from physical security to logical security.
“Recognize that the PCI DSS changes from version 1.2.1 to 2.0 are not monumental changes, however they should not be overlooked,” said Susan Matt, CEO of ThoughtKey, a consulting firm specializing in strategic advisory and review services for the payment industry. “The changes are simply clarifications and additional guidance on the existing standards.”
One major clarification had to do with the primary account number (PAN) on a credit card. “If you decide you’re going to store that account number, it must be rendered unreadable—you can encrypt it or use tokenization, but it must first be rendered unreadable,” said Russo.
But questions persisted: “If I store that PAN and I store the customer’s name, do I have to encrypt everything including their name?” The answer is no; only the PAN must be encrypted. “If I store the primary account number and I also store the expiration date, do I have to encrypt both?” Again, no, just encrypt the primary account number.
“Those are the kinds of clarifications we needed to make within version 2.0. Some people think the council itself makes up these standards, but this is done from feedback from all of our constituents—we have almost 700 companies from retailers to associations, banks and vendors—who are all part of the council and who give us feedback on how we need to update these standards,” Russo said.
Logging is another aspect that is updated in the 2.0 version. “We want to make sure that everything that happens is in a log somewhere because, generally, if a breach occurs when the forensics people come in to see what happened, they always find what went wrong in the log,” Russo said. To be compliant by Jan. 1, stores need to ensure they have logging turned on and have one centralized log as opposed to many logs.
Reviewing those logs on a regular basis has helped merchants identify and fix potential breaches immediately. “That can be the difference between millions of credit cards compromised because no one has looked at the log in two months, and only five cards because someone was monitoring the log and took action,” Russo said.
Prioritizing risk is another aspect that has been clarified in the new version. Risks are different for every merchant. Two retailers can have the same vulnerability but have it rate differently in terms of risk.
“It used to be an assessor would come in and say, ‘You have 10 vulnerabilities and they all have to be fixed immediately for you to be compliant.’ But maybe vulnerability No. 9 is very obscure based on my risk profile. I understand it needs to be fixed, but I don’t need to stop everything and fix it—I can determine which vulnerability needs to be immediately fixed and which can wait a week,” Russo said.
That said, organizations can’t arbitrarily classify a vulnerability as high, medium or low risk. “There needs to be a valid and documented methodology supporting the reasons,” Matt said. “I encourage organizations to work with their QSA on the best approach and/or research the methodologies if you self-assess.”
Standards on scoping are also updated in the new version. Stores must scope the network to determine where they are vulnerable and where they are processing card data. “If you’re not processing credit card data in this part of your network, you really don’t need to do that much with that part of your network,” Russo said. “So before starting down the path of becoming compliant you really need to scope out your network to make sure you’re not doing more work than you need to be doing.”
Matt advises retailers to read through the PCI DSS & PA DSS version 2.0 Summary of Changes Memo published by the PCI Security Standards Council and to engage a QSA to discuss the changes and the potential impact on their chain.
“I also recommend to all of my clients a review of the PCI DSS standards and the subcomponents annually. You would be amazed at how much you can continuously learn each time you read the document,” Matt said.
Matt also recommends double checking that all requirements have been implemented and then having that validated in writing with any companies you are trusting to support or host the payment environment.
Ready or Not
As she continues to support merchants through litigation following a data breach, Matt it is still surprised at how much of a gap still exists on PCI DSS across organizations of all sizes.
For larger organizations with a full-time IT staff, the transition from version 1.2.1 and 2.0 should be uneventful. “But for smaller organizations or those with fewer IT resources, the risk assessment requirements, scope reduction proof and virtual server reviews may prove more resource intensive so start ASAP,” Matt said. “I cannot emphasize enough the importance of taking PCI DSS seriously. Taking the smallest steps forward in achieving PCI DSS compliance can provide a significant amount of protection from a breach and the associated litigation liability.”
“The last thing you want is a breach,” agreed Russo. “Not because there are fines—that is the least of your worries. If it gets publicized that you’ve been breached, it can cause such damage to your reputation and the absolute worst thing that can happen is that your customers lose confidence in you.”
Dealing with Skimming
Skimming, where a thief places a device over the ATM or gas pump credit card slot in order to steal card data, continues to worry retailers.
Gas pump skimming in particular has been a favorite topic of news organizations in the midst of growing gas prices, but John Buzzard, client relations manager for the Fair Isaac Corp. (FICO), said incidents of gas pump skimming in 2011 so far are lower than last year. “We might finish up 2011 with a tame year for gas pump skimming and then experience a huge increase next year—no one can predict where the trends will fall. The best idea I have for convenience stores is to follow the two C’s: compliance and common sense,” he said.
Buzzard offers the following tips to prevent skimming at convenience stores:
• Install surveillance cameras with DVR storage capacity at all gas pumps, cash wraps and ATM locations. Cameras should be positioned to record actions and not payment card or PIN information, and footage should be held for a year.
• Some retailers are adding “seals” and asking consumers to report any broken seals that might indicate tampering.
• Reset and change system passwords on all POS software.
• Multi-location retailers should have district management randomly inspect gas pumps and POS devices for security. “This is not a job for store personnel to perform alone for a variety of reasons,” Buzzard noted.
• If a POS device has no connectivity, the incident should be immediately recorded.
• If you suspect POS or gas pump skimming, contact the closest U.S. Secret Service field office. “Every case is handled discreetly with the emphasis placed correctly on stopping the criminal in their tracks,” Buzzard noted.
• Retailers should invest in PCI-compliant POS devices, and should be truncating payment card numbers on receipts.
Preparing for PCI D-Day : Convenience Store Decisions
December 03, 2009
PCI Compliance - Liability issue and class action suit
Update on Radiant - suit is over the use of remote monitoring/access tool being misused. This is a case of a separate part of the solution impacting the complete equation. Link
December 02, 2009
PCI Compliance - Liability issue and class action suit
Radiant gets class action filed against it for claiming PCI compliance when it fact it was not.
Nov 23, 2009 – Secret Service Investigation and Class Action Lawsuit Cast Shadow Over Radiant Systems and Louisiana Distributor
Atlanta Company and Distributor Accused of Negligence in Widespread Identity Theft at Restaurants
ATLANTA, November 23, 2009 — Forensic audit investigations conducted by credit company-approved experts concluded that the Louisiana-based distributor for Radiant Systems, Inc. (http://www.radiantsystems.com/) products violated data protocols that directly contributed to security breaches at restaurants in Louisiana and Mississippi. This finding of alleged negligence is at the heart of a collective action lawsuit filed by seven restaurants claiming that hundreds of customers had their identities stolen as a result of poor business practices and faulty software from Radiant and Computer World (the distributor).
The restaurants are seeking millions of dollars in damages from Radiant and Computer World.
“Our clients are restaurants. They are food experts, not technologists. When major players in the hospitality industry such as Radiant Systems and its distributors say their software and business practices are PCI-DSS compliant, our clients trust them,” said Charles Hoff of the Law Offices of Charles Y. Hoff, PC, general counsel for the Georgia Restaurant Association and one of the attorneys acting as a legal advisor to the restaurants in the lawsuit.
Hoff continued: “When those claims of compliance and proper security practices turn out to be false, the restaurants are left to suffer huge financial losses due to financial penalties imposed by the credit card companies. Their reputations are tarnished. We’re determined not to let Radiant and Computer World simply walk away from their responsibilities.”
PCI-DSS is a comprehensive set of technological requirements and consumer protections created by the major credit card companies to safeguard point of sale (POS) systems from hackers and protect consumers from identify theft. POS system vendors must follow these standards, and any business accepting credit cards for payments (such as restaurants) are contractually obligated to use equipment and software from PCI-DSS compliant vendors. The penalties for retailers that have their systems breached can be massive, even if the problems are the fault of the hardware and software vendors.
A special investigation by the United States Secret Service (the agency responsible for investigating cases of credit card fraud and identity theft) was also conducted given the multitude of Radiant POS systems subject to security breaches throughout Louisiana and Mississippi and the findings by the forensic reports that Computer World – exclusive area distributor of Radiant Systems’ “Aloha” POS software - violated PCI-DSS provisions. Among the findings:
1) Restaurants were sold earlier model POS systems although they were represented to be new models;
2) Computer World used a remote access system that did not have adequate security patches – a violation of PCI-DSS standards;
3) Computer World used the same password for at least 200 operators in violation of PCI standards;
4) The distributor failed to remove prior sensitive customer credit data upon installation of Radiant POS systems, again in violation of PCI standards.
As a result, the lawsuit’s plaintiffs are alleging that:
• Radiant Systems’ negligence and failure to either instruct or monitor Computer World’s actions led to systems being compromised and leaving the plaintiffs’ customers vulnerable to identity theft and fraud.
• That Radiant and Computer World were warned by Visa in 2007 that their programs were non-compliant. (The restaurants were unaware of these warnings at the time they purchased the Aloha system.)
• Once the breaches occurred and cases of identity theft and fraud began to appear, Visa, MasterCard and the card processing companies invoked their contracts and directly penalized the restaurants for the actions of Radiant and Computer World. The plaintiffs were hit with huge fines, required to pay for forensic audits to trace the problems, reimbursement of fraud costs to the credit card companies and payments for re-issuance of credit cards to affected individuals.
The lawsuit is seeking compensation to repay the penalties levied by the credit card companies and the massive costs to track down and repair the POS system problems. According to the attorneys, damages “could run well into seven figures”.
The restaurants have filed their lawsuit in the 15th Judicial District Court of Louisiana in Lafayette Parish and “will be seeking to raise awareness of the chaos and financial turmoil caused by companies such as Computer World and Radiant. We want other restaurants nationally to be aware of the hidden dangers posed by these technology companies and the unfair penalties imposed by the credit card companies,” said Shiel Gallagher of Gallagher & Gupta, PC, in Chicago, the second attorney leading the lawsuit.
“These huge companies shouldn’t have the power to destroy these restaurants. It’s a classic David-versus-Goliath story and we’re going to do what we can to protect what these small business owners have struggled to build.”
August 26, 2009
PCI Best Practice Supplement for Merchants
New best practice document for merchants from PCI Security Council. Recommended. Available on gokiosk.net as pdf
August 19, 2009
TJX Hacker Charged With Heartland, Hannaford Breaches
Amazing story of Gonzalez and the hacks into TJMaxx, Hannaford, 7-Eleven, others. He cut his teeth on Dave & Busters, then worked for the Feds, then went back to hacking more corporations. This our government did for us? Two articles one from Wired and one WSJ. The Wired one by Zetter is great. Also reveals SQL-injection attack on web servers was route in...The Tiger Woods of Cyber Crimes. Content from Wired, WSJ and NewsHour.
Here is the Wired report
Source article
TJX Hacker Charged With Heartland, Hannaford Breaches
By Kim Zetter August 17, 2009 | 2:34 pm | Categories: Breaches
The constellation of hacks connected to the TJX hacker is growing.
Albert “Segvec” Gonzalez has been indicted by a federal grand jury in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.
According to the court document, the hackers allegedly stole more than 130 million credit and debit card numbers (.pdf) from Heartland and Hannaford combined. Prosecutors say they believe these breaches constitute the largest data-breach and identity-theft case ever prosecuted in the United States. They’re investigating other breaches and have not ruled out Gonzalez’s involvement in even more intrusions.
“We’re not seeing a huge array of hackers capable of doing this, but rather a more select group, [and that] demonstrates that there is a level of sophistication involved in these hacks,” said Assistant U.S. Attorney Erez Liebermann of the Justice Department’s New Jersey district office.
But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies. Jury selection is slated to begin Sept. 14 in one of those cases. With regard to the Heartland-Hannaford cases, Gonzalez and the two unnamed Russian hackers have been charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit wire fraud.
They each face a maximum penalty of five years in prison and a possible maximum fine of $250,000 on the computer-fraud count and an additional 30 years and $1 million fine on the wire-fraud count, or twice the amount they gained from the offense, whichever is greater.
Attorneys for Gonzalez were not available for comment.
According to the New Jersey indictment, Gonzalez, 28, and an uncharged conspirator identified only as “P.T.,” allegedly found their targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used and uncover vulnerabilities. The hackers used computers they leased or controlled in California, Illinois and New Jersey as well as in Latvia, Ukraine and the Netherlands to store malware, launch their attacks against the networks, and receive the stolen numbers.
Using a SQL-injection attack, the hackers allegedly broke into the 7-Eleven network in August 2007, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.
Liebermann declined to identify the two national retailers, or state the amount of data stolen from them, because he said they have not gone public with their breaches.
Once on the networks, the hackers installed back doors to provide them with continued access at later dates. According to authorities, the hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.
“The fact that they were able to evade antivirus software that was running on the environment by testing it and programming the malware to erase itself suggests a degree of sophistication,” said Assistant U.S. Attorney Seth Kosto of the New Jersey office. “If it were just a case of getting onto the network, the card data would probably not have been exfiltrated.”
Heartland disclosed last January that hackers had installed sniffing software on its network that allowed them to capture unencrypted credit card data as transactions were being authorized in its system.
The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer’s name as well. The company has never disclosed the number of cards compromised, although the company’s website indicates that it processes about 100 million transactions a month for about 250,000 businesses.
According to Liebermann, Heartland accounts for the “vast majority” of the 130 million numbers mentioned in the New Jersey indictment.
Heartland reported in May that the breach had cost it $12. 6 million so far, which includes legal costs and fines from Visa and MasterCard, who say the company was not compliant with payment-card–industry rules.
Heartland’s CEO Robert Carr told Wired.com recently that the initial breach into the company’s network in December 2007 was confined to the company’s corporate network, which Carr said was separate from its card-processing network. But by May 2008, the hackers had jumped to the processing network. Carr wouldn’t say how they accomplished this.
Heartland caught the breach of the corporate network, but was unaware the hackers were sitting on its system for months conducting reconnaissance. Trustwave, a computer security firm, conducted its 2008 audit of Heartland on April 30 and deemed it compliant with Payment Card Industry Data Security Standards (PCI DSS). But shortly thereafter, the intruders began stealing batches of unencrypted card-track data from Heartland’s network, and continued doing so for months before being discovered.
Gonzalez was a Secret Service informant who once went by the nickname “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003. Authorities discovered his connection to Shadowcrew and soon put him to work undercover on the site, setting up a VPN for the carders to communicate, which was controlled out of the Secret Service’s New Jersey office.
That undercover operation, known as “Operation Firewall,” led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to “Segvec” and moved to Miami where he allegedly resumed his life of crime under the nose of authorities who were in pursuit of “Segvec,” while being ignorant of the fact that he was their old informant.
Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.” As Wired.com previously reported, he spent $75,000 on a birthday party for himself and once complained to associates that he had to manually count $340,000 in stolen $20 bills after his counting machine broke.
Stephen Watt, a 25-year-old programmer who was working for Morgan Stanley, created a sniffing program dubbed “blabla” that Gonzalez’s gang used to allegedly siphon credit and debit card numbers from TJX and other companies and is facing sentencing this month. The indictment doesn’t charge Watt with writing the malware used in the Heartland and Hannaford breaches.
Photo: Albert Gonzalez/Courtesy U.S. law enforcement
Here is the WSJ story
By SIOBHAN GORMAN
A 28-year-old American, believed by prosecutors to be one of the nation's cybercrime kingpins, was indicted Monday along with two Russian accomplices on charges that they carried out the largest hacking and identity-theft caper in U.S. history.
Federal prosecutors alleged the three masterminded a global scheme to steal data from more than 130 million credit and debit cards by hacking into the computer systems of five major companies, including Hannaford Bros. supermarkets, 7-Eleven and Heartland Payment Systems Inc., a credit-card processing company.
[Photo of albert gonzalez released to wired.com by secret service] U.S. Secret Service courtesy of wired.com
Photo of Albert Gonzalez released to wired.com by Secret Service
The indictment in federal district court in New Jersey marks the latest and largest in at least five years of crime that has brought its alleged orchestrator, Albert Gonzalez of Miami, in and out of federal grasp. Detained in 2003, Mr. Gonzalez was briefly an informant to the Secret Service before he allegedly returned to commit even bolder crimes.
Authorities have previously alleged that Mr. Gonzalez was the ringleader of a data breach that siphoned off more than 40 million credit-card numbers from TJX Cos. and others in recent years, costing the parent company of the TJ Maxx retail chain about $200 million.
Mr. Gonzalez is in federal custody in Brooklyn, N.Y., awaiting trial for alleged efforts to hack into the network of the national restaurant chain Dave & Buster's Inc. He also faces charges in Boston in the TJX matter.
The alleged thefts in Monday's indictment took place from October 2006 to May 2008.
Mr. Gonzalez is "a very important player in a sophisticated ring that has real results at the street level of bank, retail, debit- and credit-card fraud," said Seth Kosto, an assistant U.S. attorney in New Jersey who specializes in computer fraud.
More
* Text: DOJ Indictment | Statement
* Q&A: What Consumers Should Know
* Earlier: Card Data Breached, Firm Says
Journal Community
* Discuss: How secure is credit card information? Have you been a victim of identity theft?
The indictment, interviews and recent court documents in the cases pending against Mr. Gonzalez paint him as a rising star in the cyber underground. He launched what he called "operation get rich or die tryin," targeting Fortune 500 companies with his data-theft operations, according to a sentencing memo filed in federal district court in Massachusetts in the TJ Maxx matter. These documents say he threw himself a $75,000 birthday party and at one point lamented he had to count more than $340,000 by hand because his money counter had broken.
Such large sums, primarily in $20 bills allegedly stolen from ATMs, proved tough to manage, the sentencing memo says. He was considering investing in a club, but told one of his co-conspirators in the TJX heist that he would only be able to pull together $300,000 in a "legitimate appearing form" like a check, according to the documents.
Federal investigators say Mr. Gonzalez is a high-school graduate and self-taught programmer who cut his criminal teeth as a leader in the self-styled Shadowcrew, an online credit-card hacking ring. In 2004, 26 leaders of the 4,000-person ring were arrested and convicted. "He was one of the key leaders," said Scott Christie, a former U.S. prosecutor who worked on the case.
Mr. Gonzalez wasn't charged when he was arrested in 2003 because he agreed to become an informant for the Secret Service following his arrest, say Justice Department officials. In November 2004, the government permitted him to move from New Jersey to Florida. Much of the subsequent hacking took place there, according to court records. He was arrested in conjunction with the Dave & Buster's hacking scheme in May 2008 and has been in detention since.
Subsequent investigations into breaches at Heartland and others led investigators back to Mr. Gonzalez. They found that he and his co-conspirators in Russia, which the indictment does not name, staged their crime on a network of computers spanning New Jersey, California, Illinois, Latvia, the Netherlands and Ukraine that would infiltrate the computer networks of the victim companies.
In computer attacks lasting more than a year, the trio allegedly scooped up credit- and debit-card numbers and installed so-called back doors in the victims' computer networks to enable them to steal more data in the future, the indictment said. They also installed "sniffer" programs to capture card data and send it to the hackers.
The indictment didn't estimate the losses associated with the alleged activities, nor did it spell out how the alleged co-conspirators may have made money off the stolen numbers. Typically, hackers sell batches of credit-card data online -- the current asking price in online forums is $10 to more than $100 per account profile, depending on the account's limit.
The trio made extensive efforts to conceal their activities, registering the computers they used under false names and communicating online under a variety of screen names, the indictment alleges. Mr. Gonzalez often used the online alias "soupnazi," an apparent reference to a character in the sitcom "Seinfeld."
The three were charged with gaining unauthorized access to computers, computer fraud and conspiracy to commit wire fraud. Mr. Gonzalez faces up to 25 years in prison and $500,000 in fines. His lawyer did not return phone calls Monday.
"We're pleased that the authorities have aggressively pursued this case to be in a position to bring an indictment against the alleged perpetrators," said Michael Norton, a spokesman for Hannaford Bros. Heartland commended the government's sleuthing in the case; 7-Eleven declined to comment.
Wire fraud, conducted in cyberspace because wire transfers now use networks that connect to the Internet, has exploded in recent years. The Treasury Department recently reported that of the more than 55,000 incidents of wire fraud since 1998, more than half of them occurred in the past two years.
"The financial sector may be more secure than most, but it's hemorrhaging," said Tom Kellermann, a former cybersecurity official with the World Bank who is now a vice president with Core Security Technologies, a cybersecurity company. "For too long a time they have not paid enough respect to the sophistication and organization of the underground economy."
—Robert Tomsho, Joseph Pereira and Timothy W. Martin contributed to this article.
Write to Siobhan Gorman at [email protected]
Nice writeup on StorefrontBacktalk
link here
Interview on Newshour with Zetter of Wired and VISA
Record-setting Cyber Theft Stirs Questions on Security
The Justice Department indicted three men on Monday for stealing more than 130 million credit and debit card numbers by hacking into the computer systems of five major companies. Cyber-securiity experts discuss the case with Ray Suarez.
RAY SUAREZ: It's a case the Justice Department is calling the largest credit and debit card data breach in U.S. history. Twenty-eight-year-old Albert Gonzalez and two Russian co-conspirators are charged with stealing more than 130 million card numbers between October 2006 and May 2008.
The trio allegedly hacked around the firewalls of several companies' computer systems, including card payment processor Heartland Payment Systems, supermarket chain Hannaford Brothers, and convenience store chain 7-Eleven.
It's a record-setting breach, breaking the previous mark held, federal prosecutors say, by the same Albert Gonzalez. The Miami man was already in federal custody. He previously had been charged in identity theft cases involving the restaurant chain Dave & Buster's and the retailer T.J. Maxx.
With this latest cybersecurity breach, consumers are asking themselves, how safe is my financial information?
For some answers, we turn to Kim Zetter. She's been covering this story for Wired.com. And Rosetta Jones, she's vice president for corporate relations at Visa.
Kim Zetter, how does the government say Albert Gonzalez did what they're saying he did?
KIM ZETTER, Wired.com: Well, he worked with some co-conspirators who -- they chose their targets by looking at Fortune 500 company lists. And once they found their target, they did sort of reconnaissance to find out what kind of processing system they used for processing their credit and debit cards. Once they knew that, they were able to look at what kind of vulnerabilities might exist in the system.
In the case of Heartland and Hannaford and 7-Eleven, I think we know that they used a SQL injection attack on all of them. And a SQL injection attack is a pretty kind of standard attack that can be prevented if the server is configured correctly. And in these cases, it's showing up over and over again that many companies aren't configuring their servers correctly.
RAY SUAREZ: So they did the digital equivalent of casing these places before trying the attack?
KIM ZETTER: Yes, exactly. In some cases, they went onto the Web site of the company, and the Web sites gave them information that helped them infiltrate the companies. The Web sites can tell them what kind of processes they're using and that kind of thing.
And in the case of Heartland, you know, Heartland is a credit card, debit card processor, so it's sort of the middleman between retailers and banks. And so if you hit a processor like that, then you're getting millions of cards, as they did in this case.
RAY SUAREZ: Rosetta Jones, the program, according to the government, that these fellows were using burrowed into the systems and then started exporting the data they were finding there to places outside the United States, to some places inside the United States, but also to Latvia, Russia, the Netherlands. Why?
ROSETTA JONES, Visa: Your question was why they were exporting data?
RAY SUAREZ: Well, why to those places? Is it harder to investigate, harder to prosecute once you ship the data off to somewhere else in the world?
ROSETTA JONES: We think there's ample opportunity for the government to be involved to help international cooperation in catching the criminals. We think that is an important opportunity and a significant area where the government can be involved.
RAY SUAREZ: Have the two sides been learning from each other, the hackers and the institutions that are trying to fend off these attacks? Do they look for breaches and then exploit them and then your side tries to build new defenses?
ROSETTA JONES: Well, I think, as long as card data remains valuable, criminals are going to continue to seek that information. What we have to do as an industry is to work with financial institutions and with merchants to protect that card information. And we have to make sure that they're adhering to strict industry data security standards.
I think as an industry we also have to explore new ways to make that card data not valuable to criminals. And we're looking at things like the introduction of dynamic data into the transaction. We think that has a good opportunity to help prevent fraud.
Background of a hacker
RAY SUAREZ: Kim Zetter, Albert Gonzalez was already known to federal law enforcement before he was arrested, wasn't he?
KIM ZETTER: Before he was arrested this time? He's already in custody at this point, but, yes, he was known -- he's been known to authorities since at least 2003. He was arrested in 2003, and authorities discovered that he was the top administrator on a carding forum called ShadowCrew. It's basically an online community or was an online community where credit card thieves gathered and sold their goods.
And when they arrested him and found out that he was administrator, they flipped him to become an informant for them, and he worked out of the Secret Service New Jersey office from I think it was about late 2003, early 2004, until they brought down ShadowCrew in October 2004.
And he convinced the carders on that forum to use a special virtual private network for communicating, and that network was controlled by the Secret Service, so they were able to read all the communications that was going through there.
When the bust was over, he went back to his criminal ways, and he changed -- his online nick at that point was "Cumbajohnny," and he changed it to "Segvec," and he continued to commit crimes as "Segvec," and authorities were actually chasing this person named "Segvec" without knowing that he was the former informant for the Secret Service. And then he...
RAY SUAREZ: While he was working as an informant, was he learning things that he could then turn around and use against places like card processing services and retailers?
KIM ZETTER: He probably was. And of course, he was making connections during that point, as well, because also on ShadowCrew and other forums that were connected to it were, you know, Russian criminals from the Russian hackers. And those are, you know, pretty much the top ones in this field, are coming from Ukraine and Russia.
And in this case, on the indictment that came down yesterday, there are two unnamed Russian co-conspirators who helped him hack into the systems. So those connections were probably made at that period and thereafter, as well.
Fraud rates
RAY SUAREZ: Rosetta Jones, are there a lot of people who know how to do this? Would it be happening more often if this wasn't such highly technical work?
ROSETTA JONES: Well, I think what you have to keep in mind is that, although you might read about hundreds of millions of accounts being compromised, that we know from our investigations less than 5 percent of those accounts are ever used fraudulently.
So while criminals might be trying to seek this information, the industry, Visa, and financial institutions are able to reduce fraud through effective monitoring of fraudulent transactions in the system.
And the fraud rate within Visa is actually at historic lows. It's just 6 cents out of every $100 transacted, and that's about half of what it was 10 years ago.
So, yes, we have more work to do to protect card information, but we know as an industry we're doing a good job at keeping fraud at bay.
RAY SUAREZ: So there's less fraud today than during the old days of running a card through one of those pressing machines and having carbon copies?
ROSETTA JONES: Today, using credit and debit cards remain one of the safest way to pay, especially over cash and checks. It's just the reality. Zero liability today exists for cardholders, so if there is fraud on your account, that you do not have to pay for that fraud. That's a protection that exceeds cash and checks.
Protections for consumers
RAY SUAREZ: But if you're reading the news and you see that there's been this latest breach, what can you be doing in your own interest? What should you be doing to protect yourself and check that your identity isn't being stolen, that your information isn't being used fraudulently?
ROSETTA JONES: Well, I think, first and foremost, again, it's important to remind consumers that you have important protections with using credit and debit cards. Zero liability is one of them.
But, of course, consumers should always monitor their accounts. We encourage consumers to have online banking and check their accounts real time and check their statements for fraudulent activity, and if they notice anything suspicious, to call their financial institution right away.
RAY SUAREZ: Kim Zetter, what do you think about the position of the consumer? Are people more vulnerable than they realize? Or, as you just heard Ms. Jones suggest, really the problem is with the credit card companies and they're the ones bearing the cost?
KIM ZETTER: Yes, I mean, I should point out that consumers, at least in the case of credit cards, we know there's zero liability. What's happening to our debit is that debit cards are being taken, as well. And, of course, when a debit card is stolen and, in some cases, PIN numbers are being grabbed, as well, then, you know, it allows an attacker to basically drain your bank account.
And in some cases, we're finding that consumers, it's not so easy for them to get that money back. They have to prove that they didn't use the card in many cases, and it can take months. In some cases, people aren't getting it back if it's, for instance, a business account instead of a personal account.
But, you know, I want to point out that even if consumers have zero liability, retailers are the victims in this, as well as the banks, the card issuers who have to reissue, you know, millions of new cards to customers whose numbers have been breached.
And there are lawsuits because of this, you know, against Heartland, TJX. You know, when they have unsecured systems that are breached, the cost, you know, is passed down to the retailers for the fraudulent transactions and then also for the people who have to reissue the cards.
RAY SUAREZ: We'll have to end it there. Kim Zetter, Rosetta Jones, ladies, thank you both.
ROSETTA JONES: Thank you.
KIM ZETTER: Thank you.
August 12, 2009
PCI Security - End-to-End Tokenized Encryption
EPX now extends data protection to what I call the 'first inch" of a transaction, i.e., from the plastic to the browser/EPX hosted application. They do that by integrating an encrypting card reader with their BuyerWall solution so that it holds the decryption keys out of the merchant's custody and in a secure system. The PAN data is not decrypted until it is needed for submission directly to the authorization networks, and is never at the merchant anywhere in plain text. Text posted on gokiosk.net [kiosk industry group]
May 14, 2009
PCI DSS: Judge Dismisses Hannaford Lawsuits
U.S. District Court Judge D. Brock Hornby on Tuesday (May 12) became the latest jurist to rule in favor of data-breached retailers, telling Hannaford consumers that because they were compensated by their banks, they have no basis to sue civilly here.
U.S. District Court Judge D. Brock Hornby on Tuesday (May 12) became the latest jurist to rule in favor of data-breached retailers, telling Hannaford consumers that because they were compensated by their banks, they have no basis to sue civilly here.
“There is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent. Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence.
The class-action-lawsuit-wannabe stems from last year’s data breach at the grocery chain, which exposed 4.2 million credit and debit cards and led to 1,800 reported cases of fraud. Similar to rulings from cases fellow data-breach retail victim TJX, Hornby said he couldn’t allow almost any of the defendants to continue with the case because the consumers hadn’t suffered out-of-pocket financial losses.
In an ironic sense, this all stems from the card brands’ zero liability programs. Those programs guarantee that consumers will have all fraud losses wiped clean. (The one defendant who can continue is a consumer whose fraud loss costs—for reasons unknown—were not covered by her bank.) It’s ironic because the programs to created to make consumers feel safer about their payment security. Today, that program is preventing consumers from successfully suing retailers that mishandle their data, which in turn makes it more difficult for retailers to justify spending more than the minimum on data security. Oh, what a tangled Web we weave when we batch download to receive. (Sorry.)
In his decision (full text copy available), Hornby rejected all but one of the claims brought by 21 plaintiffs against the Maine-based operator of more than 200 stores in New England, New York and Florida.
Hornby seemed to empathize with consumers who are increasingly anxious about criminals getting hold of their private financial data. “Recurrent reports about breaches of electronic data systems—of governmental agencies, the nation’s utility grid, merchants or other institutions—have generated increased apprehension, as consumers learn that the convenient card-based alternatives to cash turn out to have their own risks,” Hornby wrote. “This is not the first lawsuit over who bears the risk of electronic data theft, and it certainly will not be the last.”
However, the judge refused to offer an opinion as to whether the Maine Legislature or Congress needs to pass laws providing for increased consumer protection. “Such a decision involves complex arguments regarding the adequacy of current consumer protection, efficient risk allocation, the economics of doing business, and the efficacy of lawsuits as a way to resolve such issues,” Hornby wrote in his 39-page decision. “Nor do I determine whether the Maine Law Court should develop Maine common law to address these issues differently. I merely conclude that under current Maine law, consumers whose payment data are stolen can recover against the merchant only if the merchant’s negligence caused a direct loss to the consumer’s account.”
The plaintiffs argued they were owed money beyond the funds lost when Hannaford’s payment system was breached between Dec. 7, 2007 and March 10, 2008. Hackers stole private debit card and credit card information, “including debit card and credit card numbers, expiration dates, security codes, PIN numbers and other information,” and used the data to make about fraudulent charges on victims’ cards, according to the lawsuit. The plaintiffs sought money from Hannaford as compensation for emotional distress, lost rewards points, time spent dealing with the situation and other hassles.
But Hornby said there was no legal basis for those requests. “Maine law requires that there be a way to attach a monetary value to a claimed loss. These fail that requirement. The same is true for a consumer’s temporary lack of access to funds or credit, the annoyance of a canceled hotel reservation, and the embarrassment or annoyance of obtaining a family loan.”
April 22, 2009
Real Life - PCI DSS Firewalls
 Requirement 1 listed in PCI DSS is concerning firewalls. In real life with self-service kiosk terminals what is the practical effect of that. Here is an example. link |
May 28, 2008
Security Whitepapers - PCI DSS overview and ATM security
With recent incidents regarding retail systems data insecurity, here is nice overview/whitepapers on just those topics (albeit with Solidcore slant). PCI DSS standards are covered in the overview and then there is whitepaper from NCR on how they secure their Aptra systems.
Identity theft and credit card fraud is a large and growing problem. The Federal Trade Commission estimates that almost 10 million consumers were affected last year, at a cost of close to $50 billion. In order to combat this growing menace, Visa, MasterCard, American Express, Diners Club, Discover and other major credit card providers have joined together to introduce a compliance standard - the Payment Card Industry (PCI) Data Security Standard. The standard unites and supersedes the individual compliance standards such as Visa’s CISP and MasterCard’s SDP standards.
Fundamental PCI Requirements
1 Install and maintain a firewall configuration to protect data
2 Do not use vendor-supplied defaults for passwords and security parameters
3 Protect stored cardholder data
4 Encrypt transmission of cardholder data and sensitive information across public networks
5 Use and regularly update anti-virus software
6 Develop and maintain secure systems and applications
7 Restrict access to data by business “need to know”
8 Assign unique ID to each person with computer access
9 Restrict physical access to cardholder data
10 Track and monitor all access to network resources and cardholder data
11 Regularly test security systems and processes
12 Maintain a policy that addresses information security
PCI Compliance Transaction Thresholds & Levels
Credit card issuers divide its merchants into four levels based on the number of transactions processed every year, as shown in the table below.
Merchant Level No. of transactions
Level 1 > 6 million
Level 2 150,000 – 6 million
Level 3 20,000 – 150,000
Level 4 < 20,000
Each level is subject to a different set of compliance activities, with the strictest rules applied to level 1 merchants. In addition to transaction volume, any merchant that suffered a hack or an attack that resulted in account data compromise will automatically be required to meet level 1 compliance requirements. Further, the card issuer may, at their discretion, require any merchant in its network to meet level 1 requirements. In view of this, Solidcore’s recommended best practice is to follow level 1 requirements regardless of activity level. This white paper will focus on the compliance validation activities required of level 1 merchants.
For complete information download the whitepapers