Breach in Target Security Shows Possibility that PCI is not Properly Set Up for Merchants


When Brian Krebs first reported the Target credit card breach on December 18, 2013 on the KrebsOnSecurity blog, he made sure to mention that the breach took place at the store’s physical locations and did not involve its e-commerce site. Media reports stated that the Target credit card breach rivaled the 2007 TJX Companies breach involving T.J. Maxx, where an estimated 100 million card numbers were stolen, and the Heartland Payment Systems Inc. breach in 2009. After the T.J. Maxx breach, PCI, Visa, and MasterCard became so alarmed that they wrote the rules of PCI compliance and the meaning of PCI compliance. As a result, every retailer and other card processing entity became subject to far more strenuous rules in order to become PCI compliant.

After Target confirmed the breach on the day after the release of Krebs’ blog post, Visa Inc. and MasterCard Worldwide issued statements to The Green Sheet stating that they both offer zero liability protection against fraudulent purchases for their cardholders, while a payments industry told The Green Sheet that the security weaknesses lie with the retailer, not with the payment providers. They believe that this shows that the PCI Security Standards Council should focus on the retail sector, especially considering that the recent breaches have occurred in physical merchant locations and not online. Merchants state that the breaches make it clear that “PCI and its program is not properly set up for the retail location. And what they really need to do is stop basically bullying companies like us.”

Speculation has risen that the Target credit card breach must have been an inside job. Unlike other security breaches in 2013, such as those at Schnuck Markets Inc., Zaxby’s Franchising Inc., and other retailers, which happened over extended periods of time, the Target breach occurred quickly, over a two-week period. Critics believe that this shows that the attack was coordinated and in-depth, making the idea that it was an inside job feasible.
