In November, Target was the victim of a record-breaking hack, in which approximately 40 million credit card numbers were stolen. Malware had been installed in the security and payments system of the large retailer, despite the anti-malware tools within the company’s system. Target, however, is not entirely to blame for this breach of security, as the company had its information system security in accordance with the cyber security standards of the credit card industry.

In 2006, “Visa, MasterCard, American Express, Discover, and JCB International created the [Payment Card Industry] security council to ward off government oversight of the retail payment systems” (Robertson 1). The PCI council audits retail payment systems to ensure that they are in accordance with the council’s standards. Logically speaking, if a retailer passes an audit by this council, its systems should be secure; however, accreditation by the council “doesn’t always offer much protection against fraud” (Robertson 1). Target, for example, had been granted accreditation merely two months prior to the aforementioned hack, which raises a myriad of questions, such as: Is there something wrong with the PCI’s standards? Why is the PCI in existence if it evidently does not work? What steps, if any, are being taken to strengthen the standards and audit process?

The storing and protection of information has to be the number one concern for every company in this day and age. Many innovations aid in the storing of information; however, these innovations have correspondingly led to greater exposure of stored data. Stronger security measures have been created, but the retail industry within the United States has lagged. These stronger security measures include “authentication chips in cards, point-of-sale data encryption, and secondary ID numbers that substitute for card numbers online” (Robertson 1).

The two most effective means of improving security are point-of-sale data encryption and dynamic authentication. Through point-of-sale encryption, data is safer from the moment it enters a retail system, which leaves less exposure to hackers; however, there is “no equivalent for online purchases” (Robertson 1). More and more individuals are electing to shop online as opposed to entering a store. A consumer’s credit card information must be encrypted upon its use online in order to protect the customer’s information. Dynamic authentication is the more effective solution, as the process makes storing the data useless: “the card can reset its magnetic-strip data with each purchase” (Robertson 1). The sole con of this method is that transactions become slower. Retailers and consumers must accept this and sacrifice speed for information security. This method will not only protect credit card data, but also eliminate the necessity of storing credit card information, because that information becomes “useless.” Both the credit card companies and the retail stores must come together to ensure the security of the retail systems, as the information exposed is much too valuable. The aforementioned means of security, point-of-sale data encryption and dynamic authentication, must become PCI standards, as they are the sole method of lessening the hacking of retail data, which has increased 15 percent since 2012.
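
Why dynamic authentication makes captured card data “useless,” shown as an added example that is not from the original post or from Robertson’s article. It is a simplified model, not the EMV specification: the names `Card`, `Issuer` and `dynamic_code`, the HMAC-and-counter scheme, the key and the card number are all assumptions constructed for illustration.

```python
import hashlib
import hmac

def dynamic_code(key: bytes, pan: str, counter: int) -> str:
    """Per-purchase code: HMAC over card number and purchase counter (assumed scheme)."""
    msg = f"{pan}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class Card:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def present(self) -> dict:
        """Everything the terminal (and any malware on it) sees for one purchase."""
        self._counter += 1
        return {"pan": self.pan, "counter": self._counter,
                "code": dynamic_code(self._key, self.pan, self._counter)}

class Issuer:
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last[pan] = key, 0

    def authorize_static(self, pan: str) -> bool:
        """Static stripe model: the same stored data is accepted every time."""
        return pan in self._keys

    def authorize_dynamic(self, swipe: dict) -> bool:
        pan, key = swipe["pan"], self._keys.get(swipe["pan"])
        if key is None or swipe["counter"] <= self._last[pan]:
            return False                      # unknown card, or replayed data
        expected = dynamic_code(key, pan, swipe["counter"])
        if not hmac.compare_digest(expected, swipe["code"]):
            return False                      # code does not match this counter
        self._last[pan] = swipe["counter"]    # this counter value is now spent
        return True

def demo() -> dict:
    pan, key = "4111111111111111", b"constructed-demo-key"  # constructed test values
    issuer, card = Issuer(), Card(pan, key)
    issuer.enroll(pan, key)
    captured = card.present()                 # what a compromised terminal would log
    return {
        "first_purchase": issuer.authorize_dynamic(captured),
        "replayed_capture": issuer.authorize_dynamic(captured),
        "forged_counter": issuer.authorize_dynamic(dict(captured, counter=2)),
        "next_purchase": issuer.authorize_dynamic(card.present()),
        "static_replay": issuer.authorize_static(captured["pan"]),
    }

if __name__ == "__main__":
    print(demo())
```

The replayed and forged submissions are declined while the card’s own next purchase is approved; only the static model accepts the stored data a second time.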