It was revealed earlier this month that the St. Louis-based supermarket chain, Schnucks, had a data breach that exposed at least 2.4 million customer credit and debit card numbers to an outside hacker. Schnucks is currently involved in a class action lawsuit over the breach and possible leak of credit card info by its card processing company.
Currently the news reports that this breach occured because:
- Leaders in the company don’t think that anything is wrong with their data security. According to a survey by CORE Security only 15% of CEOs are very concerned about network vulnerability; however, 65% of security officers “admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk.”
- The point of sale (POS) and retail management software that retail companies use to process their customer’s card information often use inadequate security tools and minimal security best practices.
Data breaches caused by faulty security in credit card processing machines and software are surprising to most people because we expect credit card processing companies to protect our card information and personal data. In fact, credit card processing companies are mandated by the Payment Card Industry Data Security Standards (PCI-DSS) council to use encryption and encryption key management in order to sell their point of sales (POS) devices and retail management software to businesses such as Schnucks.
Despite the regulations, however, many POS and retail management vendors pass PCI-DSS audits by the skin of their teeth with data security solutions that have been cobbled together with the bare minimum requirements. If asked if they still felt exposed with their current data security solution, many database administrators will respond with a resounding, “YES.” As we have seen over and over again, these piecemeal solutions are not good enough to prevent a data breach!
This has revealed a truth that is becoming more and more evident:
Just because a merchant or a POS vendor has passed a PCI-DSS audit does not necessarily mean they are protected from a data breach! Even though PCI-DSS is supposed to protect customers and prevent data breaches of this kind, loose interpretations by auditors of PCI-DSS and poor encryption and key management techniques leave businesses open and exposed to hackers.
Schnucks could have most likely prevented this data breach by having chosen a POS vendor and retail management software ISV who offered these guarantees:
- Encryption - Always use industry standard encryption such as AES encryption.
- Encryption key management - Companies encrypting data should always protect their encryption keys using an encryption key management hardware security module (HSM). This is a critical component to securing sensitive data.
- System logging - A good system logging solution can help you catch and prevent changes to your network in real-time in order to prevent a data breach.
- Certifications - Your POS and retail management software provider should have encryption and key management with NIST and FIPS certifications. These certifications ensure that your encryption and key management solution are up-to-date with the highest standards.
Unfortunately, these days passing a PCI-DSS audit is not enough. Merchants and retail software vendors need to stay ahead of the game by using data security tools that are going to protect their customers and protect themselves in the event of a data breach. The bare minimum will not cut it.
Townsend Security is a leading provider of encryption, key management, and system logging solutions. We partner with POS and retail management ISVs to help these companies protect and secure sensitive data fast, easily, and at a competative price. Here at Townsend Security our team works with our partners by providing hardware, training, marketing materials, and thorough back end support to help our partners and their customers achieve peace of mind.