It was revealed earlier this month that the St. Louis-based supermarket chain, Schnucks, had a data breach that exposed at least 2.4 million customer credit and debit card numbers to an outside hacker. Schnucks is currently involved in a class action lawsuit over the breach and possible leak of credit card info by its card processing company.
Currently the news reports that this breach occurred because:
Data breaches caused by faulty security in credit card processing machines and software are surprising to most people because we expect credit card processing companies to protect our card information and personal data. In fact, credit card processing companies are mandated by the Payment Card Industry Data Security Standards (PCI-DSS) council to use encryption and encryption key management in order to sell their point of sales (POS) devices and retail management software to businesses such as Schnucks.
Despite the regulations, however, many POS and retail management vendors pass PCI-DSS audits by the skin of their teeth with data security solutions that have been cobbled together from the bare minimum requirements. If asked whether they still feel exposed with their current data security solution, many database administrators will respond with a resounding, “YES.” As we have seen over and over again, these piecemeal solutions are not good enough to prevent a data breach!
This has revealed a truth that is becoming more and more evident:
Just because a merchant or a POS vendor has passed a PCI-DSS audit does not necessarily mean they are protected from a data breach! Even though PCI-DSS is supposed to protect customers and prevent data breaches of this kind, loose interpretations by auditors of PCI-DSS and poor encryption and key management techniques leave businesses open and exposed to hackers.
Schnucks could have most likely prevented this data breach by having chosen a POS vendor and retail management software ISV who offered these guarantees:
Unfortunately, these days passing a PCI-DSS audit is not enough. Merchants and retail software vendors need to stay ahead of the game by using data security tools that are going to protect their customers and protect themselves in the event of a data breach. The bare minimum will not cut it.
Townsend Security is a leading provider of encryption, key management, and system logging solutions. We partner with POS and retail management ISVs to help these companies protect and secure sensitive data fast, easily, and at a competitive price. Here at Townsend Security our team works with our partners by providing hardware, training, marketing materials, and thorough back-end support to help our partners and their customers achieve peace of mind.