April 01, 2012, 8:39 PM — The latest data security breach to strike MasterCard and VISA has security experts focusing anew on the good and bad of PCI DSS. On one hand, the standard offers a clear blueprint on how to handle such a breach. On the other hand, compliance is usually not the cure, as this latest incident demonstrates.
"While the scope and details of the attack are not yet known, it shows three years after the Heartland Payment Systems breach of 130 million credit card numbers that credit card data is still vulnerable," said Neil Roiter, research director at Corero Network Security. "The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack."
As many as 10 million users of VISA and MasterCard may have had their card numbers compromised in what sources in the financial sector are calling a "massive" breach of a U.S.-based credit card processor.
The news was first reported this morning by Brian Krebs on his KrebsOnSecurity blog.
Ted Julian, chief marketing officer of Co3 Systems, a data loss management firm, estimates the potential liability for a merchant with 1 million cards compromised could top $1.6 million from compliance fines alone.
Krebs said the two credit card firms issued non-public alerts last week to banks about specific cards that may have been compromised in a breach of the so-far unnamed processor between Jan. 21 and Feb. 25 of this year.
"Affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase," Krebs wrote. "Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area."
In an interview this morning, Krebs said the fraudulent card use "seemed to be tied to gang activity in New York City, but I haven't heard that from more than one source."
In the grand scheme of credit card breaches, this one does not come close to topping the list -- the Heartland Payment Systems breach in late 2008 involved more than 130 million credit and debit cards and about 175,000 merchants.