April 9, 2006
This article appeared in the Retail Self-Service Executive Summary, Spring 2006.
Since early March, news of a debit-card security breach suspected of compromising more than a half-million U.S. Visa and MasterCard cardholders has spread across all media.
At this point, there's no way to know how much has been lost - the financial institutions are staying closed-lipped, as are the suspected retailers - and there's no way to know how much deeper the compromise will dig.
Experts like Fair Isaac's Mike Urban and Gartner Group's Avivah Litan say those compromises are just the tip of the iceberg.
"Criminals are moving from the credit market to the debit market, and there's a lot of it going on," said Urban, operations director of Fair Isaac's CardAlert Fraud Manager transaction-monitoring program.
From 2001 to 2003, the number of compromised U.S. debit cards tracked by Fair Isaac for its financial-institution clients doubled. By 2005, that number exceeded 60,000.
As more consumers migrate toward debit from credit and cash, the fraud concern grows.
PIN-pointing the problem
PIN-based debit transactions were at first thought immune from compromise. But accessing PIN information isn't as difficult as once thought.
In this recent compromise, most agree that fraudsters copied card data, CVV and CVC, from magnetic stripes at POS terminals. Criminals then hacked and stole PIN information wrongfully held by the retailer or retailers.
Litan suggested that CVV and CVC data also may have been stored and hacked. She suspects PINs in this compromise were intercepted in one of two ways.
"They were either stored and broken into or they were broken into on the wire (when transactions were processing)," she said. "In both cases, they had to get a hold of the encryption key. And they either got the master key at the server through a hack or an inside job. That has to be what happened, because of the sheer amount of numbers they got."
Visa USA Inc. vice president of corporate risk and compliance Eduardo Perez said Visa is continuing to educate all of its processors, merchants and banks about the need to validate everything.
"Visa-member acquirers are responsible for ensuring that our merchants comply with our high standards," Perez said. "And we take a number of issues to make sure that our membership meets PCI (Payment Card Industry) compliance appropriately."
Visa compliance specialist Jennifer Fischer points to PCI compliance as the backbone of Visa's security initiative. But she said focusing on standards requires an understanding of the system, and some retailers don't understand the system.
For instance, even though PCI prohibits the storage of magstripe and PIN data, some retailers and processors have been busted with the information.
"Don't store it if you don't need it," Perez said. "You are restricted from holding CVV and CVV2, and what we've been finding is that some of these merchants don't realize that they're storing this data."
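Perez's point, that merchants often do not realize they are retaining stripe and verification data, is a detection problem. The scanner below is an added example, not code from the article or from Visa, Fair Isaac or Gartner. It walks text records such as POS debug logs or database exports and flags the categories PCI DSS forbids keeping after authorization: full track 1 and track 2 magnetic-stripe data, CVV/CVC/CID values and PIN or PIN-block fields. The track layouts are the standard ISO 7813 formats; a Luhn check filters digit runs that merely resemble a PAN; bare PANs are deliberately not flagged, since they may be stored when protected. The sample log lines are constructed, and the field names (cvv2, pinblock) are assumptions about how a careless application might label the data.

```python
"""Scan text records (POS logs, DB exports) for sensitive authentication data
that PCI DSS forbids storing after authorization: full magnetic-stripe track
data, card verification values (CVV/CVC/CID) and PIN / PIN-block fields.

Added example; the sample lines below are constructed, not from any real system.
"""
import re
from typing import Dict, List

# Track 2 as encoded on the stripe: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# Labelled fields that must never be persisted, e.g. "cvv2=123" or "pinblock: 0A1B..."
# (field names are assumed labels a careless application might use)
FIELD_RE = re.compile(
    r"\b(cvv2?|cvc2?|cid|pin(?:block)?)\s*[=:]\s*([0-9A-Fa-f]{3,16})\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the portion PCI DSS permits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per piece of sensitive authentication data on the line.
    A bare PAN (e.g. 'pan=...') is not reported: storing it is allowed if protected."""
    findings: List[Dict[str, str]] = []
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append({"kind": "track2", "pan": mask_pan(m.group(1)),
                             "expiry": m.group(2), "service_code": m.group(3)})
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append({"kind": "track1", "pan": mask_pan(m.group(1)),
                             "expiry": m.group(2), "service_code": m.group(3)})
    for m in FIELD_RE.finditer(line):
        # Report the field name only; never copy the secret value into the report.
        findings.append({"kind": "field", "field": m.group(1).lower()})
    return findings


def scan_records(lines) -> List[Dict[str, str]]:
    """Scan an iterable of text lines, tagging each finding with its 1-based line number."""
    out: List[Dict[str, str]] = []
    for n, line in enumerate(lines, 1):
        for f in scan_line(line):
            f["line"] = str(n)
            out.append(f)
    return out


# Constructed sample POS log; PANs are well-known test numbers, not real cards.
SAMPLE_LOG = [
    "2006-03-01 12:00:01 POS7 DEBUG swipe raw=;4111111111111111=08051011234567890?",
    "2006-03-01 12:00:02 POS7 DEBUG auth req pan=5500000000000004 cvv2=123 amt=4999",
    "2006-03-01 12:00:03 POS7 INFO settlement batch 42 ok",
    "2006-03-01 12:00:04 POS7 DEBUG pinblock=0A1B2C3D4E5F6071",
    "2006-03-01 12:00:05 POS7 DEBUG swipe raw=%B5500000000000004^DOE/JOHN^08051011234567890?",
    "2006-03-01 12:00:06 POS7 DEBUG test vector ;1234567890123=0805101?",  # fails Luhn
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_LOG):
        print(finding)
```

Run against a real log tree, the script reports which files and lines retain forbidden data without itself echoing the card values, so the report can be shared with the people who have to fix the application. The Luhn filter matters in practice: without it, timestamps, transaction IDs and test vectors generate enough false positives that operators stop reading the output.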