By now, everyone has seen the news that Target Stores suffered a massive credit and debit card data breach, as acknowledged by the retailer. The company says that more than 40 million card accounts may have been affected through card swipes at its brick-and-mortar stores between November 27 and December 15. [Target later revised the number of affected customers upward to 110 million.]
In a letter posted today to its customers, Target says that, “information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).” Target hasn't stated whether the CVV data is CVV1 (which is stored on the magnetic stripe) or CVV2 (which is printed on the physical card). Some have speculated that the data (with CVV1) may have been intercepted in transit between the card swipe readers and the point-of-sale (POS) terminals, at which point it may not have been encrypted.
In VDC’s opinion, it is far too early to conduct a post-mortem on what went wrong and who’s to blame. It is not too early, however, to raise the alarm about the possibility of future breaches of this type. VDC estimates that worldwide POS device shipments in 2012 totaled 1.9 million units of terminals/workstations and 11.6 million units of transaction card readers (including magnetic stripe and contactless chip-and-pin). With a market that size, the retailer with the bull’s-eye logo surely won’t be the last target of POS hackers.
In addition, millions more small sled type card readers are being sold for direct attachment to mobile phones and tablets, which presents another security risk. The mobile devices to which those card readers attach have even less controlled security than dedicated POS terminals.
This Target breach will spark an immediate wave of retailers and POS systems vendors reevaluating their security protocols on every level. In the short term, this event likely will stall some of the business deals in process for the retail embedded systems vendors, while customers and vendors pay extra attention to credit card security, such as compliance with the PCI Data Security Standards, before proceeding further. In the long term, it will make clear the need for more end-to-end security in retail systems, and ultimately boost the business for many vendors in the embedded security ecosystem. Vendors will raise the profile of credit card security in their product offerings and their marketing. And retailers will increase their engagement with independent security consultants and/or vendor security services to protect their consumers’ data from compromise.
By Steve Hoffenberg, Director M2M Embedded Software & Tools, with Richa Gupta, Senior Analyst AutoID & Data Capture