12/19/2013

Target’s Data Breach: A Wake Up Call For Retail POS Systems Vendors and Customers

By now, everyone has seen the news that Target Stores suffered a massive credit and debit card data breach, as acknowledged by the retailer. The company says that more than 40 million card accounts may have been affected through card swipes at its brick-and-mortar stores between November 27 and December 15. [Target later revised the number of affected customers upward to 110 million.]

In a letter posted today to its customers, Target says that, “information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).” Target hasn't stated whether the CVV data is CVV1 (which is stored on the magnetic stripe) or CVV2 (which is printed on the physical card). Some have speculated that the data (with CVV1) may have been intercepted in transit between the card swipe readers and the point-of-sale (POS) terminals, at which point it may not have been encrypted.

In VDC’s opinion, it is far too early to conduct a post-mortem on what went wrong and who’s to blame. It is not too early, however, to raise the alarm about the possibility of future breaches of this type. VDC estimates that worldwide POS device shipments in 2012 totaled 1.9 million units of terminals/workstations and 11.6 million units of transaction card readers (including magnetic stripe and contactless chip-and-pin). With a market that size, the retailer with the bull’s-eye logo surely won’t be the last target of POS hackers.

In addition, millions more small sled-type card readers are being sold for direct attachment to mobile phones and tablets, which presents another security risk. The mobile devices to which those card readers attach have even less tightly controlled security than dedicated POS terminals.

This Target breach will spark an immediate wave of retailers and POS systems vendors reevaluating their security protocols on every level. In the short term, this event likely will stall some of the business deals in process for the retail embedded systems vendors, while customers and vendors pay extra attention to credit card security, such as compliance with the PCI Data Security Standards, before proceeding further. In the long term, it will make clear the need for more end-to-end security in retail systems, and ultimately boost the business for many vendors in the embedded security ecosystem. Vendors will raise the profile of credit card security in their product offerings and their marketing. And retailers will increase their engagement with independent security consultants and/or vendor security services to protect their consumers’ data from compromise.

By Steve Hoffenberg, Director M2M Embedded Software & Tools, with Richa Gupta, Senior Analyst AutoID & Data Capture
