PCI Data Security

It’s time for a change.

The current credit card system has proven exceptionally vulnerable to breaches due, in part, to outdated technology. Retailers that suffer breaches, such as Target, are exposed to lawsuits from consumers whose personal information is stolen, but the retailer is merely the customer-facing interface to a system that has many players and serious flaws.

The Target data breach is certainly stunning. Data for more than 40 million credit cards was stolen during the first two weeks of the holiday shopping season. We do not know at this point exactly what happened in the Target data breach, but we do know where vulnerabilities exist in the system used by Target and other US retailers.

First, the card systems in the US use antiquated technology that has already been upgraded in other parts of the world. Credit, debit and other types of cards in the US store card data on magnetic stripes that are easily read and duplicated. In other countries, particularly in Europe, cards store their information on embedded chips that produce a unique code each time the card is used, so captured data cannot simply be replayed. This approach has proven dramatically more difficult for hackers to breach.

Second, many companies are using Point of Sale (POS) systems that are essentially Windows-based personal computers. This is the number one target for hackers in general and has proven to be more vulnerable than other platforms such as Linux or Apple-based systems.

Third, the PCI Data Security Standard (PCI DSS) compliance process is based on periodic snapshots. You can be in compliance at the time of the compliance review and out of compliance the next day. We need to move toward systems of continuous compliance monitoring.

Lastly, when a customer swipes a card, the information travels through numerous entities. Usually this includes the store, two different banks and one or more middlemen. A breach within any one of these companies can compromise the whole system.

Card and card reader systems have not fundamentally changed over the past 30 years, while computer hackers have become dramatically more sophisticated. If there is any good news to come out of the Target data breach, it is that it should spur a movement to streamline and modernize the system.

The day after Thanksgiving has become known as “Black Friday” not for negative reasons, but because it is a critical day and time period that can determine whether a retailer ends the year “in the black”. Profitability and survivability for many stores depend on a successful holiday shopping season. The scale and timing of the Target breach should be a warning to all retailers and participants in the card system that change is not optional. Their economic lives may depend on it.