Readers Respond to MAPCO Attack
Concerns About Retail Malware, PCI Inadequacy Mount

Executives at banking institutions and other organizations haven't been shy about sharing their frustration over the growing number of retail breaches we've seen in recent months.
And last week was just another example. In response to the malware attack against the MAPCO Express convenience store chain, readers took advantage of our comments feature to point out shortcomings they see in retail point-of-sale and network security.
MAPCO in early May announced it had discovered evidence of a malicious attack that likely affected the 377 stores that connect to its corporate network. Debit and credit data associated with transactions conducted between March 14 and April 21 was likely exposed, the company said. MAPCO customers were advised to contact their banks and credit unions to alert them of the potential for fraudulent transactions related to the breach.
What readers said about the breach echoes what industry experts have been saying for several months - compliance with the Payment Card Industry Data Security Standard does not equal security.
"In the U.S., PCI compliance is not enforced like you would like to think (especially since the PCI-DSS has its roots in the country)," one guest writes. "Cards are widely accepted till $21 without the need for a PIN or signature."

Another comment, posted by Chris Snelling, states: "As you might be aware, many companies seeking to become PCI compliant believe that as long as their network environment is 'secured,' they are compliant, and are unwilling to move forward with a logging solution that is responsive to the constantly evolving threats from hackers. They believe that if the firewall is secure and the PCs have a logging capability, then that is good enough."
The problem, this reader points out, is that most breached entities are not sufficiently monitoring network access and event logs. In order to be truly PCI compliant, this type of monitoring is a necessity, but most merchants fail to address the monitoring piece of PCI, he contends.
"Too many companies believe that it is cost-prohibitive to fully engage the PCI process," this reader writes. "Risk management 101. Cost/Benefit? Where are the hard numbers to show true cost of a breach? It is going to take Visa, MasterCard and others to 'force' [this] into the everyday mindset of the old corporate mentality."
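The monitoring gap this reader describes is concrete: collecting logs is not the same as looking at them. As an added illustration (not code from the article, from MAPCO or from the commenter), the script below runs two simple checks over a handful of constructed firewall and POS host log lines: it flags outbound connections from the POS segment to any destination not on an allowlist, and it flags a burst of failed logons against a POS host, including a success that follows the burst. The log format, hostnames, addresses, the `10.20.` POS prefix and the allowlist are all assumptions made for the example.

```python
"""Toy POS log-monitoring checks (added example, not from the article or MAPCO).

Two detections a merchant's monitoring should cover:
  1. outbound connections from POS hosts to destinations not on an allowlist
  2. repeated failed logons against a POS host inside a short window,
     and a success that follows such a burst
Log format, hostnames and addresses are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; not real MAPCO data.
SAMPLE_LOGS = """\
2013-04-10T02:13:05 fw01 conn src=10.20.1.15 dst=203.0.113.10 dport=443 action=allow
2013-04-10T02:13:09 fw01 conn src=10.20.1.15 dst=198.51.100.7 dport=8080 action=allow
2013-04-10T02:14:01 pos-store-112 logon user=admin result=failure
2013-04-10T02:14:03 pos-store-112 logon user=admin result=failure
2013-04-10T02:14:05 pos-store-112 logon user=admin result=failure
2013-04-10T02:14:06 pos-store-112 logon user=admin result=success
2013-04-10T02:20:00 fw01 conn src=10.20.1.16 dst=203.0.113.10 dport=443 action=allow
"""

# Hypothetical allowlist: the payment processor and a patch server only.
ALLOWED_DESTS = {"203.0.113.10", "203.0.113.20"}
POS_NET_PREFIX = "10.20."  # hypothetical POS network segment

CONN_RE = re.compile(r"^(\S+) (\S+) conn src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")
LOGON_RE = re.compile(r"^(\S+) (\S+) logon user=(\S+) result=(\w+)$")


def find_unexpected_egress(lines, allowed=ALLOWED_DESTS, prefix=POS_NET_PREFIX):
    """Return (timestamp, src, dst, dport) for POS-segment connections to
    destinations outside the allowlist. A firewall 'allow' is not a reason
    to ignore the line; the point is that the policy itself may be too open."""
    alerts = []
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, _host, src, dst, dport, _action = m.groups()
        if src.startswith(prefix) and dst not in allowed:
            alerts.append((ts, src, dst, int(dport)))
    return alerts


def find_logon_bruteforce(lines, threshold=3, window=timedelta(minutes=5)):
    """Return alerts for (host, user) pairs with >= threshold failures inside
    the window, and for a success that follows such a burst."""
    failures = defaultdict(list)  # (host, user) -> failure timestamps in window
    alerts = []
    for line in lines:
        m = LOGON_RE.match(line)
        if not m:
            continue
        ts, host, user, result = m.groups()
        t = datetime.fromisoformat(ts)
        key = (host, user)
        # Drop failures that have aged out of the window.
        failures[key] = [x for x in failures[key] if t - x <= window]
        if result == "failure":
            failures[key].append(t)
            if len(failures[key]) >= threshold:
                alerts.append((host, user, len(failures[key]), ts))
        elif result == "success" and len(failures[key]) >= threshold:
            alerts.append((host, user, "success-after-failures", ts))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for a in find_unexpected_egress(lines):
        print("unexpected egress:", a)
    for a in find_logon_bruteforce(lines):
        print("logon anomaly:", a)
```

Both checks are deliberately simple; the value is that they run continuously over the logs a merchant already collects, which is the piece the reader says most breached merchants skip. In practice the egress allowlist would come from the network design for the cardholder data environment, and the logon check would be one of many rules in whatever log-management platform the merchant uses.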
Retail Breach Woes
Preliminary results from our 2013 Faces of Fraud Survey show that merchant breaches are a growing sore point for card issuers. Banks and credit unions that responded to our survey note that merchant breaches, often linked to malware attacks, and card-not-present compromises were most often to blame for card-related fraud losses they suffered in the last year.
I don't find these comments and survey results surprising. The bankers I talk with are increasingly frustrated with the PCI compliance process and the fact that merchants have no incentive to enhance security.
But I'd like to know what you think. You can respond by posting a comment below.