This subject is back in the news again after P.F. Chang reported a possible breach yesterday. So, I thought it might be helpful to explain how this can happen.
Almost all retailers in the U.S. process credit cards by reading the magnetic stripe on the back of the card. There are four basic areas of vulnerability in this process:
- The card reader itself. Bad guys have been known to attach "skimmers" to these devices: small add-ons fitted over or inside the reader that record the track data on the magnetic stripe as each card is swiped. Because attaching a skimmer requires physical access to the device, this is less common in a traditional retail store, where the reader is attended, than at ATMs and gas pumps, where it is not.
- The pathway between the card reader and the point-of-sale software. With most POS software it looks as though the card number goes straight from the reader into the POS program, but it doesn't. The reader is just another input device to the operating system (often it presents itself as a keyboard or a serial port), so the track data travels through the operating system's device drivers and sits in the POS program's memory in clear text until the software encrypts it to send out for authorization. Recent retail breaches happened because someone inserted software into this pathway that copies card data as it goes by; this kind of program is usually called "memory-scraping" malware ("malware" is short for malicious software). The scary thing about malware is that the attacker doesn't need physical access to the computer: once a copy reaches the machine, it installs itself. It often arrives as an email attachment or an internet download, and it can also be copied over from another local or remote computer (for example through a remote-access tool with a weak password), from a USB stick or from a CD.
- POS software. Any reputable software package avoids storing card numbers at all, and if it must keep them it stores them encrypted. PA-DSS (Payment Application Data Security Standard) validation means the package was assessed against these rules, including never storing the full magnetic-stripe track or the security code after authorization, so it substantially reduces this area of vulnerability. It does not eliminate it: the software has to be installed and configured the way the vendor's PA-DSS implementation guide says, and a validated application still holds card data in memory while it processes a swipe.
- The credit card processing gateway. This is the route your POS software uses to send card data over the internet to your processor to authorize each charge. Any reputable gateway encrypts the card data for transmission (today that means TLS, with the POS verifying the gateway's certificate). Gateways are service providers rather than payment applications, so rather than PA-DSS, look for a gateway that is validated as PCI DSS compliant or listed on Visa's registry of approved service providers. That removes most of the risk on this leg, though the data is still in clear text on your POS before it is encrypted for the trip.
Happily, there are new technologies coming that will significantly reduce the potential for data breaches. Over the next few weeks, I'll provide more information on those technologies and also offer suggestions on how you can protect yourself in the meantime.
--Lynda