Recent security breaches of systems at Target and other major retailers could lead to a wholesale rethinking of secure payment methods and the need for new payment processing software in the United States, says Jim Reno, a network security expert and distinguished engineer and CA Technologies.
The trick will be in implementing the new software without ruining the customer experience, and organizations will want to leverage DevOps practices and use Service Virtualization to ensure that this new software doesn’t stall the checkout process or introduce new problems for back-end software.
In the Target breach, a criminal organization infiltrated an HVAC contractor that was providing service to the retail giant. This gave the attackers access to the Target computer network, which they used to install malware that secretly recorded credit card information as it was processed during the busy holiday season.
The Breach and the Damage Done
And, there were quite a few: Perhaps 100 million cards were compromised from Nov. 27 to Dec. 15. The hackers recorded credit card numbers, user names, and the secret code stored on each credit card. They also obtained the PINs associated with the cards in an encrypted state.
No evidence has emerged that these PINs had been used to withdraw money. However, hackers have been busy cloning the credit card data, which has been used for fraudulent transactions throughout the United States.
In the wake of the Target breach, fourth-quarter profits were off nearly 50 percent. The company’s CIO has resigned. In addition, Target has begun overhauling its information and compliance division. It is also looking outside of company executives to fill two newly created roles for a chief compliance officer and chief information security officer.
Over the past 30 years, banks and credit processors have attempted to implement more secure technology for protecting credit transactions from fraud. All of these efforts have failed to gain widespread global adoption, owing to the costs of implementation and pushback from key players.
Reno said that these participants are always comparing the relative costs of fraud to the cost of implementing new technology. The massive scale of the recent breaches and the potential for fraud could tip the balance toward adopting new technology, such as the highly secure EMV chip cards used widely in Europe but not in the United States.
Why New Payment Methods Haven’t Taken Off Here
EMV chip cards have faced a sort of chicken-and-egg problem here. Reno called it an “ignition problem.”
“If you want to do something new, you have to get to a critical mass in order to take off,” he said. In other words, if the consumer can’t use the new cards anywhere, they have no incentive to switch. Likewise merchants don’t want to invest in a new payment technology until enough people have signed up for it. Arguably, credit cards didn’t really take off for 20 or 30 years because of this phenomenon.
In a few niche areas, new payment processing mechanisms have taken off, owing to effective efforts to address both sides of the equation. For example, Diners Club worked with key restaurants and their customers to build up the critical mass for another credit card. PayPal reached out to the underserved market on eBay.
Major players in the banking and card processing industries have tried to introduce new technology for processing secure payments but to date have met only limited success for various reasons, Reno said:
- Secure Electronic Transaction was designed to assure merchants got paid, but did not give the merchants details such as card numbers. The system was complex and difficult to manage, and was a huge failure even though the banks and processors put significant investments into it.
- 3D Secure supported better security and was designed to be easier to implement. This saw some success, but holdouts like Amazon and others blocked widespread adoption. In Amazon’s case, 3D Secure interfered with the use of its one-click service and patent. This could also have made it more difficult to license one-click technology to others.
- Near Field Communications uses RFID technology in a card or smart phone to allow contactless payment. However, the technology has not been implemented in the iPhone. Initial efforts to implement NFC also were stalled by requirements for a secure microprocessor and reluctance by payment processors to share the processing fees with the phone providers.
- EMV, introduced in Europe in the mid-1990s, uses a secure microprocessor embedded in the card to enhance security and allow limited access when phone networks are not available. While the infrastructure for processing cards has taken off in Europe, it has not seen widespread global adoption. As a result, most credit terminals continue to support less-secure magnetic stripe technology as a fallback option.
A Sea Change is Coming, and Service Virtualization Will Be Key
Reno believes that the scale of recent security breaches, and the ease of cloning magnetic stripe cards, could be a major factor in driving adoption of EMV technology. “There are costs and tradeoffs associated with implementing new payment mechanisms like EMV. The Target breach could push us over the edge towards EMV adoption in the US,” he said.
When the change comes, it will mean extensive integration testing for the new software, a process that could be limited by the costs of processing transactions on live systems, not to mention the security issues around using live credit cards for tests.
Simulation testing like Service Virtualization will play a critical role, reducing costs and providing a safe environment as companies work to harden their defenses.