If anyone knows exactly how hackers managed to steal the data of more than 110 million Target and Neiman Marcus customers, they’re not talking yet. Until there’s a thorough case study published, a vague story about a contractor and an email phishing scam will have to suffice for an explanation. For stewards of IT security in government, the breach was a wake-up call and a portent.
Michigan Chief Security Officer Dan Lohrmann said that news of the breach raised a few eyebrows in his organization, and officials immediately began investigating whether their own point of sale systems were at risk or might possibly be compromised in the same way. Neither the U.S. Secret Service nor other government investigators were forthcoming with the information Michigan security officials wanted, Lohrmann said, adding that he doesn’t blame them.
Despite the lack of information, however, governments can still learn from the private-sector breach.
After asking around and doing their due diligence, Michigan officials determined they were relatively safe, Lohrmann said, adding that they have a very robust PCI compliance program.
“I think that’s one lesson learned: If you’re not PCI compliant, either statewide or in your agency or local government, that’s something that’s got to be done. That lays out the standards for encryption and patching, and anti-virus protection,” he said. “Now, that may not be enough, but that’s at least a starting point.”
Being PCI compliant is like wearing a seatbelt, having airbags and obeying all traffic laws – it tips the odds in the driver’s favor, but it doesn’t guarantee there won’t be an accident. After all, Target is believed by many analysts to have been PCI compliant when the intrusion occurred, although that’s another area gray area.
Various politicians, such as Former Secretary of Homeland Security Janet Napolitano, have warned that a big cyberattack on the U.S. infrastructure is inevitable, and that such an attack would be capable of any number of catastrophic outcomes. The Target breach wasn’t a 9/11-scale attack, of course, but the event was still big enough to get the public’s attention about the issue of data security and cybersecurity. And at least one big change in this area is on the horizon.
By October 2015, U.S. retailers are required to upgrade point of sale devices to accept integrated circuit cards using the Europay, MasterCard and Visa (EMV) standard. (EMV is a global standard for authenticating credit and debit card transactions.)
Like this story? If so, subscribe to Government Technology's daily newsletter.
The move will eliminate the need to sign for a purchase, instead relying on a credit card’s internal chip and an associated PIN. Target is on board with the change, and has reportedly already spent $100 million to push forward the upgrade so their stores will be ready six months ahead of the deadline. Many other retailers are also looking to be ready for the upgrade ahead of deadline, and some financial institutions are now rolling out the new cards.
The shift in technology will bring the U.S. up to date with every other major market in the world already using the cards. It also indicates a major change in the IT security dynamic, as some reports put credit card data as representing about 80 percent of all stolen data. EMV cards, however, thwart many traditional data stealing methods.
The change will also mean a big upgrade for governments that have point of sale devices.
“I think a lot of state governments need to make sure they’re ready, because in October 2015, the liability shifts to the merchant if you don’t have those in place. It’s a big deal,” Lohrmann said. “I’ve heard estimates of $200 to $300 per point of sale device.”
Governments should look ahead and start planning for this upgrade now, he added.
“Remember Target” is now the rallying cry of many security professionals speaking and gathering around the country these days, Lohrmann said, adding that even though the event was unfortunate, that's sometimes what it takes to grab everyone’s attention.
“It raises the temperature two degrees on board levels in governor’s offices,” he said. “I think people are continuing to take this more seriously, and it’s reaching a point where it’s a top-tier issue.”
The problem is that it takes real catastrophe to get real results, it seems. “I was in Target last weekend and a lot of people were buying things with credit cards,” Lohrmann said. “The key, I think, is when it starts hitting people and they become impacted personally.”
For individuals, there’s almost zero liability when it comes to credit cards, so the banks and the stores are the main victims of such data breaches.
The change to EMV cards will put more of the burden on retailers, because the banks are tired of paying for the mistakes of businesses, Lohrmann said. “That’s going to change practices,” he explained. “Now it’s no longer, ‘OK, I got a letter saying I’m bad,’ – the state’s going to be charged hundreds of thousands in fines, you’re going to lose the ability to use credit cards – now we’re getting serious.”
The chips in EMV cards encode the information being transferred differently with each transaction, so had Target been using such cards in the previous breach, the data thieves would have found themselves with essentially the equivalent of expired passwords.
This move to EMV, Lohrmann wrote in his weekly Cybersecurity and Infrastructure blog, will impact Secretary of State offices, which are also called the Motor Vehicle Administrations in many states.
"In addition, state and county parks and many other federal, state and local government agencies and services accept credit cards," he wrote. "Bottom line, if your government or business accepts credit cards using POS devices and doesn’t have plans to move to the EMV standard compliance, you need to act now. Budgets and project plans need immediate attention."