Target announced on Thursday that anyone who swiped a credit or debit card at the retailer between Nov. 27 and Dec. 15 may have had their account data exposed. Far from being limited to names and phone numbers, the exposed data includes customer names, credit and debit card numbers, card expiration dates and the three-digit security codes found on the back of the card. The number of accounts affected is said to be upward of 40 million, making this the second-largest credit card breach the US has ever seen.
Target’s Not Alone
This security breach is a headlining hot topic that’s sure to put a damper on many Black Friday shoppers’ holidays, but it isn’t the first or the worst.
Just last year, Barnes & Noble had a similar breach at 63 of its stores when tampered (“bugged”) PIN pad devices extracted its customers’ credit card data and PINs. And back in 2007, TJX, the parent company of T.J. Maxx and Marshalls, reported that nearly 100 million credit card numbers were stolen, the largest breach in history.
The PCI Standard and Council
Besides losing hundreds of millions of dollars to lawsuits, investigations and increased security measures, do big retailers suffer any other consequences for exposing their customers’ identities and financial information? Yes, and that is why the Payment Card Industry Data Security Standard (PCI DSS) was created and the PCI Council was formed.
The PCI Security Standards Council, originally formed in 2006 by American Express, Visa, JCB, Discover and MasterCard, oversees and manages the ever-changing PCI DSS. Members from each payment brand act as the executives and management of the PCI SSC.
Wikipedia defines PCI DSS as “a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid,
Consequences for Non-Compliance
So, what are the consequences for companies like Target and Barnes & Noble that fail to protect cardholder information? According to the Focus on PCI website, retailers could face civil litigation (like this one) from breached customers, suspension of their ability to accept credit cards, investigations by the Secret Service, and steep fines from both banks and credit card institutions. How steep?
Target could face a $90 fine for each cardholder’s data compromised, which translates to a $3.6 billion liability.
When there’s a breach of this scale, even 100% compliant and validated companies have to deal with big consequences. But W. Hord Tipton, managing director at (ISC)2, believes that “most of the time in these investigations, companies hit like this aren’t really in compliance.” If it’s found that Target isn’t in compliance, all they’re getting for Christmas is a year of lawsuits and fines.
Banks may fine Target for the research they have to perform to correct the non-compliance, and each individual credit card institution levies its own fines and sets a timeline of increasing fines based on the merchant’s level. On top of these fines, this press release states that “Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.”
Add the cost of that investigation and the financial loss is significant, not to mention the damage to Target’s reputation.