Monday, March 25, 2013

PCI-Compliant Supermarket Chain Breached

An example of what I claimed in my previous article about PCI compliance:

"Compliance is not insurance"

Being PCI/HIPAA/HITECH/whatever compliant will never guarantee that you will not get hacked. It will only tell you that, at one point in time, your infrastructure, processes and people conformed to a checklist. Nothing more.

Back in the day, when a bad guy wanted to go after a supermarket's money, he had to get a weapon (or something that looked like one), go to the supermarket, rob the cash and flee. Nowadays, he just has to get his hands on the credit card numbers and the CVV2 codes. And cha-ching!

And the differences don't stop there.

In the old days, the supermarket bore the loss: if the robber got his hands on the money, it was the cash customers had already paid for their goods. Today the robber gets access to the customers' bank accounts instead, so the "hit" has shifted from the supermarket to its clients.

The amount was also limited by how many customers were in the store, how often the cash was collected and/or transferred to a safe, and so forth. With the current system, if the bad guy steals a thousand credit cards, he could get more than half a million US dollars, provided he withdraws $500 per account. ONLY $500 per account.

That is far easier and more convenient than risking being shot or maimed by an angry salesperson, or being caught by the police.