The Fraud Blog with Tracy Kitten

Readers Respond to MAPCO Attack

Concerns About Retail Malware, PCI Inadequacy Mount

Executives at banking institutions and other organizations haven't been shy about sharing their frustration over the growing number of retail breaches we've seen in recent months.

And last week was just another example. In response to the malware attack against the MAPCO Express convenience store chain, readers took advantage of our comments feature to point out shortcomings they see in retail point-of-sale and network security.

MAPCO in early May announced it had discovered evidence of a malicious attack that likely affected the 377 stores that connect to its corporate network. Debit and credit data associated with transactions conducted between March 14 and April 21 was likely exposed, the company said. MAPCO customers were advised to contact their banks and credit unions to alert them of the potential for fraudulent transactions related to the breach.

What readers said about the breach echoes what industry experts have been saying for several months - compliance with the Payment Card Industry Data Security Standard does not equal security.

"In the U.S., PCI compliance is not enforced like you would like to think (especially since the PCI-DSS has its roots in the country)," one guest writes. "Cards are widely accepted till $21 without the need of PIN or signature."

Another comment, posted by Chris Snelling, states: "As you might be aware, many companies seeking to become PCI compliant only believe that as long as their network environment is 'secured,' they believe that they are compliant and are unwilling to move forward with a logging solution that is responsive to the constantly evolving threats from hackers. They believe that if the firewall is secure and the PCs have a logging capability, then that is good enough."

The problem, this reader points out, is that most breached entities are not sufficiently monitoring network access and event logs. In order to be truly PCI compliant, this type of monitoring is a necessity, but most merchants fail to address the monitoring piece of PCI, he contends.

"Too many companies believe that it is cost-prohibitive to fully engage the PCI process," this reader writes. "Risk management 101. Cost/Benefit? Where are the hard numbers to show true cost of a breach? It is going to take Visa, MasterCard and others to 'force' [this] into the everyday mindset of the old corporate mentality."

Retail Breach Woes

Preliminary results from our 2013 Faces of Fraud Survey show that merchant breaches are a growing sore point for card issuers. Banks and credit unions that responded to our survey note that merchant breaches, often linked to malware attacks, and card-not-present compromises were most often to blame for card-related fraud losses they suffered in the last year.

I don't find these comments and survey results surprising. The bankers I talk with are increasingly frustrated with the PCI compliance process and the fact that merchants have no incentive to enhance security.

But I'd like to know what you think. You can respond by posting a comment below.



About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



