The Target Breach and the PCI DSS

Over the last couple of months there’s been an interesting story developing about one of the largest thefts of payment card details in recent years. It has raised questions over the PCI DSS and solutions to protect payment transactions.

The story in question is that of the breach of Target, a large USA retailer, and it has been developing since Dec, 2013. It’s raised questions about the Payment Card Industry Data Security Standard (PCI DSS) and whether it protects card data, along with suggestions as to whether swipe card is dead in the USA and if EMV (Chip n Pin) is the future of payments. The breach exposed personal and financial information on more than 110 million customers.

What is known about the Target Breach?

The hackers stole track data, the data contained within the magnetic tape on the back of cards, from the point of sale (POS) equipment. This attack was originally reported by Target but now involves other retailers in the USA. From the details that have been published. it is apparent the attackers had detailed knowledge of the victim’s networks and third party support companies and applications. Whether this came from careful reconnaissance, social engineering, insider knowledge or a combination of these and other factors is not known.

Using information published by various security researchers I have put together this picture of the attack. However exact details are not known and some points are speculation.

Malware

The attackers affected Target’s infrastructure, this included infecting Target’s POS equipment with a strain of malware that sent the captured card credentials to a compromised central server within Target’s internal infrastructure. This central server was then used in an exfiltration process to get the stolen credentials from inside the Target infrastructure to the attackers outside. The transmitted data was double encrypted to obfuscate the details from any data leakage protection programmes.

An analysis of some of the malware indicates that there’s a good possibility that administration level credentials of a 3rd party application was used in the attack. This 3rd party software is apparently used by a number of retailers in addition to Target. The exact use of the software has not been confirmed, nor if it was the actual attack vector.

The PCI DSS requirement 2 covers the changing of the default username and passwords for systems within scope of the PCI DSS.

The malware in the Point of Sale equipment used a technique known as memory scraping, allowing data held in the RAM of the equipment to be analysed and the card data to be collected. Tills collect the data from the connected swipe devices and then transmit it to a payment processor for the transaction to be authorised. The onward transmission should be protected as per PCI DSS requirement 4 by the use of strong encryption. The weak point is the till, it needs to encrypt the data it receives from the swiped card and this data is stored in memory as plain text. Attackers are now targeting endpoints such as tills as it is the weak point. Requirement 6.5 of the PCI DSS covers the application development and mentions memory scraping.

Additionally, technologies such as endpoint to endpoint encryption as covered in the PCI DSS P2PE standard can help by encrypting data in the card swipe or pen entry devices and not relying on the encryption occurring with software within tills. Moving the weak point to the card device will mean the devices such as card swipes and pin entry devices are at risk and requirement 9.9 in version 3 are about securing these devices against tampering and/or substitution.

Third Party Due Diligence

The hackers got access to the Target infrastructure via the stolen credentials of a HVAC company who have contracts with a number of retailers. These credentials were to allow the company to have remote access to their equipment installed in Target’s facilities for support, monitoring and maintenance activities. The PCI DSS version 3 requires vendors who have access to or affect the security of the cardholder data environment to have unique credentials for each of the customers to ensure that a set of leaked credentials will affect only one client. Whilst not directly relevant to an HVAC company who should not be able to effect security of cardholder data, the PCI DSS often has security principles that will improve the security of an organisation if applied across the organisation.

Compromising the HVAC remote access should not have allowed the attackers to access the cardholder data environment, the PCI DSS requires that systems involved in the process, transmitting or storing of cardholder data or affecting the security of those systems involved in process, transmitting or storing of cardholder data should be protected.

The recommendation is that the cardholder data environment is reduced through segmentation by either physical or logical means, for most organisations this segmentation of the cardholder is the only practical way of reducing the cost of implementing the PCI DSS. Without segmentation, the controls would have to apply to the whole of the organisation. Requirements 1 and 2 of the standard are around the design and protection of a secure card holder data environment. Requirement 11 covers the testing of the segmentation of the cardholder data environment through vulnerability scanning and penetration testing internal and external of the environment. Version 3 of the PCI DSS strengthens the testing of the cardholder environment by specifying that the segmentation methods must be tested to ensure the protection is sufficient to give segmentation.

The PCI DSS

The standard is developed by the PCI Security Standard Council that was founded by five payment brands. It has been developed to provide a baseline of the minimum security required to protect payment cards that a prudent organisation would do to show due diligence in caring for sensitive card data. The question asked was, if Target was compliant to the PCI DSS, then how were they breached? The important part of that question is to remember that the standard does not claim to provide absolute security. However, the PCI SSC states that an organisation must be compliant to the standard at all times.

Conclusion

Until all the facts have come out, which will not be until a conviction has occurred, a lot of how the attack was done will be speculation.

However it is apparent that Target was not compliant at the time of the breach. The PCI DSS if applied fully and correctly will improve the security posture of a company but it will never provide total security. From a risk assessment point of view, it is possible to introduce controls that reduce the risk, but there is always going to residual risk. PCI SSC programmes such as P2PE in conjunction with PCI DSS will improve security of cardholder data, but will not stop all breaches.