TECH
10/29/2014 12:23 pm ET Updated Oct 29, 2014

Why Credit Card Companies Couldn't Stop Hacks At Target And Home Depot

Bloomberg via Getty Images

While public outrage over recent data breaches has focused mostly on the retailers that were hacked, several security experts say the credit card industry shares some of the blame.

More than a decade ago, as concerns over cyberattacks were growing, the major credit card companies -- including Visa, MasterCard, American Express, and Discover -- unveiled a strategy to fight hackers. In 2001, they began requiring businesses to meet a checklist of security rules to prove they were protecting credit card data on their computers.

Those security tests have failed to stop the growing number of cyberattacks against retailers this past year. Two of the biggest retailers to get hacked -- Home Depot and Target -- say they passed the security tests before hackers stole the debit and credit card data of a combined 96 million consumers from their computer systems.

One former Home Depot security employee told HuffPost that complying with the credit card industry’s rules had done little to help the retailer protect consumers’ data.

“You can have hackers crawling all over your network and still be compliant,” said the former employee, who asked not to be named because he still works in the security industry. “To most security guys, it’s just a box you check to protect the CEO. It’s not real security.”

The security tests have been a key part of how credit card companies have tried to protect consumers’ payment information from hackers. The industry says the tests provide a useful measure of how a business is protecting its computer system, and those that pass the test can still get hacked because they stop following the guidelines.

“Security needs to be business as usual -- protecting your customers’ payment card data, around the clock, every day,” said Troy Leach, the chief technology officer of PCI Security Standards Council, a credit card industry group that maintains the security guidelines.

In the wake of numerous cyberattacks, the credit card industry is now introducing another strategy. Companies are issuing new credit cards that use an embedded microchip and a PIN code instead of a magnetic stripe and a signature to authorize transactions. Such technology is supposed to make it harder for thieves to make purchases with stolen credit card data or make counterfeit cards.

The credit card industry should have introduced more secure cards a decade ago "when there was still time to do something," said Avivah Litan, a security analyst at Gartner, a technology research firm. In a blog post earlier this year, Litan said the industry’s security standard has “largely been a failure when you consider its initial purpose and history.”

“Visa and MasterCard didn’t want to pay for this so they stuck retailers with the security problem,” Litan said in an interview. “Now it’s too late.”

The failure to shut down cybercrime has affected both credit card companies and retailers. The payment industry lost $7.1 billion last year to credit card fraud, a 29 percent increase from the previous year. That is a small fraction of the $158.6 billion in revenue the industry is expected to generate this year.

In February, Target reported a 5.5 percent drop in transactions just a few months after a massive credit card breach at its stores during the last holiday season. It was the retailer’s largest quarterly drop in six years.

The security tests were supposed to stop thieves from stealing credit cards by creating rules for businesses to follow. In 2005, a Visa executive told Congress the rules would "ensure that the customer information that Visa's members have got is kept protected and secure."

The tests are based on a standard called PCI-DSS that is updated by the council every three years. Major retailers are required to hire outside security firms to test their computer security and can face fines if they fail. Merchants must meet more than 400 requirements, like installing firewalls, updating antivirus software, and ensuring that credit card readers haven't been tampered with.

Critics question whether the rules are effective. The guidelines don't require credit card information to be encrypted while traveling through a private computer network and hackers now use tools that steal data as it moves, according to Wired.com. The audits are conducted only once a year, so they may not provide a full picture of a retailer’s security. In addition, some security firms that do the testing also sell solutions that help retailers meet the requirements, which Litan called a "huge conflict of interest."

The recent credit card breaches "show that there’s something fundamentally wrong with the payment card data security standard we’re all reliant on," Slava Gomzin, a security researcher for Hewlett-Packard, wrote earlier this year in Venture Beat.

Security firms say that a passing grade does not mean a business is hacker-proof.

The security standard “goes a long way toward reducing the risk of compromise,” said Alan Ferguson, an executive vice president at Coalfire, which conducts security audits for retailers. “But the standard alone isn’t going to guarantee that you don't have a breach.”

The Home Depot attack is still being investigated, so it is unclear whether the credit card breach was caused by shortcomings with the industry's security rules or by the retailer’s failure to follow them.

Home Depot spokesman Stephen Holmes said the retailer hired Solutionary, an Omaha-based security firm, to test the retailer's computers. Solutionary declined to comment, citing agreements with clients to not speak about specific incidents.

Home Depot passed security tests from 2009 until its last one in 2013, Holmes said. From April until September of this year, hackers roamed through Home Depot’s computer system, stealing card data belonging to 56 million people. It was the largest known retail breach in history.

CONVERSATIONS