BreachExchange mailing list archives
Re: TJX breach shows that encryption can be foiled
From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Tue, 3 Apr 2007 10:33:31 -0400
Some attorneys and CPAs will make the case that you should retain transaction records for a period of 7 years in the event of a tax audit. This requirement does not necessarily include the credit card number, just a record of the transaction. The only reason to store the number would be in the event of a charge-back, but if you have the card number only, and the date & transaction amount, you can still deal with the charge-back. Another reason might be to attempt to data-mine purchases by a specific card number and attempt targeted advertising, or sell the demographic data. Still, that's something I'd outsource and get that data off of MY servers.

However, if you are storing any track data after the authorization you're in violation of the PCI-DSS v1.1 in a couple of places. The preface of 1.1 states quite clearly:

** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).

Section 3 deals specifically with data retention and again states not to retain data after authorization. It does provide a caveat, but unless you're in the data mining business, I can't think of a reason (at least in our business model) that we'd want to retain this data one second longer than necessary:

[Quote] PCI DSS v1.1 section 3.2.1
In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the accountholder's name, primary account number (PAN), expiration date, and service code. To minimize risk, store only those data elements needed for business. NEVER store the card verification code or value or PIN verification value data elements. Note: See "Glossary" for additional information.
[End Quote]

If you stop and think about the liability you take upon yourself when you allow this data to reside in your company, you'd probably purge your servers of it as expeditiously as possible.
A good analogy, I think, would be this: keeping card data you are not actively using is like agreeing to allow a friend to store his illegal drugs at your house, because the police are watching his house. It just doesn't make sense to take that kind of risk, and it is the sort of risk that provides no sort of positive return. It's just risk that sits there waiting for the law of averages to bite you.

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Sean Steele
Sent: Tuesday, April 03, 2007 9:01 AM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

I'm familiar with PCI-DSS standards for DAR encryption for cardholder information, but less sure of retention requirements. Does anyone know conclusively if TJX was simply retaining cardholder data per regulations?

-Sean

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of DAIL, ANDY
Sent: Tuesday, April 03, 2007 9:49 AM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

I don't care if you're using 1024 bit encryption with an atomic booby-trap, there is no business reason to retain that much card data for such a long period after authorization. Especially magnetic track data!! In the final analysis, if the data were not being retained, the data could not be stolen. TJX is a perfect case-in-point of a retailer who is afraid to purge historical data, or does not spend the effort to triage the data to determine what is obsolete. Data management policy, anyone?

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Chris Walsh
Sent: Monday, April 02, 2007 5:42 PM
To: dataloss () attrition org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:
> It should make for a short list of suspects, assuming TJX was doing a reasonable job of key management...
That (reasonable key management) is a critical assumption. I'd be interested in learning what algorithm (and implementation thereof) they were using, as well. Not holding my breath on that info :^)

cw

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.
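The retention rule Andy quotes from PCI DSS v1.1 section 3.2.1 (keep at most name, PAN, expiration date and service code from the stripe; never the card verification value or PIN verification value) is easy to state and easy to get wrong in practice, because the prohibited values live in the discretionary-data portion of the same track that carries the permitted ones. The following is an added example, not code from the list posters or from any retailer: it parses ISO 7813 Track 1 / Track 2 strings, keeps only the retainable elements, drops the discretionary data, and strips separately captured CVV2/PIN fields from an authorization record before it is written to long-term storage. The record field names and the sample track values are constructed for illustration (the PAN is the standard 4111... test number; the discretionary data is invented).

```python
"""Post-authorization scrub of magnetic-stripe data (added example, not from the thread).

Keeps only the elements PCI DSS v1.1 3.2.1 allows to be retained (PAN, name,
expiration date, service code) and discards everything else from the stripe,
including the discretionary data that carries PVKI/PVV/CVV, plus any
separately captured CVV2/PIN fields.  Track layouts follow ISO 7813.
"""
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Assumed field names in an authorization record; all of these are
# "sensitive authentication data" and must not survive authorization.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "pin_block", "pvv"}

# Constructed sample input (test PAN, invented discretionary data).
SAMPLE_AUTH_RECORD = {
    "date": "2007-04-03",
    "amount": "49.99",
    "auth_code": "123456",
    "track1": "%B4111111111111111^DOE/JANE^25121011000000000000?",
    "track2": ";4111111111111111=251210112345678901?",
    "cvv2": "999",
    "pin_block": "0123456789ABCDEF",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check so a mis-parsed track is rejected rather than stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def retain_from_track(track: str) -> dict:
    """Return only the retainable elements of one track; raise on bad input."""
    m = TRACK1_RE.match(track) or TRACK2_RE.match(track)
    if not m:
        raise ValueError("unrecognized track format")
    fields = m.groupdict()
    if not luhn_ok(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    kept = {
        "pan": fields["pan"],  # retainable, but still must be protected at rest
        "expiration": fields["exp"],
        "service_code": fields["svc"],
    }
    if "name" in fields:  # Track 2 carries no name
        kept["name"] = fields["name"].strip()
    # fields["disc"] (PVKI / PVV / CVV) is deliberately never copied
    return kept


def scrub_after_authorization(record: dict) -> dict:
    """Build the record that is allowed to outlive the authorization."""
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    for key in ("track2", "track1"):  # track1 last so its name wins if both exist
        if record.get(key):
            kept.update(retain_from_track(record[key]))
    return kept


if __name__ == "__main__":
    print(scrub_after_authorization(SAMPLE_AUTH_RECORD))
```

The scrub runs on the post-authorization path, before anything is written to a transaction archive; the full track strings should exist only in memory during the authorization request. A Luhn failure is treated as a parse error rather than silently stored, since a mis-split track would otherwise leak part of the discretionary data into a field that looks like a PAN.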
Current thread:
- TJX breach shows that encryption can be foiled lyger (Apr 01)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 02)
- Re: TJX breach shows that encryption can be foiled Casey, Troy # Atlanta (Apr 02)
- Re: TJX breach shows that encryption can be foiled Chris Walsh (Apr 02)
- Re: TJX breach shows that encryption can be foiled Adrian Sanabria (Apr 02)
- Re: TJX breach shows that encryption can be foiled Avery Sawaba (Apr 03)
- Re: TJX breach shows that encryption can be foiled DAIL, ANDY (Apr 03)
- Re: TJX breach shows that encryption can be foiled Sean Steele (Apr 03)
- Re: TJX breach shows that encryption can be foiled DAIL, ANDY (Apr 03)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 03)
- Re: TJX breach shows that encryption can be foiled James Childers (Apr 03)
- Re: TJX breach shows that encryption can be foiled Sean Steele (Apr 03)
- Re: TJX breach shows that encryption can be foiled Casey, Troy # Atlanta (Apr 02)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 02)
- <Possible follow-ups>
- Re: TJX breach shows that encryption can be foiled Dissent (Apr 03)
- Re: TJX breach shows that encryption can be foiled Chris Walsh (Apr 03)
- Re: TJX breach shows that encryption can be foiled Donald Aplin (Apr 03)
- Re: TJX breach shows that encryption can be foiled James Ritchie, CISA, QSA (Apr 03)
- Re: TJX breach shows that encryption can be foiled Katie Felten (Apr 03)
- Re: TJX breach shows that encryption can be foiled Dan Good (Apr 03)
- Re: TJX breach shows that encryption can be foiled B.K. DeLong (Apr 03)