[Update 2008-01-28: I received feedback from Fujitsu Transaction Solutions. They state: "No Fujitsu Transaction Solutions software is on TJX POS terminals or back office servers." This blog entry has been corrected to reflect this feedback.]
My previous blog entry voiced a concern about point-of-sale vulnerabilities. In particular, some CompUSA stores are reported as only accepting credit card purchases. As CompUSA sells off everything in its stores, it increases the risk of selling off parts of its point-of-sale solution, and with them the likelihood of exposing customer information.
In response to my blog posting, I received the following comment from Mark Gertenbach:
You may not understand very much: PCI compliance will not allow credit card information to be stored IN the POS.
CompUSA isn't owned or run by CompUSA any more... the same company that owns dozens of other companies that are going out of business owns it now - and as far as not accepting cash - so one local person screws up and you cite the entire chain - not sure that is very clear thinking. The 7000 people that lost their jobs went to work every day too, didn't all NOT care, worked hard to make a dollar, and are now working toward closing the stores down, or have already left. Try to put yourself in that position just for a moment.
Rebates are often forced on the retailer from the manufacturer in order to protect their "price vs. value" and they have the final say...Best Buy is accountable for a missing rebate check I never got- but I don't blame them entirely, the manufacturer has done their part to make that happen as well.
As for prices - the fewer retailers there are (no matter if it is CompUSA, Macy's, Bombay Co. or someone else that is being liquidated) means eventually prices will go UP at Best Buy and Walmart, and they will be happy to tell you they are still the low price - there will be no one left to compete at any level. Prices have already gone up at Best Buy on certain things.
Dear Mr. Gertenbach,
Since you are CompUSA's director of technology services, I am pleased to have you respond to my blog entry. However, I believe you are mistaken.
You stated that "PCI compliance will not allow credit card information to be stored IN the POS." This is false. The closest the PCI standards come to any such statement is the PCI Data Security Standard (DSS) Requirement 3, "Protect stored cardholder data", and the PCI PIN Entry Device (PED) checklist item B7, "Sensitive information shall not be present any longer or used more often than strictly necessary." There is nothing in the PCI standards that says a PoS device (branch server, terminal, or PED) cannot store credit card information. I strongly recommend that you download and read the PCI DSS and PCI PED security specifications.
As an example of a PCI-compliant PoS device, take a look at the Verifone Vx series. These are PCI PED-compliant PoS devices, and they can store credit card information (accessible only with the proper password).
Nearly every point-of-sale system stores credit card information. For non-PED devices, storage is required for common tasks, such as reconciling the day's sales and addressing register discrepancies. As I mentioned in my paper, Verifone, IBM, Panasonic, and other PoS vendors all explicitly store credit card information. The paper includes references to technical specifications and manuals that describe exactly how to recall the stored credit card information.
Beyond the cash registers are the branch servers. These also store credit card information. Card storage at the branch servers led to last year's huge TJX compromise and the 2006 OfficeMax compromise. These compromises happened because PoS systems stored credit card numbers on the back end.
Last October a group of merchants formally requested changes to the PCI and card processing system. In particular, the credit card industry currently requires merchants to store credit card information for as long as 18 months. The merchants want this requirement removed. Their argument is that thieves cannot steal what does not exist. However, the credit card industry has not yet addressed this request.
Back to your company: CompUSA is reported as using "an IBM 4690, an SAP system running on Microsoft SQL Server 2000, and a collection of Oracle databases". How does CompUSA plan to liquidate these systems? And what will happen to the local servers found in each store? Unless every drive is securely wiped, sensitive and personal information is highly likely to be compromised if any of the hard drives ever get outside of CompUSA.
CompUSA is also reported to use Verifone PoS devices. According to these documents, CompUSA may use the Verifone Omni 7000 terminal. These PED terminals are designed to work with PoS devices that do store credit card information, even if the terminal itself does not.
Your second point was that "CompUSA isn't owned or run by CompUSA any more". A change in management does not alter the point-of-sale systems, the fact that they are liquidating over 100 stores, or the risk of exposure.
You also mentioned the people who will be losing their jobs as the stores close. While some people at CompUSA probably did care about their jobs, the consistently rude and ignorant service and support staff seriously tarnished CompUSA's reputation. While this may have been a minority, they were highly visible. I should point out that this is based on my personal experience as well as testimonials from other unsatisfied customers. And while I have not visited every CompUSA, the service was consistently bad among the stores I visited -- in California, Nevada, Texas, Illinois, Hawaii, and Colorado.
Your third issue concerned rebates. You wrote: "Rebates are often forced on the retailer from the manufacturer in order to protect their 'price vs. value' and they have the final say". You are effectively saying that vendors are conducting price fixing and exhibiting anti-competitive behavior. Perhaps that is why the FTC pursued charges of fraud and deceptive practices against CompUSA's rebate program.
However, even if what you say about the requirement for rebates is true, it would not explain why an item at CompUSA needs a mail-in rebate while the same item at OfficeMax and Circuit City does not. In the cases that I have seen, the same item sells for the same discounted price, or within a very small difference. It is my understanding that rebates are a negotiation tactic between the merchant (e.g., CompUSA) and the product vendor in order to offer a product for a lower price. The lack of rebate payment, as even you pointed out, is effectively a bait-and-switch tactic. It is no wonder Best Buy decided to phase out rebates by 2007. (I should point out that it is 2008 and Best Buy has not yet totally phased out mail-in rebates.) Similarly, OfficeMax decided to end its mail-in rebate program. In contrast, CompUSA never phased out rebates.
Finally, you mention that prices will go up as physical retailers become rarer. This is a point of debate since it depends on demand and competition. Brick-and-mortar merchants are competing against online merchants, so prices cannot become too high. And there are always "urgency" and "local access" factors, where online retailers will never succeed -- for example, when you need a replacement part right now and cannot wait for Amazon to ship it. Customers pay for convenience. However, my previous blog entry only compared physical merchants. There is no reason for CompUSA to be almost consistently more expensive than competing stores. Even at 20% off, I saw no "bargain prices" at CompUSA.
What we are seeing right now is Darwinism among technology merchants. The high-priced, unfulfilled-mail-in-rebate merchants with poor customer service are the first to go. I do not believe that CompUSA will be missed.
Mr. Gertenbach: I suggest you take the time to learn more about your field. Good luck on your next job.
You appear to have some confusion around the different PCI standards. The PCI PED standard is only concerned with PIN data (hence the PIN Entry Device - PED - moniker). Certainly requirement B7 of the PED standard is concerned only with the secure zeroisation of buffers containing customer PIN blocks and cryptographic keys.
With respect to the PCI DSS requirements, it is forbidden to store Track 2 data, CVV2 data, and PIN block data past authentication (refer to page 4, which contains a list of the items of cardholder data that are permitted to be stored).
It is essential that care is taken when referring to a 'PCI compliant' device in the context of a PED, as you do. You correctly reference the Verifone Vx series devices as PCI ( PED ) compliant, but as stated, this makes no comment to their suitability in regards to the PCI DSS requirements, which is the standard that will address your concerns regarding cardholder data.
You also reference the need for payment terminals to store credit card data for the purposes of reconciliation and discrepancy resolution. These are both true, but I would be very surprised to find a company selling off or retiring any terminals that had not been reconciled - this is, after all, required for them to get their money. Once such reconciliation has occurred, it is very common (universal in my experience) for such terminals to clear their stored card data.
Finally, reference is made to the requirements of various card brands to store credit card information for a period of time subsequent to the finalisation of the transaction (for purposes of resolving disputes with the customer). However, you do not note that this does not need to be complete data - truncated PANs are sufficient (along with signed receipts if a card present transaction), and indeed if the POS system is PCI DSS compliant this should be all a merchant has access to.
I do agree with you that any PC based systems connected with the POS must be securely wiped, but this also should be addressed by the company as part of its PCI DSS compliance (item 9.10.2).
Excellent points.
You are correct that no PoS component is permitted to store the full Track 2 data, CVV2, and PIN block data after the transaction completes. However, parts of Track 2 can be stored. DSS section 3.2.1 says "Do not store the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data".
The DSS does not say that portions of Track 2 cannot be stored. In fact, it explicitly says, "In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the accountholder’s name, primary account number (PAN), expiration date, and service code." This means that a merchant may store the name, card number, and expiration date. The large compromises such as OfficeMax, TJX, and even Card Systems compromised this "partial Track 2" information. (This partial information is also all that is needed for making a purchase at many "cardable" merchants.)
In contrast to what can be kept, Section 3.2.1 and 3.2.2 explicitly specify that a PCI-compliant device must not store the CVV2 and PIN. This is why phishing sites almost always request CVV2 and PIN information.
With regards to the PCI PED... I actually know that this standard only refers to PIN devices. However, Mr. Gertenbach said that no information could be saved. The only devices that come close to this are the PED devices (or the PED portion of a PoS device). I was giving Mr. Gertenbach the benefit of the doubt that he was confusing related standards. I should have been more clear in my blog entry.
With regards to your statement, "I would be very surprised to find a company sell off / retire any terminals that had not been reconciled." I used to be surprised too, then I started attending auctions. I have yet to see a Verifone TRANZ unit or cash register (most today are actually PCs) get auctioned off after having been cleaned of all stored account information. (Bang head here.) It seems that when companies auction off their inventory due to going out of business, they are no longer interested in PCI compliance. This is probably because it takes time and effort ( = money), and there is little risk of punishment. Visa cannot fine a company that no longer exists.
Also, although not the case of CompUSA, many bankruptcy and foreclosure auctions sell off confiscated property. The auction house rarely has the passcodes to clear PoS devices. In my experience, it is only when companies are upgrading their systems (and not going out of business), that they strive to wipe systems before an auction (and even then, they usually forget about cash registers). However, your experience may differ from mine. (I know a few auction houses that refuse to auction off credit card PoS systems for this reason. However, they will still auction off cash registers.)
The real question becomes: who is going to turn off the lights at CompUSA, and will that person remember to wipe the PoS system before it gets auctioned off or disposed of? My conjecture in my previous blog entry was that I doubt it -- CompUSA is at high risk of being at the center of a huge credit card compromise. And if some stores are only accepting credit cards right before they close the doors, then they increase the size of the potential exposure.
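To make the storage rules argued over in this thread concrete, here is an added example (my own illustration, not code from this blog, from CompUSA, or from any PCI document). It parses Track 1 or Track 2 magnetic-stripe data, keeps only the elements DSS 3.2.1 lists as retainable (PAN, name, expiration date, service code) with the PAN truncated to first six and last four digits, drops the discretionary data that carries CVC1/PVV, and then audits a stored blob for the things that must not be there after authorization: full track data, an unmasked PAN, or a labeled CVV2/PIN value. The track layouts follow ISO/IEC 7813; the sample tracks and the log line are constructed for this example using the well-known 4111111111111111 test PAN, and the labeled-field patterns are a heuristic of mine, not part of the standard.

```python
"""Added example: build the retention record PCI DSS permits from raw
magnetic-stripe data, then audit stored data for what DSS 3.2 forbids.
Sample data below is constructed; 4111111111111111 is a standard test PAN."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track layouts per ISO/IEC 7813 (assumed here, not taken from the blog):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Discretionary data carries CVC1/CVV1 and the PVV and may never be retained.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


@dataclass
class RetentionRecord:
    """Only the DSS 3.2.1 'may be retained' elements, with the PAN truncated."""
    masked_pan: str
    expiration: str             # YYMM
    service_code: str
    name: Optional[str] = None  # Track 2 carries no cardholder name


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; distinguishes PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only (the DSS 3.3 display maximum)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def to_retention_record(track: str) -> RetentionRecord:
    """Parse one track and keep only what DSS allows; discretionary data is discarded."""
    m = TRACK1_RE.match(track) or TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a well-formed Track 1 or Track 2 string")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    name = m.groupdict().get("name")        # absent for Track 2
    return RetentionRecord(masked_pan=mask_pan(m["pan"]), expiration=m["exp"],
                           service_code=m["svc"], name=name.strip() if name else None)


def serialize(rec: RetentionRecord) -> str:
    """Flat form of the record, as it might be written to a register log."""
    return "pan=%s exp=%s svc=%s name=%s" % (rec.masked_pan, rec.expiration,
                                            rec.service_code, rec.name or "")


# Patterns for data that must not be present after authorization (DSS 3.2.1-3.2.3).
# The labeled-field pattern is a heuristic for audit logs, not a rule from the standard.
_FULL_TRACK1 = re.compile(r"%B\d{13,19}\^[^^]*\^\d{7}")
_FULL_TRACK2 = re.compile(r";\d{13,19}=\d{7}")
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
_LABELED_SECRET = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cid|pin(?:[ _]?block)?)\s*[:=]\s*[0-9a-f]{3,16}\b")


def audit_stored_blob(blob: str) -> List[str]:
    """Return the kinds of forbidden cardholder data found in a stored blob."""
    findings = []
    if _FULL_TRACK1.search(blob):
        findings.append("full track 1")
    if _FULL_TRACK2.search(blob):
        findings.append("full track 2")
    if any(luhn_ok(run) for run in _DIGIT_RUN.findall(blob)):
        findings.append("unmasked PAN")
    for m in _LABELED_SECRET.finditer(blob):
        findings.append("labeled " + m.group(1).lower())
    return findings


# Constructed sample data (test PAN, fictitious name, made-up discretionary data).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890123?"
# A constructed line of the kind a careless register log might keep.
BAD_LOG_LINE = ("2008-01-28 12:00:01 AUTH OK "
                "track2=;4111111111111111=25121011234567890123? cvv2=123")

if __name__ == "__main__":
    rec = to_retention_record(SAMPLE_TRACK2)
    print(serialize(rec))                   # masked PAN, no discretionary data
    print(audit_stored_blob(serialize(rec)))  # []
    print(audit_stored_blob(BAD_LOG_LINE))  # ['full track 2', 'unmasked PAN', 'labeled cvv2']
```

The point of the split is that a record produced by `to_retention_record` is all a merchant needs for the 18-month dispute window (truncated PAN plus the signed receipt), while anything that makes `audit_stored_blob` return a non-empty list is exactly what turned the TJX and OfficeMax back ends into targets. Running the audit over register logs and branch-server exports before a system is sold or auctioned is a cheap check that the drives hold nothing worth stealing.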