[Dataloss] TJX breach shows that encryption can be foiled

DAIL, ANDY ADAIL at sunocoinc.com
Tue Apr 3 14:33:31 UTC 2007


Some attorneys and CPAs will make the case that you should retain
transaction records for a period of 7 years in the event of a tax audit.
This requirement does not necessarily include the credit card number,
just a record of the transaction.  The only reason to store the number
would be in the event of a charge-back, but if you have the card number
only, and the date & transaction amount, you can still deal with the
charge-back.  Another reason might be to attempt to data-mine purchases
by a specific card number and attempt targeted advertising, or sell the
demographic data.  Still, that's something I'd outsource and get that
data off of MY servers.


However, if you are storing any track data after the authorization
you're in violation of the PCI-DSS v1.1 in a couple of places.  The
preface of 1.1 states quite clearly:  ** Sensitive authentication data
must not be stored subsequent to authorization (even if encrypted).


Section 3 deals specifically with data retention and again states not to
retain data after authorization.
It does provide a caveat, but unless you're in the data mining business,
I can't think of a reason (at least in our business model) that we'd
want to retain this data one second longer than necessary:

[Quote] PCI DSS v1.1 section 3.2.1 In the normal course of business, the
following data elements from the magnetic stripe may need to be
retained: the accountholder's name, primary account number (PAN),
expiration date, and service code. To minimize risk, store only those
data elements needed for business. NEVER store the card verification
code or value or PIN verification value data elements. Note: See
"Glossary" for additional information. [End Quote]

If you stop and think about the liability you take upon yourself when
you allow this data to reside in your company, you'd probably purge your
servers of it as expeditiously as possible.  A good analogy, I think,
would be this:  Keeping card data you are not actively using is like
agreeing to allow a friend to store his illegal drugs at your house
because the police are watching his house.

It just doesn't make sense to take that kind of risk, and it is the sort
of risk that provides no sort of positive return.  It's just risk that
sits there waiting for the law of averages to bite you.
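The rule Andy lays out above (retain at most the four stripe elements 3.2.1 permits, and never the verification values or track data, encrypted or not) reduces to a small data-minimization step that runs the moment authorization comes back. The code below is an added example for this thread, not something TJX, the PCI council or any list member published. It assumes the ISO/IEC 7813 format-B layout for track 1 (`%B<PAN>^<NAME>^<YYMM><service code><discretionary data>?`); the track string, the card number and the record keys (`cvv`, `pin_block`, `txn_date`, `amount`) are constructed for the example.

```python
"""Post-authorization data minimization per the PCI DSS v1.1 s.3.2.1 text quoted above.

Two jobs: (1) keep only the stripe elements the business actually needs, and
(2) flag anything that is sensitive authentication data so it can be purged.
Added example code; field names and the sample track are constructed.
"""
import re
from typing import Dict, Iterable, List

# Stripe elements s.3.2.1 says *may* be retained (and only if needed for business).
RETAINABLE = ("cardholder_name", "pan", "expiration_date", "service_code")

# Sensitive authentication data: must not exist after authorization, even encrypted.
# Matched by field *name*, not value, precisely because ciphertext is no excuse.
SENSITIVE_AUTH_DATA = frozenset({
    "track1", "track2", "track_data", "discretionary_data",
    "cvv", "cvv2", "cvc", "cvc2", "cid", "card_verification_value",
    "pin", "pin_block", "pvv", "pin_verification_value",
})

# ISO/IEC 7813 track 1, format code B. The LRC that follows '?' is omitted.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Constructed sample (4111... is a widely used test PAN, not a live card).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^091210100001234567890?"


def parse_track1(track1: str) -> Dict[str, str]:
    """Split a format-B track 1 string into named fields.

    Discretionary data is where issuers place PVV/CVV-style values, so it is
    surfaced under its own key only so the caller can see it get dropped.
    """
    m = TRACK1_RE.match(track1)
    if not m:
        raise ValueError("not a format-B track 1 string")
    return {
        "pan": m.group("pan"),
        "cardholder_name": m.group("name"),
        "expiration_date": m.group("exp"),
        "service_code": m.group("svc"),
        "discretionary_data": m.group("disc"),
    }


def minimize_after_authorization(record: Dict[str, str],
                                 needed: Iterable[str] = RETAINABLE) -> Dict[str, str]:
    """Return the subset of `record` that may live on after authorization.

    - sensitive authentication data is always dropped;
    - stripe elements are kept only if listed in `needed` ("store only those
      data elements needed for business");
    - ordinary transaction fields (date, amount, auth code) pass through,
      which is all a charge-back dispute actually requires.
    """
    needed = set(k.lower() for k in needed)
    not_allowed = needed - set(RETAINABLE)
    if not_allowed:
        raise ValueError(f"not retainable under 3.2.1: {sorted(not_allowed)}")
    kept: Dict[str, str] = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_DATA:
            continue
        if k in RETAINABLE and k not in needed:
            continue
        kept[key] = value
    return kept


def retention_violations(stored_record: Dict[str, str]) -> List[str]:
    """Names of fields in a stored record that s.3.2.1 says must never be kept."""
    return sorted(k for k in stored_record if k.lower() in SENSITIVE_AUTH_DATA)


if __name__ == "__main__":
    auth_response = dict(parse_track1(SAMPLE_TRACK1),
                         track1=SAMPLE_TRACK1, cvv="123",
                         txn_date="2007-04-03", amount="19.99")
    print("violations before purge:", retention_violations(auth_response))
    kept = minimize_after_authorization(auth_response, needed=("pan",))
    print("retained for charge-backs:", kept)
    print("violations after purge:", retention_violations(kept))
```

Running `retention_violations` over what is actually on disk, rather than over what the data-handling policy says should be there, is the check that would have answered Sean's question about TJX before the auditors did.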




-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Sean Steele
Sent: Tuesday, April 03, 2007 9:01 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled


I'm familiar with PCI-DSS standards for DAR encryption for cardholder
information, but less sure of retention requirements.

Does anyone know conclusively if TJX was simply retaining cardholder
data per regulations?

-Sean

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of DAIL, ANDY
Sent: Tuesday, April 03, 2007 9:49 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled



I don't care if you're using 1024 bit encryption with an atomic
booby-trap, there is no business reason to retain that much card data
for such a long period after authorization. Especially magnetic track
data!!

In the final analysis, if the data were not being retained, the data
could not be stolen.

TJX is a perfect case-in-point of a retailer who is afraid to purge
historical data, or does not spend the effort to triage the data to
determine what is obsolete.  Data Management policy anyone?



-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
Sent: Monday, April 02, 2007 5:42 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled



On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote:

> It should make for a short list of suspects, assuming TJX was doing a
> reasonable job of key management...

That (reasonable key management) is a critical assumption.

I'd be interested in learning what algorithm (and implementation
thereof) they were using, as well.

Not holding my breath on that info :^)

cw
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss Tracking more than 203 million compromised
records in 609 incidents over 7 years.

This message and any files transmitted with it are intended solely for
the designated recipient and may contain privileged, proprietary or
otherwise private information. Unauthorized use, copying or distribution
of this e-mail, in whole or in part, is strictly prohibited. If you have
received it in error, please notify the sender immediately and delete
the original and any attachments.