[ISN] Visa warns software may store customer data

InfoSec News isn at c4i.org
Mon Mar 20 03:46:56 EST 2006


http://news.com.com/Visa+warns+software+may+store+customer+data/2100-1029_3-6051261.html

By Greg Sandoval 
Staff Writer, CNET News.com
March 17, 2006

A popular piece of software that retailers use to control debit-card
transactions may inadvertently store sensitive customer information,
including PIN codes, Visa says.

Two versions of cash-register software made by Fujitsu Transaction
Solutions are under scrutiny, according to a warning Visa issued to
the companies that process card transactions for some of the nation's
largest retailers. A Visa representative confirmed that the warning
was sent.

Fujitsu's retail customers include Best Buy, Staples and OfficeMax,
but it is not known which companies use the software Visa claims is
flawed.

Visa's warning, which was first reported by The Wall Street Journal on
Friday, has raised eyebrows in the financial and retail sectors. The
software was flagged at a time when thousands of debit-card holders
across the country have reported unauthorized withdrawals from their
accounts.

Bank of America, Washington Mutual and Citibank are among the
financial institutions that have replaced more than 200,000 debit
cards in the past two months and have told customers that thieves
obtained vital debit-card information as a result of a security breach
at a large merchant.

One commonality among the fraud victims, according to law enforcement
and banking officials, is that most had shopped at one of Fujitsu's
clients: OfficeMax.

The office-supply retailer has said that it has found no indication
that it suffered an illegal intrusion. Fujitsu, which did not return
repeated phone calls from CNET News.com on Friday, denied that its
software has had anything to do with any alleged security breach. A
representative for the company told the Journal that customer data,
such as PIN codes, could not be stored using just its software. Other
software tools would have to be added.

Major credit-card companies have banned the storing of customer data
and can fine merchants who do store such data. The fear is that
customer information may be a sitting duck for hackers should it be
left in a company's computer system.

What may be more worrisome for consumers is that it's not uncommon for
merchants to accidentally stockpile their customers' data, says
Branden Williams, a principal consultant at computer-infrastructure
firm VeriSign.

Among VeriSign's offerings is an assessment of a company's computer
systems to ensure they meet the security standards required by the
big credit-card firms.

During his white-glove inspections, Williams said, he has often found
software that would trap customer data, including PIN information,
without the retailer's knowledge. Big companies working with complex
systems are more prone to such slipups, he said.

"You could totally understand how they could forget to turn off some
switch," he said.

But Williams said there's no reason for the problem to go unchecked.
Not only are there companies like VeriSign that will monitor system
security, but Visa also offers a list of software products proven not
to store data.

Neither of the Fujitsu products, RAFT and GlobalStore, is among the
products approved by the major credit-card companies. This doesn't
mean that the software doesn't meet industry standards. It only means
that the software hasn't undergone the review process needed for
sanctioning by the group, according to a note on Visa's site.

"It's really the responsibility of a company doing business to protect
their customers," said Williams. "Especially when you consider what's
at stake: identity theft, bad public relations and potential fines.
Software vendors should also have their applications checked for any
vulnerabilities that could lead to a security breach."
