Visa warns software may store customer data
By Greg Sandoval, CNET News.com
Published on ZDNet News: March 17, 2006, 7:07 PM PT
Source: http://news.zdnet.com/2100-1009_22-6051261.html
A popular software that retailers use to control debit-card transactions may
inadvertently store sensitive customer information, including PIN codes,
says Visa.
Two versions of cash-register software made by Fujitsu Transaction Solutions
are under scrutiny, according to a warning Visa issued to the companies that
process card transactions for some of the nation's largest retailers. A Visa
representative confirmed that the warning was sent.
Some of Fujitsu's retail customers include Best Buy, Staples and OfficeMax,
but it is not known which companies use the software Visa claims is flawed.
Visa's warning, which was first reported by The Wall Street Journal on
Friday, has raised eyebrows in the financial and retail sectors. The
software was flagged at a time when thousands of debit-card holders across
the country have reported unauthorized withdrawals from their accounts.
Bank of America, Washington Mutual and Citibank are among the financial
institutions that have replaced more than 200,000 debit cards in the past
two months and have told customers that thieves obtained vital debit-card
information as a result of a security breach at a large merchant.
One commonality among the fraud victims, according to law enforcement and
banking officials, is that most had shopped at one of Fujitsu's clients:
OfficeMax.
The office-supply retailer has said that it has found no indication that it
suffered an illegal intrusion. Fujitsu, which did not return repeated phone
calls from CNET News.com on Friday, denied that its software has had
anything to do with any alleged security breach. A representative for the
company told the Journal that customer data, such as PIN codes, could not be
stored using just its software. Other software tools would have to be added.
Major credit-card companies have banned the storing of customer data and can
fine merchants who do store such data. The fear is that customer information
may be a sitting duck for hackers should it be left in a company's computer
system.
What may be more worrisome for consumers is that it's not uncommon for
merchants to accidentally stockpile their customers' data, says Branden
Williams, a principal consultant at computer-infrastructure firm VeriSign.
One of VeriSign's offerings is that it will assess a company's computer
systems to ensure they meet security standards required by the big
credit-card firms.
During his white-glove inspections, Williams said, he has often found
software that would trap customer data, including PIN information, without
the retailer's knowledge. Big companies working with complex systems are
more prone to such slipups he said.
"You could totally understand how they could forget to turn off some
switch," he said.
But Williams said there's no reason for the problem to go unchecked. Not
only are there companies like VeriSign that will monitor system security,
but Visa also offers a list of software products proven not to store data.
Neither one of the Fujitsu products, RAFT and GlobalStore, is among the
products approved by the major credit card companies. This doesn't mean that
the software doesn't meet industry standards. It only means that the
software hasn't undergone the review process needed for sanctioning by the
group, according to a note on Visa's site.
"It's really the responsibility of a company doing business to protect their
customers," said Williams. "Especially when you consider what's at stake:
identity theft, bad public relations and potential fines. Software vendors
should also have their applications checked for any vulnerabilities that
could lead to a security breach."
|
|