What If South Carolina Were A Retailer?

Written by Walter Conway
November 7th, 2012

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

The recent theft of cardholder data from the State of South Carolina’s computer systems presents an interesting question: What would happen if South Carolina were a retailer? What would the state do, and what would be the reaction of the state’s acquirer and the card brands to the data breach?

To recap briefly, the state announced in early November that hackers had stolen 387,000 payment-card numbers from the state’s tax office. According to this Reuters story, 16,000 of those payment-card numbers were not encrypted. As a result of the loss of the card data—together with the 3.6 million Social Security Numbers and the tax records of 657,000 businesses, none of which was presumably encrypted—the state is looking at a $12 million bill to provide one year’s worth of credit monitoring and identity theft protection to those affected.

South Carolina’s governor has been visible throughout the episode, which also is encouraging. I read one report, however, that quotes the governor as saying: “The industry standard is that most Social Security Numbers are not encrypted. A lot of banks don’t encrypt. A lot of those agencies that you think might encrypt Social Security Numbers actually don’t, because it’s very complicated, it’s cumbersome and there’s a lot of numbers involved with it. So it’s not just that this was a Department of Revenue situation; this is an industry situation.”

If that quote is accurate, it sounds a bit too similar to what may be called the “Barbie defense”, after the infamous ill-fated talking Barbie Doll that whined: “Math class is tough.” Yes, encryption is “tough” (and encryption key management is even tougher). But I bet the state could have managed to encrypt all its data for a lot less than the $12 million South Carolina is spending on identity theft protection for its citizens.

Going even further, PCI DSS provides a pretty solid roadmap for protecting all PII, not just cardholder data. This is a lesson many organizations in both the private and the public sectors have learned.

Leaving aside the loss of all the PII, though, I wonder how the state will be treated versus a retailer that loses 387,000 payment cards, 16,000 of which were in the clear (i.e., not encrypted).

The first step a retailer would take is to implement its Incident Response Plan, which it looks like the state did. Your company has one of those, right? PCI DSS requires an Incident Response Plan in Requirement 12.9, which, unfortunately, is the very last PCI DSS requirement. PCI DSS also requires that the plan include some detail on assigning responsibilities, that it be tested annually and that it be updated to reflect changing circumstances.

After notifying your acquirer, the retailer would likely be told to conduct a forensic investigation. Again, it looks like the state is taking this step, too.

I have no idea if the State of South Carolina has a QSA, but I suspect somebody was paying attention to PCI DSS compliance, because the bulk of the compromised payment cards were encrypted. If that is the case, where did those 16,000 unencrypted card numbers come from? No QSA would let that situation get past him or her unless he or she didn’t know about it. I hope somebody in South Carolina also spends a few minutes looking into what information the state shared with its QSA and determines conclusively whether something slipped through the cracks or whether there might be a “rogue” operation taking payment cards and not following the rules.

Another outcome we have yet to see is whether any fines or sanctions will come from the card brands. The card brands have fined retailers and even not-for-profit institutions like colleges and universities for cardholder data breaches. Will they fine a state? Any retailer that managed to lose this many payment cards would certainly expect a sizeable fine, but does it make sense to fine a state (which will just tax its citizens—the victims—to pay it)? On the other hand, if there is no financial penalty, is it fair to retailers to have two sets of consequences for data breaches: one for retailers and one for government businesses?

Lastly, I wonder whether the acquirer will impose ongoing sanctions on the state, such as holding transactions in reserve or raising its merchant fee. Retailers I speak with, especially small retailers like restaurants, often find these sanctions as troubling and damaging as the initial fine, or more so, because the sanctions impair their ability to continue to accept payment cards profitably.

What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me.
