tpatt100 wrote: » Wait they updated the 40 million originally to 70 million? Now it is 110 million? Wow, Chase emailed me and said my new card was on the way.
fredrikjj wrote: » Once a payment has been validated, why do the stores need to store the credit card number? It seems flawed on a fundamental level.
It depends, primarily on the manner in which they process transactions. If they're clearing transactions in near real-time, then the card number and expiration date should only be needed briefly, and may not even need to be committed to disk. If they are doing batch processing, they may need to hold on to them a bit longer. That's perfectly fine, but there need to be proper protections on that data while they are holding it, and there should be processes in place to ensure they do not hold it longer than necessary. Protections would include encrypting the data (and all the issues of key management entailed therein) on disk and within any kind of long-term memory cache. Part of the job process in cleaning up after clearing should include deletion of the card records, and ideally there should be a cron job that checks for stale card records in the database just in case something went wonky with the batch job. In a standard POS use model there is no good reason to keep card data around after clearing. The transaction and approval numbers should be all that is needed to reference the transaction later if, for instance, a reversal is needed.
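As an added example (editor's code, not posted by anyone in this thread), here is the retention flow the post above describes for a batch-clearing back end: card data lives only in a short-lived table, the batch job deletes it in the same transaction that records the approval code, a cron-style sweeper purges anything older than the retention window in case the batch job went wonky, and a later reversal is looked up by transaction and approval number alone. It uses only the Python standard library with an in-memory SQLite database. Assumptions, all hypothetical: the 24-hour window in STALE_AFTER_SECONDS, the table names, the `clear_with` callback standing in for the processor, and that the PAN is already encrypted by an HSM or tokenization service before this code ever sees it (it stores an opaque blob and does no cryptography itself).

```python
# Added example, not code from the thread. Card-data retention for a
# batch-clearing POS back end. Encryption of the PAN is assumed to happen
# elsewhere; this code only handles an opaque ciphertext blob.
import sqlite3

# Assumed retention policy (hypothetical): card data older than this is
# purged even if the batch never cleared it.
STALE_AFTER_SECONDS = 24 * 3600

SCHEMA = """
CREATE TABLE transactions (
    txn_id        TEXT PRIMARY KEY,
    amount_cents  INTEGER NOT NULL,
    approval_code TEXT,             -- filled in when the batch clears
    cleared_at    INTEGER
);
CREATE TABLE pending_card_data (
    txn_id         TEXT PRIMARY KEY REFERENCES transactions(txn_id),
    pan_ciphertext BLOB NOT NULL,   -- PAN+expiry, encrypted before reaching disk
    captured_at    INTEGER NOT NULL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def capture_sale(conn, txn_id, amount_cents, pan_ciphertext, now):
    """Record a swipe. Card data lands only in the short-lived table."""
    with conn:
        conn.execute("INSERT INTO transactions (txn_id, amount_cents) VALUES (?, ?)",
                     (txn_id, amount_cents))
        conn.execute("INSERT INTO pending_card_data VALUES (?, ?, ?)",
                     (txn_id, pan_ciphertext, now))


def run_batch(conn, clear_with, now):
    """End-of-day clearing. clear_with(txn_id, ciphertext) stands in for the
    processor call and returns an approval code, or None if not approved.
    Approval and deletion of the card record commit together, so a crash
    cannot leave a cleared sale still holding card data."""
    pending = conn.execute(
        "SELECT txn_id, pan_ciphertext FROM pending_card_data").fetchall()
    cleared = []
    for txn_id, ciphertext in pending:
        approval = clear_with(txn_id, ciphertext)
        if approval is None:
            continue            # left for retry; the sweeper still bounds its life
        with conn:
            conn.execute("UPDATE transactions SET approval_code = ?, cleared_at = ? "
                         "WHERE txn_id = ?", (approval, now, txn_id))
            conn.execute("DELETE FROM pending_card_data WHERE txn_id = ?", (txn_id,))
        cleared.append(txn_id)
    return cleared


def sweep_stale(conn, now, max_age=STALE_AFTER_SECONDS):
    """Cron-style safety net: purge card data past the retention window whether
    or not the batch handled it; return the ids so the gap gets investigated."""
    cutoff = now - max_age
    with conn:
        stale = [t for (t,) in conn.execute(
            "SELECT txn_id FROM pending_card_data WHERE captured_at < ?", (cutoff,))]
        conn.execute("DELETE FROM pending_card_data WHERE captured_at < ?", (cutoff,))
    return stale


def reversal_reference(conn, txn_id):
    """A later reversal needs only the transaction and approval numbers."""
    row = conn.execute("SELECT approval_code FROM transactions "
                       "WHERE txn_id = ? AND approval_code IS NOT NULL",
                       (txn_id,)).fetchone()
    if row is None:
        raise LookupError(f"{txn_id} has no approval on file")
    return {"txn_id": txn_id, "approval_code": row[0]}


def card_data_count(conn):
    return conn.execute("SELECT COUNT(*) FROM pending_card_data").fetchone()[0]


def demo():
    """Constructed walk-through: three swipes, one batch, one sweep a day later."""
    conn = open_db()
    t0 = 1_700_000_000                                   # arbitrary epoch seconds
    for i in (1, 2, 3):                                  # placeholder ciphertexts
        capture_sale(conn, f"txn-{i}", 1000 * i, f"opaque-blob-{i}".encode(), t0 + i)

    def fake_processor(txn_id, _ciphertext):             # txn-2 is declined
        return None if txn_id == "txn-2" else f"APPR{txn_id[-1]}"

    cleared = run_batch(conn, fake_processor, t0 + 3600)
    left_after_batch = card_data_count(conn)             # only txn-2 remains
    swept = sweep_stale(conn, t0 + STALE_AFTER_SECONDS + 3600)
    return {"cleared": cleared, "left_after_batch": left_after_batch,
            "swept": swept, "left_after_sweep": card_data_count(conn),
            "reversal": reversal_reference(conn, "txn-1")}


if __name__ == "__main__":
    print(demo())
```

The sweeper deliberately returns what it purged rather than silently deleting: a record that survived to the retention deadline means the batch job failed or the processor never approved, and somebody should look at it. Declined sales keep their card data for a retry, but only until that same deadline.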
bobloblaw wrote: » "The company said it 'began investigating the incident as soon as we learned of it through a leading third-party forensics firm.'" Hmmm... Is it not common practice for a multi-billion dollar company to have a CIRT with well-trained computer forensics personnel? Of course, after having a breach that big you'd probably prefer a third party that isn't trying to cover its own respective butt.
YFZblu wrote: » Answer to that very question on /r/netsec:
antielvis wrote: » What is more scary is these types of incidents are no longer that rare. Where is the responsibility of the business in protecting the data of its customers?
--chris-- wrote: » Going further off the OP, maybe I should start a thread... Why would anyone run cards in batches if real-time is more secure?
lsud00d wrote: » No, @tpatt100, read my post 2 above yours.
the encryption algorithm Target used to protect that data — a standard known as triple DES, or 3DES — is vulnerable in some cases to so-called brute force attacks
On Friday, a Target spokeswoman would not comment on whether the second batch of information stolen from its 70 million customers was encrypted.
the point-of-sale systems customers use to swipe their credit cards are connected to the corporate network like everything else. There is lots of opportunity to compromise individuals through point-of-sale machines and then pivot to the corporate network
Neiman Marcus, confirmed on Friday that it, too, had been breached
Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement.
Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). See NIST Special Publication 800-57 for more information.
W Stewart wrote: » Probably cheaper to batch the credit cards at the end of the day than to pay per transaction.