13 Jul
How paymentsandco.com could have prevented the Macy’s card breach
Macy’s says cyberthieves hacked the accounts of thousands of the retailer’s online customers, compromising people’s full names as well as their credit card numbers and expiration dates.
The attack, which occurred over roughly six weeks between the end of April and the beginning of June before being shut down, affected consumers registered on Macys.com or Bloomingdales.com. Logins and passwords were taken from sites unrelated to the retailers and then used to access data on both sites.
“We are aware of a data security incident involving a small number of our customers,” a Macy’s spokesperson said in a statement to CBS MoneyWatch. “We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures.”
Customers potentially impacted by the breach have been notified and offered free consumer protection services, the retailer said.
How Paymentsandco.com could have prevented the Macy’s card data breach
- create a new payment compliance strategy – the breach looks like an online attack, and it was made easier for the attackers because card data and user profiles are linked together. There is clearly a link here between usernames and passwords and the customers’ credit cards; we would disassociate the two. Why would any company want to keep these two together? They have no reason to be together, and contemporary payment architectures devalue and fragment data by separating them.
- Tokenise customer cards – we have just implemented our tokenisation service for a client. We still allow customers to register; however, when it comes to customers registering their card, this is not done on the merchant’s website but forwarded to the acquiring bank. The card is converted into a token and kept away from the merchant. The token is then returned to the admin team, and this is the record that is kept and can be charged by the admin team. The only entity that knows the relationship between the card and the token is the bank. This clearly involves more work, but it would have saved Macy’s a lot of embarrassment and boosted customer confidence.
- never keep customer card data – PAN data or the CVV should never be kept and should never be used in the operation of the business. Macy’s is a good retailer and should stay that way; it is not a security company, and it should leave security to the people who have dedicated teams and technology to deal with such attacks.
- manage all 3rd parties – we would radically review all 3rd parties involved in taking card payments and take away their access to customer card data, simply because no 3rd party has any use for PAN data. All 3rd parties would be managed to ensure they document how their systems handle card data.
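The tokenisation flow in the second point, together with the profile/card separation argued in the first, as an added Python sketch (not the paymentsandco.com service or any real acquirer API): the AcquirerVault, MerchantSite, token format and sample card are assumptions constructed for this example.

```python
import secrets

# Constructed sample card, as a customer would enter it at registration.
SAMPLE_PAN = "4111111111111111"


class AcquirerVault:
    """Assumed acquiring-bank tokenisation service: the only holder of the PAN/token mapping."""
    def __init__(self):
        self._cards = {}  # token -> (pan, expiry)

    def tokenise(self, pan, expiry):
        # Random token, not derived from the PAN, so it cannot be reversed without the vault.
        token = "tok_" + secrets.token_hex(12)
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token, amount_pence):
        pan, _expiry = self._cards[token]
        # A real acquirer would forward this to the issuer; the merchant only learns the outcome.
        return {"approved": True, "amount": amount_pence, "last4": pan[-4:]}


class MerchantSite:
    """The retailer's account store: profiles and tokens, never a PAN or CVV."""
    def __init__(self, vault):
        self.vault = vault
        self.profiles = {}  # username -> {"name": ..., "card_token": ...}

    def register(self, username, full_name):
        self.profiles[username] = {"name": full_name, "card_token": None}

    def add_card(self, username, pan, expiry):
        # The card is forwarded to the acquirer; only the returned token is kept.
        self.profiles[username]["card_token"] = self.vault.tokenise(pan, expiry)

    def charge_customer(self, username, amount_pence):
        return self.vault.charge(self.profiles[username]["card_token"], amount_pence)

    def stores_pan(self, pan):
        # The check that matters after a breach: is the PAN anywhere in the merchant's data?
        return pan in repr(self.profiles)


def demo():
    vault = AcquirerVault()
    shop = MerchantSite(vault)
    shop.register("alice", "Alice Example")
    shop.add_card("alice", SAMPLE_PAN, "12/27")
    receipt = shop.charge_customer("alice", 4999)
    # A login reused from another site (the path described above) reaches only this profile.
    return shop.profiles["alice"], receipt, shop.stores_pan(SAMPLE_PAN)
```

With this split, an account compromised through reused credentials yields a name and a token that only the acquirer can resolve, which is the "devalue data" outcome the first point asks for.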
Point to note – Macy’s would have been signed off as PCI compliant, but clearly this did not make them secure; our approach goes beyond PCI compliance by reducing the likelihood of a breach occurring across each payment channel.
We would track every payment channel at Macy’s via our payment dashboard below.