If you received a phone call from Target’s customer service department about your credit card, you were probably one of the 40 million people whose information was stolen in a recent hack. Target and its customers fell victim to a common hack called RAM scraping. While RAM scraping isn’t new, the Target security breach shows that current PCI compliant security requirements aren’t enough to protect customer data.
How Credit Card Purchasing Works
Before you understand how hackers stole credit card numbers, you first need to know how retail stores process charge card purchases. You give the cashier your credit card, and the cashier swipes your card through a reader. The reader stores your credit card information in memory and sends the data to the merchant account processor. The merchant account processor transmits the data to your bank and then sends an acceptance or denial message back to the cashier.
The most important part of any credit card transaction is encryption. All of these transactions must be encrypted for a retailer to meet security compliance standards. Current PCI security standards require retailers to encrypt all data transferred from the internal retailer network to an external system such as a merchant account processor. However, there are no encryption requirements for data transferred within the retailer’s network, and it’s this issue that allows hackers to access unencrypted credit card information.
RAM Scrapers
RAM scrapers are virus programs injected into a retailer’s network to scan credit card systems for customer information. The program runs in the computer’s background as credit cards are swiped and stored. When a credit card is swiped, the system stores the account number in memory without any encryption. For its ability to steal data from RAM, the virus is given the name “RAM scraper.” These viruses are able to grab not only credit card numbers but any customer information stored in the computer’s memory.
In Target‘s case, the RAM scrapers were installed on multiple computers for several weeks, which is why the hackers were able to steal an enormous amount of data. The hack started with a phishing email sent to a third-party Target vendor. This phishing email revealed key user names and passwords that allowed hackers to inject the virus.
Target’s security breach is just one of several prominent retailers that have fallen victim to RAM scrapers. Walmart, Macy’s and Neiman Marcus have all had credit cards stolen from unencrypted data.
If you own a retail store, you can’t change the way a card reader works, but you can take steps to protect your customers from RAM scrapers. Keep antivirus software installed on cashier computers and don’t connect inside sales computers to the Internet. Instead, have your cashier computers send credit card numbers to a central server that then sends encrypted data to a merchant account processor. This alternative process clears the credit card readers’ data from memory, so only a limited amount of data is exposed to viruses. Avoid giving critical access to third-party vendors when it’s not needed and monitor any strange network activity. You can’t guarantee a hacker won’t uncover a security hole, but these few steps can help deter vulnerabilities.