I've been catching up with the latest Target breach details, and current speculation is that the retailer may not have been complying with PCI DSS regulations in a number of ways. Can you shed any light on the incident? What PCI provisions may have been violated?
Available details about the true cause of the Target breach are still sparse, but reports have indicated that the retailer may have used a software package in its environment called Performance Assurance for Microsoft Servers. In a recent analysis, industry expert Brian Krebs noted that the attack leveraged an account named "Best1_user." BMC Software Inc., the company behind Performance Assurance, has a knowledge base article indicating that the "Best1_User" account is used for administrative actions within the software, though the company states that the account cannot be used to log in to a system interactively. (Since Krebs' story was published, BMC Software has released a statement denying that flaws in its products were involved in the Target breach, and adding that the company has heard from neither Target nor investigators on the matter.)
Performance Assurance is a systems management package that, when used to manage cardholder data environments, is clearly within the scope of the Payment Card Industry Data Security Standard (PCI DSS). If the allegations about a default password are true, the use of Performance Assurance in this manner may not comply with PCI DSS requirements. The smoking gun may lie in BMC's knowledge base article, which states, "If the system administrator changes the account password from the default to something else, the Best1_User account can no longer be used by the BPA agent for sending MAPI e-mail and the Investigate script action features will not function (it would be similar to the behavior if the Best1_User account did not exist)." In other words, the vendor's own documentation says that keeping the vendor-supplied default password is a precondition for some of the product's features to work, which is exactly the situation PCI DSS forbids.
Target may have run afoul of a number of relevant PCI DSS provisions. First, PCI section 2.1 mandates that organizations "always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network." The standard goes on to state, "This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts…."
It is hard to imagine how Target could have been PCI compliant while using Performance Assurance with the Best1_User account at its default password. In addition, the password length, complexity and change-interval provisions contained within PCI DSS Requirement 8 are also likely to present compliance challenges for an account whose password the vendor says should not be changed.
The moral of the story is that businesses should remember that PCI DSS applies to all systems in, or connected to, the cardholder data environment, not just those that directly store, process or transmit cardholder data!
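As an added illustration of the kind of check an assessor or administrator would run for the two provisions above (this is example code written for this column, not anything from BMC, Target or the PCI SSC), the following PowerShell script audits a single Windows server for the Best1_User account. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, and the $InstallDate parameter is a hypothetical value you would take from your own change records; the 90-day interval is the PCI DSS v3.0 Requirement 8.2.4 rotation period.

```powershell
# Added example (not from the original column): audit a Windows host for a
# vendor-supplied default account against PCI DSS Requirement 2.1 (defaults
# changed, unnecessary default accounts removed or disabled) and the
# Requirement 8 password-rotation interval. Run locally on each in-scope
# server, or wrap it in Invoke-Command to run it across the fleet.
param(
    [string]$AccountName = 'Best1_User',
    # Hypothetical: the date the agent was installed, taken from your change records.
    [datetime]$InstallDate = (Get-Date '2012-01-01'),
    [int]$MaxPasswordAgeDays = 90
)

$findings = @()
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    "[$env:COMPUTERNAME] $AccountName not present: nothing to remediate"
    return
}

# Requirement 2.1: unnecessary default accounts must be removed or disabled.
if ($user.Enabled) {
    $findings += "$AccountName is enabled"
}

# Requirement 2.1: the vendor-supplied default password must be changed.
# A PasswordLastSet at or before the install date means it was never rotated.
if (-not $user.PasswordLastSet -or $user.PasswordLastSet -le $InstallDate) {
    $findings += "$AccountName password unchanged since install (PasswordLastSet=$($user.PasswordLastSet))"
}

# Requirement 8.2.4: passwords changed at least every 90 days.
if ($user.PasswordLastSet -and ((Get-Date) - $user.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
    $findings += "$AccountName password older than $MaxPasswordAgeDays days"
}

# Privilege check: a default account in the local Administrators group is far
# more dangerous than a restricted service account.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.Name -like "*\$AccountName" }) {
    $findings += "$AccountName is a member of local Administrators"
}

if ($findings) {
    $findings | ForEach-Object { "[$env:COMPUTERNAME] FAIL: $_" }
} else {
    "[$env:COMPUTERNAME] PASS: $AccountName is disabled, rotated and non-privileged"
}
```

A FAIL on the "password unchanged since install" line is the condition the BMC knowledge base article describes: the account still works as the vendor shipped it, which is precisely what Requirement 2.1 prohibits. Note that the script only proves the password was set at some point after install; it cannot confirm the new value meets the Requirement 8 complexity rules, which is why that check is usually done as part of the password policy review rather than per account.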
This was first published in February 2014