The Target Corporation Hack

As someone who has had the unenviable job of performing PCI (Personal CardHolder Information) audits for companies in the past, I was a bit shocked when I first heard about the scope of the Target hack, which is reported to possibly reach 110 million card numbers. The problem with this situation is that it simply should never have happened. PCI compliance exists as a self-policing mechanism for companies to validate their internal infrastructure and ensure that everything is set up in such a way as to keep PCI data secure and inaccessible from the outside world.

Now that Target has come out with their initial analysis of the hack, the claim is that the POS (Point of Sale) systems themselves were all compromised via malware. For the hack to happen as Target has suggested, the POS machines must be accepting software updates from a network, which is what would allow the attackers to deliver the malware. If this is true, it's simply not how a company such as Target Corporation should have been handling the security of its POS systems. With this sort of setup, all an attacker would need to do is infiltrate the internal network where the POS systems communicate and compromise a central server likely responsible for updates, or, slightly more bothersome, push the updates to each POS system themselves. Once that was done, all transactions in memory could be sniffed and transmitted out.

Like most have already said, given the nature of the hack I would not be surprised if it involved inside knowledge from a current or former employee.