Target says that 40 million credit card numbers could have been stolen by hackers.
But here’s my problem with that.
As someone who has access to a merchant account, not only am I contracturally-obligated to remove credit card numbers from my computer after I run them through the “virtual merchant” website, the PCI compliance crap I have to recertify every year also requires me to keep a scanner program running in the system tray that checks on a regular basis to see if I’ve inadvertently (or hell, advertently) managed to do that anyway. Bottom line: I have no credit card numbers sitting around for anyone to hack off of my computer.
So what in the hell was Target doing with 40 million credit card numbers sitting around in its billing systems in the first place? I understand the concept of batch processing credit card transactions, but you’re supposed to DELETE the card numbers after you process them! Were they that far backlogged, for crying out loud? But even more importantly, why were those billing systems directly connected to the Internet, and not tied into a VPN or other private, non-outwardly-facing network? The only thing that would have to be connected to the Internet would be the machine sending the batches to the credit card processor, and it could be disconnected until needed.
I’m just damn glad that neither Sally nor I bought anything in a Target store between November 27 and December 15. We both know we haven’t been to Target since before September 30, when she had her hip operation.