Visa pulls Heartland and RBS WorldPay from PCI DSS compliance list

I think I have asked the question before, but I'll ask it again ... where did the PINs come from?  Undoubtably, $9 million is a lot of money to extract from ATMs around the world, but how can it be done without the PINs?  The only way of obtaining PINs, as far as I am aware, is by shoulder surfing, using video cameras to act as surrogate shoulder surfers, or by tweaking POS equipment to steal the PIN as it is keyed.  As PINs are present only at the terminal and, in the case of online PIN, encrypted in the authorisation request, these are the only places they could be harvested.  It doesn't seem likely that the crims were shoulder surfing individual cardholders and then collecting the card details from blagged authorisation and settlement messages - that looks too much like hard work.  If it really was a $9 million scam, the only possibility I can think of is that the (online PIN) authorisation messages were compromised, along with the PIN encryption keys, or someone, somewhere, somehow, has cracked the cryptography!  

PCI:DSS, or as we used to say, "good practice", is simply a list of sensible things to do - it was "invented" because some transaction processing wizzkids wouldn't recognise good practice if it was standing in front of them with a big "good practice" stick in one hand, a "good practice" notebook and pen in the other, and was wearing a tee-shirt proclaiming in big letters: "I am good practice practitioner".  PCI:DSS was mandated because the transaction processing world were in the habit of leaving the gate open; PCI:DSS might now be closing the gate, but it doesn't look like the lock works particularly well. 

So, the transaction and cardholder data has been compromised.  That's clearly not good, and it's certainly not "good practice", but the question about the PINs remains, and questions relating to encrypted PINs ought to be considerably more concerning than the headline grabbing breach in security that allowed access to the data in the first place.

By some means, it seems that the crims have got hold of $9 million worth of PINs.  Why is no one concerned???  And, can anyone tell me how they did it?

Dave, you are assuming that to use a card you need a pin.  This isn't the case.  Any CNP transactions e.g. internet purchases will not require a pin.

Steve

I can only assume that visa is desperate to not have PCI and their card processing methodologies lose all credibility. It hasn't really protected anyone so far has it? If so who? Their whole approach just leads to tears as far a I can see. Expensive and unreliable. Merchants just want to sell stuff. Just because you slap a dreamy standard on something doesn't mean it will be possible to comply, or that even compliance will make any difference.

Steve, the article refers to a "global ATM heist", not internet purchases.

I agree with David. This is very disturbing. Having the PINs encrypted at all time, in environments like this, has been a requirement long before PCI DSS came around.

Thanks Adam.

Steve, it says it was an ATM scam, which means PINs.  What I don't understand is where did the PINs come from.  Also, something else I don't understand: if the scam involved multiple copies of cards, the crims couldn't have extracted more per day than the account withdrawal limit.  

This whole story makes no sense.  Please, someone tell me how it was done, that I might sleep easily.