I thought PCI Compliance was supposed to take care of that by defining the standards in network security for POS (Point of Sale) systems?
It did. The article's scenario is a lie. Let me ask you how likely it is that, during the busiest day of the year for this retailer, with thousands of people jammed into long lines, in the one place where there are at least two high resolution cameras pointed at each terminal, a single person or group of persons could plant multiple devices at multiple stores, within a short period of time, and then remove them after, without leaving any photographic or forensic evidence.
Because guys, that's the story that law enforcement, in collusion with the company, has released to the general public. So yes, this is a bona fide conspiracy theory. But it's credible because 1. It only takes a small number of people to keep the secret: Target's senior management and information security, and select law enforcement offices. 2. They all have motivations for doing so -- law enforcement is doubtless aware that releasing true details of the crime would (a) expose a weakness in a Fortune 100 company that, besides processing credit card payments, also maintains personal health data at these locations (Pharmacy). The damage to the company, and indeed the country's economy, would be far in excess of the damage to individual creditors' accounts. It makes sense to lie about it. And this story doesn't have to hold forever -- in a few months, when everyone has forgotten about it, the truth will emerge in a court filing when they bring the people responsible up on charges.
Now, all that said -- here's the more likely scenario, which is based on my short employment with this corporation: They hacked their wifi. Unfortunately, Target has repeatedly opted to silence, or even fire, people who object to their security policy, so I do not feel bad about making this public. Target is run by morons -- big surprise, it's a large corporation. Anyone who's worked in IT will have similar experiences -- it's hardly just Target. In this case, they allow full access to any server within their corporate network at each retail location, isolated only by primitive subnet routing to delineate what is and isn't allowed through the choke router. And that's it. Once you're logged into the network anywhere, it's a flat network topology and you can easily make contact with any other node on the network. Every store has multiple wifi routers, and while they do change the keys on a regular basis, it's not all the keys, and not on all the routers -- specifically, they use an inventory-management system within the stores (those bulky "guns" you see the red shirts carrying) which depends on wifi.
There have been breaches to the network in the past through its wireless access points. These are not generally known to the public, but they have happened, and it has resulted in a number of security problems. Besides the customers' credit card data being stored on POS systems which are booted off DHCP to embedded Windows, there's also the IP-based cameras. There are an average of 20 or so at each store, and they use an embedded webserver in each of them, which stream to a central source. The password for the approximately 42,000 devices is the same on each, and is not changed often, if ever, because the firmware lacks the ability to change the password programmatically; there's no admin console. Besides the fact that many of these cameras have zoom and rotate features, and some have been known to be installed in positions where rotating the view can show the customers in the changing rooms... they're of sufficiently high quality that you can see the PINs people enter at the POS systems. The cash room, where the money is counted down at the end of every shift, is secured, but also has a camera in it. It's not hard to imagine someone with access to the cameras spying on the managers to acquire their passwords. And that's not even the creepy part: Target has installed ANPR-capable cameras in the parking lots. These cameras are continuously scanning the egress points and recording license plates. Ostensibly to deter shoplifting, this data is also correlated to DMV records to determine the zip codes and certain demographic data available; so-called "non-personally identifiable information". There are also some stores with equipment that monitors the location of active cell phones within the store, plotting out how long customers stand at particular locations (a good indicator of successful advertising), and can uniquely identify and track these customers between stores by using the MAC address embedded in their bluetooth-enabled phones.
And everything I have described meets PCI compliance. I suppose you were expecting something more out of government regulation -- peace of mind, maybe? A sense of security? Let's be clear: Those protocols are there to protect the vendors, not you. Financial systems are designed to be tamper evident, not tamper resistant. Everything is audited and recorded, but access to the data streams and transaction records is not well protected.
Credit card fraud is a multi-billion dollar "black" industry. It's all tracked. Every fraudulent transaction is dutifully recorded and then processed. Little is done to stop it because what's a few billion in fraudulent charges amongst a multi-trillion dollar ledger? These guys got creative -- they didn't go after the POS systems, they went after the network. Perhaps fortunately for the customers of Target (and indeed, most retailers), they're only interested in data they can flip on the black market quickly -- a few thousand credit card numbers might be worth ten grand. But the health care data and ANPR records, changing room video, etc., is probably subjectively worth more to us than a number on a piece of plastic. It is fortunate that there is no black market for that data as well, or society would have a very big problem on its hands -- one not easily dismissed as "the cost of doing business."
Again, while I have personal experience with Target, I don't mean to pick on them. All large businesses are the same -- too wrapped up in bureaucracy and blind adherence to policy to be either efficient or effective. All large businesses survive not on intelligent and guided actions, but by inertia -- to borrow from Mr. Newton: "a profit in motion stays in motion until acted upon by an outside force." This level of incompetence is very common in the industry. It just isn't talked about publicly -- and most who do are quietly disappeared or put on watch lists. If people knew how vulnerable our informational infrastructure is, they'd probably be loudly demanding reform. In a career that is viewed as a cost center where every budget-saving move is viewed favorably regardless of what it sacrifices, I rather hope they do find out... but I also know that it's not realistic. After all, in just this one tiny example, you can see how law enforcement was co-opted to tell a little "white lie" on behalf of profit. How do you think they'd view someone telling the world the barn door's open, the cows are gone, everything's on fire, and the farmer is drunk? -_-