As a result of the massive cyber-attack on its point-of-sale (POS) systems, Home Depot is accelerating its move to EMV chip and PIN cards. The company said all stores will be equipped with such terminals by the end of 2014.
The imposition of chip-and-PIN terminals will reduce Home Depot's exposure in the future, but is unlikely to do anything in the short term to protect customers holding the 56 million payment card numbers that were compromised in the cyber-attack.
The Home Depot data breach, first disclosed by the retailer in early September, affected purchases at stores in the United States and Canada between April and September 2014. According to Home Depot's announcement, the breach did not affect stores in Mexico, and did not expose PIN numbers.
Canadian Home Depot stores are already equipped with EMV card readers. However, cards from those stores were also compromised and could still be used for fraudulent remote purchases.
Although counterfeit cards bearing account numbers exposed in the breach now can't be used at Home Depot, they could still be used at stores that haven't upgraded beyond magnetic-strip readers. In addition, those cards would remain vulnerable to "card not present" transactions such as phone and Internet purchases.
In its most recent statement, Home Depot said it learned of the breach from law enforcement and banking partners who were able to correlate payment card numbers offered for sale on a Russian cyber-crime site with Home Depot store locations.
According to several security researchers reached by eWEEK, such lists of credit and debit cards frequently provide location information so that criminals can use the cards where they will be the least likely to raise suspicion.
The company said that the malware that was used to steal the payment card information was custom-written for Home Depot's POS system. According to security blogger Brian Krebs, the malware was apparently installed on self-checkout POS terminals.
Krebs reported that the number of compromised cards actually being used was smaller than most banks expect, which may be related to the fact that the malware only existed on those self-service terminals.
Perhaps more important, Home Depot has also completed a project that encrypts all card data. "The company's new payment security protection locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and effectively useless to hackers.
Home Depot's new encryption technology, provided by Voltage Security, has been tested and validated by two independent IT security firms," the company said in its statement. Voltage Security provides a range of enterprise security products and services, including POS encryption.