Spotlight on PCI Compliance as Romanians Plead Guilty to $10m Credit Card Scam

Between 2009 and 2011 a $10m scam aimed at stealing credit and debit card data from payment terminals at hundreds of Subway restaurants and other merchants across the US led to the compromise of more than 146,000 payment cards and more than $10m in losses. Two of the four Romanian nationals charged who were extradited to the US in May have confessed their involvement.

Iulian Dolan, 28, of Craiova, Romania, pleaded guilty to conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud. Cezar Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit access device fraud. As part of a plea-bargaining agreement each agreed to plead guilty in return for lesser sentences.

The US Dept of Justice reports Dolan had hacked into these systems to install keystroke logging applications, which then recorded card data from swiped cards before transferring this information to dump sites. Dolan had to crack passwords in some instances in order to circumvent the remote desktop applications, which in normal use were used to update the software on POS terminals.

Butu has admitted to attempting to make fraudulent transactions using the stolen credit card data as well as selling the plastic cards data to co-conspirators. The confessions implicate alleged ring-leader Adrian-Tiberiu Opera, a Romanian national extradited to the US and awaiting trial in New Hampshire over his alleged involvement in the scam.

The damage done to Subway — and in particular to the small businesses involved in the data breach can be significant if not devastating. Smaller companies don’t often have the resources to absorb the financial damage caused by the incident. The average data security breach is $20,000. Just one breach can cost the merchant business tens of thousands of dollars in fines, audit expenses, and card monitoring and replacement costs.

The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.

According to the Ars Technica report, many of the Subway franchises were provided access to some more advanced data security measures, but chose to disregard them for one reason or another, whether it was to speed up processes or just out of convenience.

This raises attention to PCI Compliance and what companies need to do to comply with the set industry standard established by Visa/MasterCard/Discover/Amex/JCB, because if you’re not in compliance, you’re putting your entire business at risk. The Payment Card Industry Data Security Standard (PCI DSS) must be met by any merchant that accepts credit cards, debit cards, and/or EBTs.

A successful business is based on trust between you and your customers. PCI compliance helps establish that important level of trust and feeling of security for consumers who entrust their sensitive credit or debit card information to be safe with you.

PCI compliance is an ongoing process and a series of best practices that help protect your corporate security and the sensitive personal data of your customers.

Merchant Express® provides the education, assistance and services that all of our merchants require to achieve and maintain PCI compliance — one of the most effective measures for locking down data security. Never underestimate the ability of PCI compliance to improve a company’s protection standing. It may be simpler than you think and it should never be ignored.