In 2014, retail data breaches were constantly in the news, and 2015 is proving to be just as prolific with respect to the compromise of customer data. According to Experian’s “2015 Second Annual Data Breach Industry Forecast,” retail will hold the lead position among sectors targeted, and small and midsize businesses (SMBs) within the industry may be the most vulnerable. However, new Europay, MasterCard and Visa (EMV) standards call for the widespread use of chip cards in the U.S. for an added layer of security, matching those that have been used in the European market for years. Once U.S. retailers shift to this standard, it should be easier for organizations to protect customer data.
But the shift to EMV payments won’t be easy. The Experian report specifically noted the relatively high cost of implementation for these new technologies as a key vulnerability to SMB security. Larger retailers are able to fund the shift to the more secure chip-and-PIN standard — mandatory by October 2015 — but smaller businesses may be left out in the cold.
What Retailers Need to Know
“When the shift to chip-and-PIN occurs in October, it will be considered the highest level of security available, despite its multiple vulnerabilities. Starting in October, out of all parties involved in a data breach, whoever has the lowest level of security will be held liable,” explained James McMurry, the CEO and founder of Milton Security. “For this reason, credit card companies and retailers will all feel as though they are shielded from repercussions. What retailers don’t realize is that the credit card companies are going to win that fight. Retailers need more than just chip-and-PIN machines to be secure.”
Indeed, compliance with the new standard does not equal security. EMV technology should reduce the number of fraudulent credit card transactions, but that does not mean the network infrastructure and data controls around the terminal are equally secure. “Point-of-sale (POS) systems, the heart of retail, still to this day are run to a large extent on Windows XP systems,” McMurry said. “In addition, quite a number of the applications (POS software) are improperly secured and have remote access turned on so the POS software company can assist with issues. These systems are at the heart of the credit card transactions: improperly secured, remote access capability turned on, and the POS vendors are using (in one example we have in our lab right now) their company name as the user name and password to the administrator side of the XP Embedded OS.” Those are all significant risks that could wind up costing SMBs.
SMB Security Tips
With the window for adoption of EMV closing rapidly, the SMB must bite the bullet and upgrade its POS to accept EMV-protected transactions — unless it’s prepared to move to a cash-only transaction model. According to The New York Times, the adoption of EMV in Europe resulted in a 65 percent reduction in card fraud. So while the transition is money well spent, retailers must step beyond POS compliance and review — and more importantly, understand — their network architecture so that the key points where customer data is at risk are identified and mitigated.
SMB security implementation does not require herculean efforts. It does, however, require the institution of processes and procedures that reduce the risk of data loss to as close to zero as possible. For instance, recent malware infections within retail POS systems occurred when associates browsed the Internet from the POS terminal and fell victim to targeted phishing emails carrying POS malware payloads embedded in PDF or MS Word attachments. Retail POS systems must also interact with other programs; for an SMB, the POS typically communicates with a third-party payment gateway, and that transaction must be handled in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS).
While EMV will require an upgrade of POS technologies, if an SMB’s back end involves antiquated technologies that have been declared “end-of-life,” that organization is accepting unnecessary risk. While we would like there to be a magic box for SMB security, the reality is that retailers must dedicate resources to security at the same level they are investing resources in compliance. Compliance certifications are snapshots in time, whereas security implementation must be both dynamic and omnipresent. New threats will rear their heads repeatedly, and compliance standards will lag behind the real-time work of actually securing customer data.
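The risks described above (end-of-life Windows XP terminals, vendor remote access left on, the vendor's own name reused as the administrator credential, associates browsing the Internet from the lane, and terminals that can reach more than their payment gateway) are all things an SMB can check against its own asset inventory before it spends on EMV hardware. The script below is an added example, not code from the article or from Milton Security: it audits a constructed POS inventory and lists the findings per terminal. The asset record fields, the end-of-life OS list and the sample terminals are all assumptions made for illustration.

```python
"""Audit a POS asset inventory for the risks the article describes.

Added example, not from the article or from any vendor. All records, field
names and the EOL list below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: operating systems this audit treats as end-of-life. Windows XP
# left extended support in April 2014; XP Embedded variants are grouped with it.
EOL_OPERATING_SYSTEMS = {"windows xp", "windows xp embedded"}

# Assumption: password values an installer commonly leaves in place.
WEAK_PASSWORDS = {"admin", "password", "1234", "posadmin"}


@dataclass
class PosAsset:
    """One POS terminal as recorded in the (constructed) inventory."""
    name: str
    os: str
    vendor: str
    admin_user: str
    admin_password: str
    remote_access_enabled: bool
    internet_browsing_allowed: bool
    payment_gateway: str
    egress_allowed_to: list[str] = field(default_factory=list)


def _is_vendor_name(asset: PosAsset, value: str) -> bool:
    """True when a credential is just the vendor's name (case/space-insensitive)."""
    normalize = lambda s: s.lower().replace(" ", "")
    return normalize(value) == normalize(asset.vendor)


def assess(asset: PosAsset) -> list[str]:
    """Return one human-readable finding per risk present on the terminal."""
    findings: list[str] = []
    if asset.os.lower() in EOL_OPERATING_SYSTEMS:
        findings.append(f"{asset.name}: end-of-life OS '{asset.os}' no longer receives patches")
    if asset.remote_access_enabled:
        findings.append(f"{asset.name}: vendor remote access is enabled on the terminal")
    weak_user = _is_vendor_name(asset, asset.admin_user)
    weak_pass = (_is_vendor_name(asset, asset.admin_password)
                 or asset.admin_password.lower() in WEAK_PASSWORDS
                 or asset.admin_password == asset.admin_user)
    if weak_user or weak_pass:
        findings.append(f"{asset.name}: administrator credential is a vendor default or trivially guessable")
    if asset.internet_browsing_allowed:
        findings.append(f"{asset.name}: general Internet browsing is allowed from the POS terminal")
    extra = [h for h in asset.egress_allowed_to if h != asset.payment_gateway]
    if extra:
        findings.append(f"{asset.name}: egress permitted beyond the payment gateway: {', '.join(extra)}")
    return findings


def assess_inventory(assets: list[PosAsset]) -> dict[str, list[str]]:
    """Map each terminal name to its findings."""
    return {a.name: assess(a) for a in assets}


def prioritize(assets: list[PosAsset]) -> list[str]:
    """Terminal names ordered by finding count, riskiest first, for remediation planning."""
    report = assess_inventory(assets)
    return sorted(report, key=lambda n: len(report[n]), reverse=True)


# Constructed sample inventory: one terminal matching the article's lab example
# and one that has been hardened. Vendor and hostnames are placeholders.
SAMPLE_INVENTORY = [
    PosAsset("lane-01", "Windows XP Embedded", "Acme POS", "acmepos", "acmepos",
             remote_access_enabled=True, internet_browsing_allowed=True,
             payment_gateway="gateway.example", egress_allowed_to=["gateway.example", "0.0.0.0/0"]),
    PosAsset("lane-02", "Windows 10 IoT", "Acme POS", "lane02-admin", "Cz9!rq4-Vw2#lane",
             remote_access_enabled=False, internet_browsing_allowed=False,
             payment_gateway="gateway.example", egress_allowed_to=["gateway.example"]),
]

if __name__ == "__main__":
    for name in prioritize(SAMPLE_INVENTORY):
        findings = assess_inventory(SAMPLE_INVENTORY)[name]
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running it lists five findings for `lane-01` and none for `lane-02`; the ordering from `prioritize` is what a small retailer would use to decide which lanes to isolate or rebuild first, and the egress check is the part that most directly enforces the PCI DSS expectation that a terminal talks to its gateway and little else.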
The implementation of these processes and procedures by the rank and file of the company requires the education and training of users and personnel, with special emphasis on the “why” behind each measure. Train your personnel, implement the most secure infrastructure your budget permits and verify that the result is actually secure. Such thorough SMB security will lead to a more compliant engagement for the retailer and a more secure experience for consumers.