Light Dark
June 26, 2015 By Christopher Burgess 3 min read
CISO
Retail
Risk Management

In 2014, retail data breaches were constantly in the news, and 2015 is proving to be just as prolific with respect to the compromise of customer data. According to Experian’s “2015 Second Annual Data Breach Industry Forecast,” retail will hold the lead position among sectors targeted, and small and midsize businesses (SMBs) within the industry may be the most vulnerable. However, new Europay, MasterCard and Visa (EMV) standards call for the widespread use of chip cards in the U.S. for an added layer of security, matching those that have been used in the European market for years. Once U.S. retailers shift to this standard, it should be easier for organizations to protect customer data.

But the shift to EMV payments won’t be easy. The Experian report specifically noted the relatively high cost of implementation for these new technologies as a key vulnerability to SMB security. Larger retailers are able to fund the shift to the more secure chip-and-PIN standard — mandatory by October 2015 — but smaller businesses may be left out in the cold.

What Retailers Need to Know

“When the shift to chip-and-PIN occurs in October, it will be considered the highest level of security available, despite its multiple vulnerabilities. Starting in October, out of all parties involved in a data breach, whomever has the lowest level of security will be held liable,” explained James McMurry, the CEO and founder of Milton Security. “For this reason, credit card companies and retailers will all feel as though they are shielded from repercussions. What retailers don’t realize is that the credit card companies are going to win that fight. Retailers need more than just chip-and-PIN machines to be secure.”

Indeed, compliance with the new standard does not equal security. EMV technology should reduce the instances of fraudulent credit card transactions, but that does not correlate to network infrastructure and data controls being equally secure. “Point-of-sale (POS) systems, the heart of retail, still to this day are run to a large extent on Windows XP systems,” McMurry said. “In addition, quite a number of the applications (POS software) are improperly secured, have remote access turned on so the POS software company can assist with issues. These systems are at the heart of the credit card transactions: improperly secured, remote access capability turned on and the POS vendors are using (in one example we have in our lab right now) their company name as the user name and password to the administrator side of the XP Embedded OS.” Those are all significant risks that could wind up costing SMBs.

SMB Security Tips

With the window for adoption of EMV closing rapidly, the SMB must bite the bullet and upgrade its POS to accept EMV protected transactions — unless it’s prepared to move to a cash-only transaction model. According to The New York Times, the adoption of EMV in Europe resulted in a 65 percent reduction of card fraud. So while the transition is money well spent, retailers must step beyond POS compliance and review — and more importantly, understand — their network architecture so the key points of vulnerability where customer data is at risk are identified and mitigated.

SMB security implementation does not require herculean efforts. It does, however, require the institution of processes and procedures to reduce the risk of data loss to as close to zero percent as possible. For instance, recent malware infections within retail POS systems were occurring when associates browsed the Internet from the POS terminal and fell victim to targeted phish emails, which contained POS malware payloads embedded in PDF or MS Word attachments. The retail POS systems must engage with other programs; for the SMB, it may be that the POS communicates with a third-party gateway, and the transaction must be handled in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS).

While EMV will require an upgrade of POS technologies, if an SMB’s back end involves antiquated technologies that have been declared “end-of-life,” that organization is accepting unnecessary risk. While we would like there to be a magic box for SMB security, the reality is that retailers must dedicate resources to security at the same level they are investing resources in compliance. The compliance certifications are snapshots in time, whereas security implementation must be both dynamic and omnipresent. New threats will rear their heads repeatedly, and compliance standards will be left in the dust as the reality of securing the customer’s data is affected in real time.

The implementation of the aforementioned processes and procedures by the rank and file of the company requires the education and training of users and personnel, with special emphasis on the “why” behind each measure. Train your personnel, implement the most secure infrastructure your budget permits and ensure you are secure. Such thorough SMB security will lead to a more compliant engagement for the retailer and a more secure experience for consumers.

 |  |  |  |  |  | 
Christopher Burgess
CEO at Prevendra

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature