In 2014, retail data breaches were constantly in the news, and 2015 is proving to be just as prolific with respect to the compromise of customer data. According to Experian’s “2015 Second Annual Data Breach Industry Forecast,” retail will hold the lead position among sectors targeted, and small and midsize businesses (SMBs) within the industry may be the most vulnerable. However, new Europay, MasterCard and Visa (EMV) standards call for the widespread use of chip cards in the U.S. for an added layer of security, matching those that have been used in the European market for years. Once U.S. retailers shift to this standard, it should be easier for organizations to protect customer data.

But the shift to EMV payments won’t be easy. The Experian report specifically noted the relatively high cost of implementation for these new technologies as a key vulnerability to SMB security. Larger retailers are able to fund the shift to the more secure chip-and-PIN standard — mandatory by October 2015 — but smaller businesses may be left out in the cold.

What Retailers Need to Know

“When the shift to chip-and-PIN occurs in October, it will be considered the highest level of security available, despite its multiple vulnerabilities. Starting in October, out of all parties involved in a data breach, whoever has the lowest level of security will be held liable,” explained James McMurry, the CEO and founder of Milton Security. “For this reason, credit card companies and retailers will all feel as though they are shielded from repercussions. What retailers don’t realize is that the credit card companies are going to win that fight. Retailers need more than just chip-and-PIN machines to be secure.”

Indeed, compliance with the new standard does not equal security. EMV technology should reduce the instances of fraudulent credit card transactions, but that does not mean the surrounding network infrastructure and data controls are equally secure. “Point-of-sale (POS) systems, the heart of retail, still to this day are run to a large extent on Windows XP systems,” McMurry said. “In addition, quite a number of the applications (POS software) are improperly secured and have remote access turned on so that the POS software company can assist with issues. These systems are at the heart of the credit card transactions: improperly secured, remote access capability turned on, and the POS vendors are using (in one example we have in our lab right now) their company name as the user name and password to the administrator side of the XP Embedded OS.” Those are all significant risks that could wind up costing SMBs.

SMB Security Tips

With the window for adoption of EMV closing rapidly, the SMB must bite the bullet and upgrade its POS to accept EMV-protected transactions — unless it’s prepared to move to a cash-only transaction model. According to The New York Times, the adoption of EMV in Europe resulted in a 65 percent reduction in card fraud. So while the transition is money well spent, retailers must step beyond POS compliance and review — and, more importantly, understand — their network architecture so that the key points of vulnerability where customer data is at risk are identified and mitigated.

SMB security implementation does not require herculean efforts. It does, however, require the institution of processes and procedures that reduce the risk of data loss to as close to zero as possible. For instance, recent malware infections within retail POS systems occurred when associates browsed the Internet from the POS terminal and fell victim to targeted phishing emails carrying POS malware payloads embedded in PDF or MS Word attachments. Retail POS systems must also interact with other programs; for the SMB, this often means the POS communicates with a third-party payment gateway, and the transaction must be handled in a manner compliant with the Payment Card Industry Data Security Standard (PCI DSS).

While EMV will require an upgrade of POS technologies, an SMB whose back end relies on antiquated technologies that have been declared “end-of-life” is accepting unnecessary risk. While we would like there to be a magic box for SMB security, the reality is that retailers must dedicate resources to security at the same level they invest in compliance. Compliance certifications are snapshots in time, whereas security implementation must be both dynamic and omnipresent. New threats will rear their heads repeatedly, and compliance standards will be left behind as the work of securing customer data unfolds in real time.

Implementing the aforementioned processes and procedures across the rank and file of the company requires the education and training of users and personnel, with special emphasis on the “why” behind each measure. Train your personnel, implement the most secure infrastructure your budget permits and verify that you are secure. Such thorough SMB security will lead to a more compliant engagement for the retailer and a more secure experience for consumers.
