Typically, ‘tis the season for joyous shopping. But after the latest POS security breaches suffered by major retailers such as Target and Home Depot, customers seem to suffer from holiday shopping blues: their trust in credit card payments has dropped, and they’re reluctant to return to stores that have been hacked. According to a recent survey by Princeton Survey Research Associates International for CreditCards.com, 45% of respondents owning a credit or debit card would definitely or probably avoid shopping at one of their regular stores if that retailer had experienced a data breach. Also, only one in eight respondents is still likely to shop with credit cards this holiday season.
Moreover, consumers have lost faith not only in the breached retailers but in the whole retail industry, as well as in other types of business that accept credit card payments processed through POS systems.
So how can the industry restore customer trust? Of course, a really good sale could make a shopper forget about their security concerns. But, in the long run, the industry has to make sustained efforts to prevent such breaches from happening. Otherwise, the situation is only going to repeat itself: trust eroded again and again until it’s lost completely.
In this article we’ll look at some of the recent breaches to identify the core elements (or lack thereof) that facilitated the attacks, which, in turn, caused these holiday shopping blues. We will also offer suggestions as to what retailers and the other parties involved can do to restore people’s trust and prevent future breaches.
Lack of encryption. Reportedly, Home Depot’s in-store payment system was not set up to encrypt customers’ credit and debit card data. This lack of basic security made it easier for hackers to perform the breach. While not all attacked retailers presented this issue, the fact that one high-profile retailer did is appalling, since such a fiasco could have been prevented through chip and signature encryption readers already in use. The solution in this case is point-to-point encryption: a crucial measure that ensures customer card numbers are encrypted not only at the entry point but throughout the payment process, up to and including the database in the store’s back office. Encrypting the data in transit, at rest and in memory is the recommended measure in all processes involving sensitive information.
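To make the point-to-point idea concrete, here is an added example in Go (not code from the original article or from any retailer or vendor it mentions) that models the three parties: the card reader encrypts the PAN with AES-256-GCM before anything reaches the POS host, the store only ever holds ciphertext plus a masked PAN, and only the processor can recover the number. The shared key, the terminal ID and the test PAN are assumptions for illustration; real deployments derive per-transaction keys (DUKPT), which this example does not implement.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"strings"
)

// CardCapture is all the POS host and store database ever receive from the reader:
// ciphertext plus a masked PAN for receipts; without the key it yields no card numbers.
type CardCapture struct {
	Nonce, Ciphertext     []byte
	MaskedPAN, TerminalID string
}

// MaskPAN keeps the first 6 and last 4 digits, the most PCI DSS lets a receipt show.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// NewP2PE builds the AES-256-GCM cipher from the key that only the reader's secure
// element and the processor hold (a stand-in for DUKPT, which is not implemented here).
func NewP2PE(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtTerminal runs inside the card reader. The terminal ID is bound as
// associated data, so a capture replayed from another terminal fails to authenticate.
func EncryptAtTerminal(gcm cipher.AEAD, terminalID, pan string) (CardCapture, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardCapture{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(terminalID))
	return CardCapture{nonce, ct, MaskPAN(pan), terminalID}, nil
}

// DecryptAtProcessor is the only point in the flow where the plaintext PAN reappears.
func DecryptAtProcessor(gcm cipher.AEAD, c CardCapture) (string, error) {
	pt, err := gcm.Open(nil, c.Nonce, c.Ciphertext, []byte(c.TerminalID))
	return string(pt), err
}
```

The POS application, the store server and the back-office database all work with `CardCapture` values only; a memory scraper on those hosts sees ciphertext and the masked number, not the PAN.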
Low level of vigilance. The 2014 Data Breach Investigations Report by Verizon shows that 85% of POS intrusions are not discovered for weeks. In fact, in both the Target and Home Depot breaches, the hackers may have gained access to the retailers’ networks as long as six months before the breaches were detected. This raises the question: how vigilant were they? Clearly, every business that accepts credit card payments will have to be ever more vigilant about what happens in their networks – if they’re able to detect anomalies or unusual behavior early on, they can contain the issue and remediate it. Since a network can be accessed from any store in the retail chain that has a server on-site, vigilance needs to start there. Physical network controls should be enabled starting with the network gateways at each retail branch.
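An added example in Go (not from the original article) of the kind of gateway-level check this paragraph calls for: a per-branch egress allowlist for the POS segment, run over a constructed outbound-connection log from a hypothetical store 0042. The network segment, the processor endpoint and all addresses are assumptions for illustration.

```go
package main

import (
	"net"
	"strings"
)

type Alert struct{ Host, Reason string } // a POS-segment host and why it was flagged

type EgressPolicy struct {
	POSSegment *net.IPNet      // the lane terminals' VLAN
	Allowed    map[string]bool // "dst:port" pairs: payment processor, POS vendor, nothing else
}

// SampleLog is constructed for this example: one night's outbound connections seen
// at the gateway of a hypothetical store 0042. Columns: time src dst dport bytes.
var SampleLog = []string{
	"2014-11-20T02:10:05Z 10.42.1.11 198.51.100.20 443 2310",
	"2014-11-20T02:10:09Z 10.42.1.12 198.51.100.20 443 1980",
	"2014-11-20T02:11:40Z 10.42.1.15 203.0.113.77 21 5120",
	"2014-11-20T02:11:41Z 10.42.1.15 203.0.113.77 21 6291456",
	"2014-11-20T02:12:02Z 10.42.9.4 203.0.113.77 21 800",
}

// Analyze walks a branch gateway's outbound log and returns one alert per line in which
// a POS-segment host reached a destination outside the allowlist; other segments
// (back-office PCs, guest Wi-Fi) are governed by other rules and skipped here.
func Analyze(p EgressPolicy, lines []string) []Alert {
	var alerts []Alert
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) < 5 {
			continue // malformed line; a real collector would count these too
		}
		src := net.ParseIP(f[1])
		if src == nil || !p.POSSegment.Contains(src) {
			continue
		}
		if dst := f[2] + ":" + f[3]; !p.Allowed[dst] {
			alerts = append(alerts, Alert{f[1], "egress to unlisted " + dst})
		}
	}
	return alerts
}

// Store0042Policy is the constructed policy for the sample branch: terminals may
// only reach the payment processor over TLS.
func Store0042Policy() EgressPolicy {
	_, seg, _ := net.ParseCIDR("10.42.1.0/24")
	return EgressPolicy{POSSegment: seg, Allowed: map[string]bool{"198.51.100.20:443": true}}
}
```

On the sample log the two FTP connections from terminal 10.42.1.15 are flagged the night they happen, which is the difference between a contained incident and one discovered weeks later.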
No shared responsibility. A National Retail Federation (NRF) survey shows that retail organizations rate customer data theft during breaches as their highest security concern. It shouldn’t come as a surprise, though. Attacks on retailers make the biggest headlines since their stores are known and are visited by customers every day. But if they become targets of POS breaches, the responsibility shouldn’t be theirs only. In the POS attack on the nationwide sandwich chain Jimmy John’s, the investigation revealed that their system was compromised after a hacker stole the login credentials from the company’s POS vendor and used them to remotely access their POS system. Similarly, in the Goodwill POS breach, hackers gained access to the systems of their payment operator (C&K Systems), and through them to Goodwill’s POS system. One may observe that the more parties are involved in credit card payment processing, the greater the likelihood that they blame one another for a potential breach. How can this be avoided? A strong collaboration between the retailer, POS vendor, acquirer and payment processor – all parties involved – must be ensured, to close all potential security gaps. Needless to say, all merchants and companies within this ecosystem, including acquirers, payment processors and issuing banks, must comply with the Payment Card Industry Data Security Standard (PCI DSS), or face stiff penalties.
POS security measures: steps to take starting NOW
Of course, the above may serve as food for thought in future business security developments. The industry needs to make coordinated efforts toward raising security standards and clearly communicating these standards to consumers. What businesses employing POS systems should treat as an immediate action is to communicate more clearly with employees and educate them about:
the POS systems they’re working with (from the POS device, to the terminal and software used)
the third-parties involved (from POS vendors to payment processors to banks)
the security risks at every point in the process.
Another immediate action retailers may consider is to deploy tamper-proof physical mechanisms to protect POS devices, and to have employees check them regularly.