June 11, 2015
The point-of-sale (POS) breaches that plagued retailers in 2014 are back with a vengeance this year, writes Patrick Sweeney, Dell Security executive director, at cio.com.
POS systems comprise the hardware and software that retailers use to complete business transactions. A breach is an attack by cyber criminals to steal confidential information such as 16-digit payment card numbers, but other POS data such as personally identifiable information and merchant ID numbers are stolen too. This information is often sold in underground markets and used for identity theft and fraud.
Here’s what every business needs to know about point-of-sale breaches and POS fraud.
Easy Targets. Cyber criminals target POS systems because they’re so widely available. Half of the world’s credit card fraud occurs in the U.S. (which is the world’s single largest user of payment cards).
Technology. The dated magnetic strip technology is still widely used in North America, but that's about to change. Any retailers who want to use credit and debit cards must adopt EMV Chip and PIN technology by October of this year if they haven't already. The PCI (Payment Card Industry) Security Standards Council provides information on PCI compliance. The encrypted code technology of EMV cards, combined with PIN protection, will make transactions 700 times more secure, according to an article at privacyassociation.org. But as the deadline approaches, cyber criminals will likely increase their attacks on POS, warns Experian's 2015 Second Annual Data Breach Industry Forecast.
All Retailers at Risk. While large retail breaches seem to dominate the headlines, small and medium-sized businesses are also victims, according to this pcworld.com article. Smaller retailers are a target because their POS systems are usually not as well safeguarded as larger systems. In 2014, the average cost per lost or stolen record was $201, according to the Ponemon 2014 Cost of Data Breach Study: United States report.
Quick-minded Criminals. Security experts say that once Chip and PIN technology is adopted, it won't be long before cyber thieves find new vulnerabilities to target. Either way, retailers are encouraged to improve the security of their infrastructure and have an incident response plan in place.
Internet Connection. The Cisco 2014 Midyear Security Report on Industry Trends said that being connected to the Internet provides criminals with a point of entry to corporate networks. Unless a POS system needs Internet access, industry experts recommend that it be completely firewalled from the Internet and WiFi to prevent external threats.
Variety of Attack Methods. A SANS Institute whitepaper explains that attack methods include skimming and memory scraping, which intercept payment card data. Another way criminals get access to a network is to send a malicious attachment or link in a spear-phishing email to an individual in a company. That’s why it’s important to educate employees about both attack methods and information security best practices in the workplace.
Third Parties. The SANS Institute whitepaper said that third parties can be a weak link in an organization's data security armor. Third parties are usually small businesses that think they won't be targeted and are therefore lax in information security. Choose reliable and security-minded third-party vendors.