Criminals love credit cards. As a new white paper from Symantec pointed out, credit card-related theft is one of the earliest types of cybercrime, and as we’ve seen by the recent retail breaches, credit and debit cards remain a prime target. The white paper added that Point of Sale (POS), the point at which the retailer first gathers credit card data, has become a favorite way for the bad guys to steal the data. The reason they like it so much is simple: Security hasn’t kept up with technology. These gaps make it easier than ever for thieves to take aim at retail credit card data by using POS malware.
In a Symantec blog post, Orla Cox explained:
POS malware exploits a gap in the security of how card data is handled. While card data is encrypted as it’s sent for payment authorization, it’s not encrypted while the payment is actually being processed, i.e. the moment when you swipe the card at the POS to pay for your goods. . . . Most POS systems are Windows-based, making it relatively easy to create malware to run on them.
I’ve heard stories of class-action suits against Target for the credit card breach, and I’ve heard many people say they wouldn’t shop in Target again because of the breach. As Symantec’s research clearly shows, however, this type of breach can happen to any company that accepts credit and debit cards.
I’m a huge sports fan, and one thing I’ve learned over the years is that championships aren’t won by one player alone. Take last night’s Super Bowl, for instance. Peyton Manning has been showered with almost all of the blame for Denver’s loss, and yes, while he tossed a few interceptions, he wasn’t responsible for keeping Seattle from scoring. Nor is he responsible for his receivers running foolish routes after a catch. Everybody has to work together or the game plan falls apart.
Retail security isn’t much different from the team-sport concept. In a letter to the U.S. Senate Committee on Banking, Housing & Urban Affairs Subcommittee on National Security and International Trade and Finance, the Retail Industry Leaders Association (RILA) stated:
While retailers understand and manage their internal systems and security, they have little or no influence over the actions taken by other players in the payments universe, actions with enormous implications on fraud. Instead, retailers must rely on others in the payments ecosystem to dictate critical security decisions, including card technology, retailer terminals, and when data can be encrypted during the transmission between retailers and the card networks. Retailers have long argued that the card technology in place today is antiquated and because of that criminals can use stolen consumer data to create counterfeit cards with stunning ease. For years, retailers have urged banks and card networks to adopt the enhanced fraud prevention technology in use around the world here in the United States. While their resistance to doing so has been great, retailers continue to press all other stakeholders in the payments system to make this a priority.
We know how the bad guys are accessing credit card data, and they will continue to breach this information for as long as they are able, no matter how large or small the company. It’s time for everyone in IT security to focus as a team and work together to create a more secure payment system.