I don’t often write about individual data breaches, but when I read a comment in eSecurity Planet that point-of-sale (PoS) breaches are increasing because of continuing security shortfalls in the retail industry, I thought it was time to comment.
In an email comment, Richard Henderson, global security strategist with Absolute Software, told me:
An interesting side note here is that Chipotle encourages customers to pay with cards in order to speed up transactions and keep their long lines moving fast… it’s no wonder they were targeted by cybercriminals.
This comment caught my eye because this push toward using credit cards isn’t just a Chipotle thing. I get nasty looks from both cashiers and customers whenever I hand over cash for a payment, and the cashier asks several times if am I sure I don’t want to use plastic. Yet, even with credit card payments being all but mandatory in retail, PCI compliances, and the focus on EMV chip adoption, companies are still failing to keep credit card data secure.
These increasing attacks on PoS systems only hurt businesses in the long run. A new survey conducted by Gigya found that 68 percent of consumers are concerned about how brands use their personal data and 69 percent are worried about security and privacy risks. Another 63 percent said that it is time for them to take their security into their own hands – and that could mean no longer doing business with an organization that compromised their personal records. That’s very bad news for any company, but especially one that has had its share of customer snafus.
Has the time come to rethink the way to approach credit card protections? John Christly, global CISO with Netsurion, said yes, telling me in an email comment:
Breaches like Chipotle’s reiterate that multi-location restaurant security requires a new approach, beyond maintaining PCI compliance and implementing a managed firewall, which are absolute essentials. Unfortunately, many products and service providers simply do not have the ability to stop cybercriminals before they do real damage.
To achieve a high level of protection, Christly recommended implementing the following technologies as part of a comprehensive ‘toolbelt’:
- File integrity monitoring (to tell you when files have changed that weren’t supposed to change)
- Unified threat management appliances (used to integrate security features such as firewall, gateway antivirus and intrusion detection)
- Security information and event management (used to centrally collect, store, and analyze log data and other data from various systems to provide a single point of view from which to be alerted to potential issues)
- Next-generation endpoint security solutions (used to stop attacks on the endpoint computers and servers before they can wreak havoc on other systems)
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba