Download our in-depth report: The Ultimate Guide to IT Security Vendors
It's a tough time to be a retailer. Massive point-of-sale (POS) breaches continue to make headlines on a regular basis, and they can have a significant impact on consumers' trust in a company and its brand. Just recently, the Hudson's Bay Company (HBC), owner of retailers Saks Fifth Avenue, Saks OFF 5th and Lord & Taylor, acknowledged that an undisclosed number of customers' payment card data had been stolen, and HBC shares fell more than 6 percent in response to the news.
According to security firm Gemini Advisory, the Fin7 hacker group stole data on more than five million credit and debit cards that had been used at HBC credit card terminals beginning in May 2017. "Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised," the firm wrote in a blog post examining the breach.
Don Duncan, security engineer at NuData Security, told eSecurity Planet by email that POS systems are often dangerously easy to penetrate with malware. "Malicious software like PoSeidon, Alina, vSkimmer, Dexter and FYSNA are uploaded to gather credit card information to send it back to the cybercriminal's server," he said. "Another kind of point-of-sale malware discovered by researchers at Forcepoint hides behind DNS requests to steal credit card data, which makes it a little more stealthy and harder to detect."
And while some advanced threats target zero day vulnerabilities, far more simply take advantage of unpatched systems. Many forms of POS malware are designed to exploit known vulnerabilities that have had patches available for months, Thycotic chief security scientist Joseph Carson said by email.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"This is in addition to allowing users to use POS systems for common end user tasks such as checking email or surfing the Web," Carson said. "This type of poor security practice should be avoided at all costs, as it exposes the company to easily become a victim of cybercrime."
And just protecting your perimeter won't keep you safe. "It is imperative that companies implement a multi-layered approach to security, incorporating artificial intelligence, machine learning and device intelligence to protect customer data from being compromised in the event an initial breach occurs," Simility co-founder and CTO Kedar Samant said.
PCI DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS), one of many compliance regulations affecting companies in just about every industry, covers basic requirements for point-of-sale endpoint security, including the use of a firewall, changing passwords from vendor-supplied defaults, protection of stored data, encrypted transmission of sensitive data, use of antivirus software, restriction of physical access to payment card data, and more.
Multi-factor authentication is also required for remote access. "Having multiple factors to help ensure only authorized personnel are able to access appropriate resources goes a long way toward securing environments, but only if taken as one of many security layers in depth," Aaron Reynolds, vice president for payments advisory and assessments at Coalfire, said by email.
And that speaks to a larger point regarding PCI compliance: Simply checking the boxes won't ensure effective protection of every situation. "The PCI SSC standards have continually improved and strive to keep up with the changing threat landscape, but it is always incumbent on the merchant to understand the risks relevant to their environment and implement appropriate security measures," Reynolds said.
Still, PCI can be a great start – Reynolds said he hasn't seen a single major data breach where post-breach analysis didn't show a lack of sufficient security controls that were specifically addressed by PCI DSS.
Three steps to an ideal POS security solution
Perhaps the three most important factors in protecting cardholder data, Reynolds said, are tokenization, encryption, and fraud prevention – which means an ideal security solution, particularly for SMBs, would include tokenization, point-to-point encryption (P2PE) and EMV. "The three together are still not a security 'silver bullet,' but they go a very long way toward the ability for a merchant to maintain a secure and maintainable environment," he said.
Ruston Miles, founder and chief strategy officer at Bluefin Payment Systems, said smaller retailers in particular have to understand that EMV alone is not enough – it can reduce the successful use of fraudulent cards at the point of sale, but it won't prevent the POS device from leaking data as a result of malware or other cyber threats. "Unfortunately, this has been the case in many recent high-profile breaches where EMV/chip card terminals were in use," he said.
Add P2PE and tokenization to the mix, Miles said, and you're in much better shape. "Tokenization replaces the card data with a token or reference number so that if a hacker gains entry to the POS system, all they get is useless token numbers that they cannot use to commit fraud or sell on the dark Web," he said.
Tokenization and P2PE, Miles said, are the one-two punch of an approach to card data security called data devaluation. "The idea is that, if a card is encrypted while it's moving through the POS and tokenized if it is stored on the POS, then it's useless to hackers and protects the retailers from the potentially devastating effects of a breach," he said.
Security training for retail employees
Because methods of attack are constantly evolving, it's critical that your cyber security teams are sufficiently funded, with adequate staffing and training, Imperva CTO Terry Ray said by email. Cyber security is often underfunded until a company is breached, at which point some additional funding will be allocated – but security teams remain generally small and stretched thin. Higher budgets, better staffing and ongoing training are key.
And that's not just true for your security team. It's critical to engage your employees in improving security, Coalfire's Reynolds said. "Employees have to maintain secure access, passwords, and several other security best practices to prevent breaches into their systems," he said. "Annual or regularly occurring training is key to keeping employees knowledgeable and up to date in a dynamically changing cyber environment."