In spite of continuous efforts to improve the security of credit card transactions by both the financial services and retail industries, we see nearly endless headlines about new card data breaches. Banks want to improve security to avoid incurring the expenses associated with fraudulent purchases and investigation efforts. Consumers want to improve security so they don’t have to deal with the hassle of reporting and managing the repercussions of credit card fraud. Meanwhile, merchants want to protect their customers and make it easy for consumers to purchase goods, as they manage their tight cash flow and margins. Let’s review some efforts that merchants are undertaking to protect their sensitive data and hear about some new ways to better protect consumers.
Protection Efforts
October 2015 is the deadline for Europay, MasterCard, VISA (EMV) card implementation for all U.S. credit card merchants. The intention behind EMV is to reduce credit card fraud by using cards with an embedded chip that safely stores card data and, in some cases, requires the user to provide a personal identification number (PIN) to complete a transaction. Most of Europe has already been using EMV for years, and it has been shown to reduce fraud for card-present transactions. The implementation of EMV cards also has another, less obvious objective: it shifts the liability for credit card fraud away from the banks and card issuers and moves more liability to merchants. EMV offers consumers more protection, but it also has wide-ranging ramifications for merchants. Once the EMV data is on the point-of-sale (POS) system, merchants must protect it, and this requires additional cyber security investments. EMV will also shift more credit card fraud to online transactions where the card is not present, increasing risks to any business that processes payments online.
The newest revision of the Payment Card Industry Data Security Standard (PCI DSS) 3.1 requires merchants that accept credit cards to use stronger encryption for data-in-transit. Unfortunately for merchants, this requirement is not explicit for critical POS data pathways, such as POS machine to store server, payment application to POI device, and payment application to payment gateway, leaving these portions of the payment processing network open to many forms of cyberattack.
Most of the world’s credit card data passes through a POS system, making it a very critical cyber asset. POS systems are purpose-built systems with the dedicated function of collecting cardholder information and transmitting it for payment. Therefore, if a POS system starts to transmit data to an unapproved destination, it should be reviewed for malicious activity.
Many attackers pull the data and direct it to their desired repository – it could even be inside the approved network and later scraped to the outside. Although the function of POS devices sounds simple, there is a range of cyberattack vectors affecting these devices. As a matter of fact, POS malware is so prevalent that hundreds of variants are widely available on the black market, including:
- Malware (like Alina [Trackr], MalumPoS, vSkimmer [successor to Dexter], BlackPOS) targeting card data while it resides in the POS device
- Malware targeting card data while it is being transmitted to the POS processor
- Malware targeting card data on the POS server
From a technical point of view, this means data can be taken at several points in the payment process: while it is on the physical device, while it is traversing the network used to transmit the payment data, while it is being processed by the payment processing software applications, and through vulnerabilities in the physical systems where the payment data resides. In addition to cybersecurity controls recognized by the industry as best practice (20 CSC, or PCI controls), merchants should also consider implementing specific POS protection mechanisms to combat malware targeting POS networks. This is especially true as retailers approach their busiest season. During the holiday season, many retailers “freeze” their networks and POS systems to assure high performance and reliability to support the dramatic increase in transaction volume. Unfortunately, cybercriminals know about network freezes and use them to their advantage. If they can find vulnerabilities to exploit in payment systems or networks, they will have the long window of the holiday shopping season to exfiltrate valuable credit card data as long as they can remain undetected during the cyberattack.
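
The review rule described earlier (a POS system transmitting to an unapproved destination, including a staging host inside the network) can be checked against flow records. The following is an added example, not Tripwire's rules or code from the original post; the POS subnet, addresses, ports and log format are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed values for illustration: POS subnet and the only approved payment paths.
POS_NET = ipaddress.ip_network("10.20.1.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED = {
    ("10.20.0.5", 8443),    # store server (hypothetical)
    ("203.0.113.10", 443),  # payment gateway (hypothetical, documentation range)
}

# Constructed flow records: time, source, destination, destination port, bytes sent.
SAMPLE_FLOWS = """\
2015-11-27T09:00:01 10.20.1.11 10.20.0.5 8443 1840
2015-11-27T09:00:02 10.20.1.11 203.0.113.10 443 2210
2015-11-27T09:03:40 10.20.1.12 10.20.7.44 445 98304
2015-11-27T09:03:55 10.20.1.12 10.20.7.44 445 65536
2015-11-27T09:10:12 10.20.1.13 198.51.100.77 80 51200
2015-11-27T09:11:00 10.20.7.44 198.51.100.77 80 163840
"""

def parse_flows(text):
    """Yield (time, src, dst, dport, nbytes) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, dport, nbytes = parts
        yield ts, src, dst, int(dport), int(nbytes)

def unapproved_pos_flows(flows):
    """Group POS-originated traffic to unapproved destinations by (src, dst, port)."""
    findings = defaultdict(lambda: {"flows": 0, "bytes": 0, "first_seen": None, "scope": None})
    for ts, src, dst, dport, nbytes in flows:
        if ipaddress.ip_address(src) not in POS_NET:
            continue  # only POS terminals are in scope for this check
        if (dst, dport) in APPROVED:
            continue  # approved payment path
        f = findings[(src, dst, dport)]
        f["flows"] += 1
        f["bytes"] += nbytes
        f["first_seen"] = f["first_seen"] or ts
        # An internal destination may be a staging host, so it is reported, not ignored.
        f["scope"] = "internal" if ipaddress.ip_address(dst) in INTERNAL_NET else "external"
    return dict(findings)

if __name__ == "__main__":
    for (src, dst, port), f in unapproved_pos_flows(parse_flows(SAMPLE_FLOWS)).items():
        print(f"REVIEW {src} -> {dst}:{port} [{f['scope']}] flows={f['flows']} bytes={f['bytes']}")
```

The last sample record, an internal non-POS host sending data outside, is not flagged by this POS-scoped check, which is why any internal host a terminal unexpectedly talks to needs its own egress review.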
Delivering Out-Of-Box POS Protection
Nonetheless, cybersecurity is not one-size-fits-all and POS systems pose unique cybersecurity challenges. To this end, we at Tripwire have created a unique and exclusive set of POS threat detection and prevention rules. These rules detect specific POS attack behavior associated with the most virulent forms of POS malware, such as memory scraping, network sniffing or network changes associated with the exfiltration of payment data. Because POS malware is constantly mutating, detection of these attacks is based on specific behaviors rather than on simple file signatures, as in many anti-virus products. In addition to these specific POS rules, Tripwire Enterprise will also monitor POS systems for changes that should be investigated for malicious intent.
Early detection of POS cyberattacks is one of the most difficult challenges facing retailers; the 2015 Verizon Data Breach Report notes that retail POS attacks typically take weeks to months simply to detect. The Tripwire Enterprise POS Threat Protection rules and policies make it possible to detect POS attacks as they occur, dramatically reducing the potential for massive damages and accelerating the time to recovery. The time between POS compromise and detection is crucial for merchants; the longer cyber attackers are resident on the payment network, the greater the damage they can inflict.
POS devices will continue to be a critical asset for merchants to protect. POS protection is core to the merchant’s bottom line. Cyber attackers will not be going away. Investigating new ways to protect these assets is a part of doing business as a merchant. Merchants, learn more about the Tripwire POS Threat Protection or check out the demonstration. Consumers, ask your merchant what kind of POS controls they have in place – after all, this is your credit card data at risk.