Despite cybersecurity and payment card protection taking center stage in the media over the last 12 months, there are still plenty of myths, misguided beliefs and poor practices dominating discussions. Likely driven by fear and anxiety, and nurtured by a lack of understanding of technology, corporate executives take any cybersecurity information as scripture and use incorrect statements to fuel data security procedures, policies and solution procurements.
This is a problem not only for customers whose data is on the line: merchants and retailers are also at risk of paying massive fines and fees if their payment card protection measures fail to keep personal, payment and other sensitive information out of the hands of fraudsters and cybercriminals. These businesses, therefore, need a lesson in data security, and first things first, merchants should uncover the facts about security, payment card data and cybercrime.
Here are five facts that all merchants and retailers should understand before they start developing cybersecurity protocols, procuring payment processing solutions and deploying data protection tools.
1. EMV won't stop fraudulent activities
Championed as the best way to prevent in-person fraud, Europay, MasterCard and Visa introduced chip-based payment cards to the world – over a decade ago. By Oct. 1, U.S. retailers were faced with either complying with EMV standards or assuming liability of any fraudulent transactions. However, no business should confuse EMV cards with data security, especially in regard to fraud.
Computerworld reported on a conference call held by the National Retail Federation in which Mallory Duncan, general counsel for the organization, asserted that chip-based payment cards will not put an end to card-not-present fraud. Because retailers in the U.S. must only collect a signature – and not a PIN – when consumers use these new credit and debit cards, if fraudsters find an EMV-supported card, they can buy products and services online, over the phone or even in stores.
The best option for U.S. merchants and retailers is to find payment processing and security solutions that leverage additional layers of fraud protection, and this solution makes sense for businesses in other countries as well.
2. Hackers will get in if they haven't already
There is no foolproof method for completely securing corporate IT systems. Whether it's a staff member leaving a password on a sticky note attached to his or her laptop, an employee falling victim to phishing or simply a hacker circumventing a firewall, there are hundreds of ways inside enterprise networks. Add in the prevalence of mobility and a lack of mobile security, and the number of entry points quadruples. Simply put, hackers are persistent and have the ability to gain access to any Internet-connected network.
The only solution for merchants and retailers is to protect payment card data itself through encryption or tokenization. After all, fortifying perimeters is a PCI requirement, but what businesses need to secure is the information within those perimeter walls, so it stands to reason that the more defensive measures, the better.
3. Retailers with legacy systems are primary targets
While EMV isn't the end-all and be-all of payment card security, the Oct. 1 deadline provides merchants with a good reason to upgrade point-of-sale and payment processing systems. This is critical, as hackers tend to target businesses with legacy solutions, Randy Vanderhoof, director of the EMV Migration Forum, told the Boston Herald. After all, sophisticated cyberthreats call for even better data protection tools.
Regardless of whether a business wants to support EMV or not, it should turn to a cutting-edge payment processing and security solution to avoid the inherent security issues present within legacy systems. With new tools that support cybersecurity capabilities such as tokenization, merchants will have better defenses than the typical retailer with an old system that doesn't disguise data. That will be apparent to hackers as soon as they infiltrate a corporate network.
4. Businesses are only as safe as their weakest third-party partner
If cybercriminals gain access to a third party's networks, they can easily make their way to partners' systems. Take the Target data breach, for example. KrebsOnSecurity recently found evidence that cybersecurity consultants were able to compromise one machine on Target's network, allowing them to access cash registers in completely different locations. Meanwhile, the source identified the original cause of the 2013 breach: An HVAC repair firm working with the brand was compromised thanks to malware, and as a result, the cybercriminals connected to Target's network.
Of course, merchants and retailers cannot deploy new payment card protection tools on their partners' networks. What they can do is focus on securing payment card data by obscuring its true form with encryption or tokenization. Additionally, it can't hurt to put that data on a segmented network, preventing a complete network compromise.
5. Cybercriminals want more than just payment card numbers
Merchants and retailers know the importance of payment card data protection – the Payment Card Industry makes their standards very clear – but that isn't the only information that businesses must secure. Ryan Wilk, director of customer success at NuData Security, told Credit.com that "credit card fraud is passé" because hackers typically need more than just card numbers to commit fraudulent transactions. Now, cybercriminals look for Social Security numbers, addresses and bank account information.
In brief, merchants and retailers need to protect all information that is typically stored in SAP environments and other IT systems.