In 2015, merchants and retailers should have resilient data protection solutions that secure payment card information from modern threats. After all, cybercrime and fraud are not new to these sectors, and these businesses have had plenty of time to prepare their corporate systems and point-of-sale devices for the influx of malware, phishing attempts and other cyberthreats. Unfortunately, merchants and retailers still lack the cybersecurity measures required to ensure payment card data protection around the clock.
According to PCMag, Brian Krebs, cybersecurity expert and researcher, explained why these companies are not secure enough in a presentation at a Gartner Symposium: There is a disconnect between how merchants and retailers perceive cyberthreats and the actual nature of modern cybercrime.
Krebs explained that in the last couple of years, attacks against POS systems have evolved, and there is now a huge ecosystem built around exploiting transactional and payment processing solutions and selling that data on the Darknet. In essence, the current state of cybercrime and data protection appears less gloomy than it actually is, and EMV adoption only serves to obscure the reality of the situation since these new chip-based payment cards won't put an end to card-not-present fraud and identity theft.
"The biggest problem for retailers is POS malware."
Breach after breach
The biggest problem for retailers, according to Krebs, is POS malware. This should not come as a surprise to any merchants or retailers, especially since this industry continues to experience data breaches caused by compromised POS devices and other retail technologies.
In fact, three KrebsOnSecurity blog posts in a two-week span reported on different POS intrusions that were discovered in late September, early October. For one, the source found the truth behind the Target data breach, confirming many expert cybersecurity opinions that hackers were able to compromise a third-party partner's network. From there, the cybercriminals responsible for the breach jumped from system to system, stealing data from POS machines and insecure, unencrypted databases.
Then, KrebsOnSecurity reported on the Hilton Hotel cyberincident: Hackers infiltrated the POS systems of stores and restaurants owned by the hotel chain. The organization's response only adds to the confusion, as the Hilton Hotel group stated that payment card data theft and fraud are just facets of conducting business in 2015.
Likewise, the Trump Hotel Collection released a statement reporting that it had been compromised for just over a year before identifying the intrusion. The message was eerily similar to Hilton Hotel's.
"As is the case with many other companies, some hotel properties managed by the Trump Hotel Collection may have been the victim of a data security incident," the Trump Hotel Collection's Incident FAQ read.
POS malware is the retail industry bully
Organizations seem to understand that data breaches are inevitable, but at the same time, they fail to properly defend against POS malware, which is only becoming more sophisticated as 2015 passes. Take Trojan.MWZLesson, for example. It is much more threatening than the typical POS trojan from a decade ago.
According to Doctor Web security researchers, Trojan.MWZLesson not only checks POS device's random access memory for payment card information, but it automatically sends that data to the hacker responsible. If that isn't enough to convince merchants to encrypt all of the payment card information in their possession, then perhaps this will: Trojan.MWZLesson can steal requests from Web browsers, download and run other files, perform updates and affect computers connected to POS systems, meaning that SAP environments would be at risk.
Solutions to sophisticated cyberthreats
Of course, there are many more examples of recently discovered dangerous POS malware, but the point is not that there are too many to defend against. In fact, it is quite the contrary. There are numerous steps that merchants and retailers can take to protect payment card information from sophisticated cyberthreats.
Krebs explained that network segmentation is critical, according to PCMag. POS systems should be segregated from other in-store retail technologies, mission-critical applications and databases that contain payment card data. After all, the No. 1 attack vector involves moving across networks, so this will defend against that.
Furthermore, since the current approach to payment card data protection relies on hardening network perimeters and fortifying devices rather than securing the information itself, merchants and retailers should start to deploy encryption and tokenization solutions should be a core component of retail industry security. Not only will this help businesses adhere more closely to Payment Card Industry Data Security Standards, but this will ensure that even when breaches occur, data will remain secure and unreadable by cybercriminals.
Merchants and retailers certainly have more than just POS malware to worry about, but many of the best payment card data protective measures prevent multiple attack vectors at once. At the end of the day, securing information over systems will lead to cybersecurity success.