POS systems are a hot target for data thieves. The complexity of payment systems makes it difficult to block all threats. Much like a game of Whack-A-Mole, by the time one weak spot is patched, hackers are already on to the next con.
As a payment service provider, you need a security solution that takes care of you and your merchants. With attention to fraud trends and some smart planning, that’s a goal you can achieve. Three top causes for POS data breaches are stolen credentials, insecure remote access, and merchant carelessness. Read on to find out how you can protect your merchants.
1. Stolen Credentials: Watch Where You Click
In 2017, 65% of retail breaches involved stolen credentials. Keeping login credentials secure is critically important, but it remains a weak spot. Despite publicity and educational efforts, people continue to fall for phishing emails. Last year, 7% of phishing email recipients opened a fraudulent attachment. While not all these incidents resulted in breaches, it still shows a lack of risk awareness. HR and accounting departments are particular targets for phishing emails, as these employees are accustomed to opening attachments in their normal line of work. Do your best to make your merchants aware of the risks of phishing.
2. Remote Access: Lock the Back Door
While remote product management is a great tool for all sorts of vendors, it can be dangerous in the wrong hands. Here’s a terrifying statistic: In 95% of breaches involving stolen credentials, hackers used the stolen credentials with vendor remote access software to gain entry to customer POS systems. In fact, the Target breach of 2013, involving 40 million accounts, was caused by this very situation. Hackers infiltrated through an HVAC company login and found themselves in a virtual candy store, as Target’s network was set up without proper segmentation to keep payment data separate.
Let that sink in for a moment. Basically, if fraudsters can figure out a password to get into a vendor system, and that vendor uses remote access software to connect with a customer, the risk exists that they can slip into a customer’s network - but only if conditions are right (or, in this case, if conditions are very wrong). Sloppy network security and failure to set strong passwords, establish firewalls, or control access can lead to devastating results.
Falling prey to remote access hacks is entirely preventable. PCI standards were developed for a reason, and full compliance will protect your merchants from the very real threat of remote access breaches. As a PSP, if you use remote access tools to manage your merchant base, it’s crucial to make sure your own housekeeping is in order. Be sure to follow all PCI regulations to the letter. Never cut corners on network security. And make sure your merchants know to set the same expectation for all their vendors.
As an additional fail-safe, advise your merchants to limit vendor access on a need-to-know basis. In the payments industry, these controls can be built in, as POS remote access software can be fully integrated or semi-integrated. At CDE Solutions, we use a semi-integrated platform. With semi-integration, we can troubleshoot, push files and manage a merchant’s tablet, but we do not have access to payment data on the merchant’s terminal itself. This separation of functions, combined with adherence to all PCI data standards, keeps payment data secure.
If you provide fully-integrated solutions, the situation can be a little more complex. In this case, strict adherence to PA-DSS regulations, combined with a dynamic IT team to install, monitor and control network interactions, is the solution to pursue.
3. Merchant Carelessness: Pay Attention to Details
Carelessness is another preventable source of breaches. While you may provide your merchants with the most sophisticated processing tools, if they don’t use the technology, the terminals might as well be doorstops. Clothing chain Forever 21 is just now coming off the tail end of a major breach. Hackers sneaked in through network access and were then able to harvest customer card data because - get this - many stores never turned on the encryption on their POS devices. While Forever 21 is being tight-lipped about the scale of the breach, its seven-month duration makes it clear that many thousands of consumer accounts were compromised.
With proper store education and a little IT oversight, breaches caused by carelessness can often be prevented. Basic security measures are common sense to those of us in payments, but they might not be to your merchants. Don’t presume that merchants know the standards they should maintain. As a payment service provider, consider it part of your duty to provide ongoing education and access to industry resources to help your merchants maintain secure business operations.
Plan for the Best, Prepare for the Worst
Just as it’s important to have a disaster response plan for incidents such as flood and fire, merchants should also prepare a breach response plan. When a breach happens, panic is generally the natural response, but it’s not the most effective one. By planning in advance, merchants can minimize the impact and damage of a breach.
Depending on the scope of a merchant’s business, breach plans can be quite complex and may include contracting with a breach response provider to account for all contingencies. If that’s out of your merchants’ reach, a simple, do-it-yourself plan is far better than nothing. A Google search will lead your merchants to several online resources and templates for breach response plans. You might consider this guide from Experian for a head start.
So that’s it for our “big picture” overview of large-scale breaches. Next month, we’ll cover some new individual fraud tactics your merchants may face. To minimize fraud losses, your merchants need a well-rounded awareness of risk from both scenarios.