Retailers Must Gird for Holiday Season PoS Attacks

With data breaches targeting retailers of all sizes accelerating in the past year, and the busy holiday shopping season coming up, EMV chip technology, tokenization and encryption security technologies are in the spotlight as a way to prevent and mitigate point-of-sale (PoS) attacks.

According to Verizon’s 2014 Data Breach Incident Report, 2013 can be characterized as “a year of transition from geopolitical attacks to large-scale attacks on payment card systems,” which is a trend that has only accelerated. During 2013, PoS intrusions accounted for 31 percent of the 148 retail breaches, with payment card skimming accounting for another six percent. PoS intrusions accounted for 75 percent of the 137 accommodation sector breaches.

In the face of the threat, EMV, encryption and tokenization should be used in conjunction, and in a layered fashion, according to the Smart Card Alliance Payments Council.

“Today, payments industry stakeholders are looking at many security technologies to protect their businesses and customers,” said Randy Vanderhoof, executive director of the Smart Card Alliance, in a white paper. “The degree of layering will differ among payments stakeholders depending on their requirements, environment and budget.”

Essentially, these are three legs to a protective stool, starting with smart chip technology, which improves the security of a payment transaction by providing cryptographic card authentication, and thus helps protect against the acceptance of counterfeit cards. The EMV specification also offers cardholder verification and several means of transaction authentication that help safely authorize transactions.

It should be noted that the US has started to migrate to EMV chip technology. American Express, Discover, MasterCard and Visa have all announced plans for moving to an EMV-based payments infrastructure, including offering a series of incentives and policy changes for card issuers and merchants, with a target date of October 2015 to complete implementation of EMV chip cards, terminals and processing systems. This is also the date for a payment liability shift, at which point the responsibility for fraud resulting from a card-present payment transaction will shift to the party using the least secure technology—essentially incentivizing merchants to get on board.

Meanwhile, encryption, including end-to-end encryption (E2EE) or point-to-point encryption (P2PE), can immediately encrypt card data at time of entry—at card swipe, key entry, tap or insertion—so that no one else can read it and use the card data for unauthorized transactions.

This is especially crucial considering that “today’s merchants want to transact with customers across a wide range of shopping channels that include traditional PoS, mobile, online, telephone and others,” the Alliance noted. “To accomplish this, merchants need to accept payments through tablets, smartphones, kiosks, and self-service terminals. Many of these platforms are off-the-shelf consumer devices and are susceptible to malware and crimeware. Without the means of reducing the risk of compromise, use of these platforms is risky.”

And finally, tokenization replaces card data with surrogate values that are unusable by outsiders. These tokens have no value outside of a specific merchant or acceptance channel. There is some movement on this front; tokenization standards are being developed and published by a number of industry organizations, the Alliance explained, with commercial solutions starting to use those specifications to provide tokenization services.

“Some standardization efforts are focused on card-present merchants to remove cardholder data from the business environment, while others are focused on e-commerce and mobile transactions,” it said.
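The merchant-scoped property described above, as an added illustration that is not code from the Alliance or any vendor: a constructed in-memory token vault issues random surrogates bound to one merchant ID, so a token lifted from one merchant's systems cannot be turned back into a card number anywhere else. Tokens here are deliberately made to fail the Luhn check so they can never pass as a real PAN; the PAN, merchant names and vault layout are all constructed for the example.

```python
import secrets

# Constructed in-memory vault: (merchant_id, token) -> PAN. In a real
# deployment the PAN side is encrypted and the vault sits outside the
# merchant's own network, which is what takes the PAN out of PCI scope.
_VAULT = {}


def luhn_valid(number: str) -> bool:
    """Standard mod-10 (Luhn) check applied to payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(pan: str, merchant_id: str) -> str:
    """Replace a PAN with a random surrogate bound to a single merchant.

    The last four digits are kept (receipts, customer lookups); the rest is
    random, so the token reveals nothing about the PAN. The token is also
    forced to fail Luhn so it can never be mistaken for a card number.
    """
    if not pan.isdigit() or not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    while True:
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        if not luhn_valid(token) and (merchant_id, token) not in _VAULT:
            break
    _VAULT[(merchant_id, token)] = pan
    return token


def detokenize(token: str, merchant_id: str):
    """Return the PAN only to the merchant the token was issued for, else None."""
    return _VAULT.get((merchant_id, token))


if __name__ == "__main__":
    test_pan = "4111111111111111"           # constructed test card number
    tok = tokenize(test_pan, "merchant-A")
    print("token:", tok)
    print("merchant-A recovers:", detokenize(tok, "merchant-A"))
    print("merchant-B recovers:", detokenize(tok, "merchant-B"))
```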

How these three technologies are applied will vary from business to business, according to the payments stakeholder’s individual risk, regulations, cost and anticipated needs.

As the Alliance explained, “A low-value-ticket card-present merchant may have very few chargebacks and may not be worried about counterfeit cards. The merchant will still have PCI and data-in-transit concerns, so their investment may focus on the encryption of data in transit and at rest.”

However, “A high-value-ticket card-present merchant may be most concerned about counterfeit cards. The investment focus would be on EMV first and encryption of data in their network.”
