BreachExchange mailing list archives

The Silver Lining of Recent Data Breaches


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 7 Oct 2015 20:26:02 -0500

http://www.chainstoreage.com/article/silver-lining-recent-data-breaches

Retailers have always experienced a tension between investing to grow and
investing to improve security. Not surprisingly, we’ve seen vulnerabilities
arise when marketing and sales initiatives have trumped less sexy
initiatives around security. In 2013, 61 million people had their personal
data stolen from Target. One year later, 56 million credit and debit card
numbers were exposed in Home Depot’s breach.

The good news is there’s reason to be hopeful. Recent developments in
retail technology mean that growth and security initiatives no longer need
to be mutually exclusive. You can have the best of both.

Resource Tradeoffs That Leave Retailers Vulnerable
Without a doubt, recent data breaches caused financial and reputational
damage to the retailers involved. But how did they happen, and what are the
common resource tradeoffs that make retail environments so vulnerable?

Here are some of the tradeoffs:

*Legacy Systems*
Most modern retailers are hamstrung by legacy hardware and software that
optimize for high reliability. These inflexible environments make it
difficult to deploy new security features. Necessary upgrades are often too
burdensome to implement, leaving massive holes for hackers.

*Open Networks*
Historically, many retailers created isolated networks for their POS
devices to keep payment data secure. However, evolving business needs —
surfacing local inventory online, providing in-store WiFi, or even
monitoring heating / cooling of POS (Target’s case) — require access to
store networks.

The push to quickly deliver these features often leaves the POS vulnerable.
Open networks coupled with modern malware frameworks (BlackPoS, ChewBacca
and BackOFF) enable cyber thieves to gain access and design attacks
specifically targeted at the POS.

*Unencrypted Data*
Even though modern PIN pads support point-to-point encryption (P2PE), the
challenge of making any change in a legacy environment means that most
retailers haven’t enabled encryption — payment card data is still
transmitted ‘in the clear’.

Further, because today’s PCI standards don’t require P2PE, many retailers
have a false sense of security that they are safe. In fact, without
encryption, open networks create an opportunity for a significant,
large-scale attack.

*What Is the Silver Lining?*
In light of recent breaches, security is finally getting the attention and
prioritization that it deserves. At the same time, developments in retail
technology not only address security concerns, but also create new
marketing opportunities. As a result, improving in-store security no longer
has to mean diverting resources away from other initiatives.

Technologies like P2PE, EMV (Europay, MasterCard and Visa) and mobile
payments provide the ingredients to secure in-store shopping, and modern
PIN pads have the capability to enable all of these security enhancements.

Also, large touch-screens on new PIN pads provide a chance to engage
customers and improve the in-store experience, creating a win-win for the
entire business. These elements combine to create more secure transactions
and high-touch customer engagement.

*Secure Cards / EMV*
EMV cards look like traditional cards, but contain a microchip that makes
them much harder to compromise and counterfeit.

In addition, EMV ensures a secure physical interaction between the card and
the reader. On Oct. 1, “Chip & Signature” became the standard for payment
in the U.S. followed by “Chip & PIN”. An EMV card contains PIN information
known only to the cardholder, enabling a special one-time-use security
transaction code or "cryptogram" that only works when the actual card is
present.
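The one-time cryptogram described above, as an added illustration that is not from the article: a simplified stand-in for an EMV application cryptogram using HMAC-SHA256 (real EMV derives per-transaction session keys and uses 3DES/AES MACs), with a constructed issuer key and the standard test PAN. It shows why a captured cryptogram cannot be replayed, altered, or forged from the card number alone.

```python
import hashlib
import hmac
import os

# Simplified EMV-style application cryptogram (ARQC) for illustration only.
# The MAC binds amount, the chip's transaction counter (ATC) and a terminal
# nonce under a key that never leaves the chip, so each value is single-use.

def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Issuer derives a per-card key from its master key and the PAN."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()

def cryptogram(card_key: bytes, pan: str, amount_cents: int,
               atc: int, unpredictable_number: bytes) -> bytes:
    """MAC over the transaction data, truncated to 8 bytes like an EMV AC."""
    data = f"{pan}|{amount_cents}|{atc}|{unpredictable_number.hex()}".encode()
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]

class Chip:
    """Simulated chip: holds the card key and a monotonically increasing ATC."""
    def __init__(self, pan: str, card_key: bytes):
        self.pan, self.key, self.atc = pan, card_key, 0

    def generate_arqc(self, amount_cents: int, unpredictable_number: bytes):
        self.atc += 1
        return self.atc, cryptogram(self.key, self.pan, amount_cents,
                                    self.atc, unpredictable_number)

class Issuer:
    """Issuer host: recomputes the MAC and rejects reused ATC values."""
    def __init__(self, master_key: bytes):
        self.master_key, self.last_atc = master_key, {}

    def verify(self, pan, amount_cents, atc, unpredictable_number, arqc) -> bool:
        expected = cryptogram(derive_card_key(self.master_key, pan), pan,
                              amount_cents, atc, unpredictable_number)
        if not hmac.compare_digest(expected, arqc):
            return False          # forged, or transaction data altered
        if atc <= self.last_atc.get(pan, 0):
            return False          # replay of an already-seen counter value
        self.last_atc[pan] = atc
        return True

def run_demo():
    master = b"constructed-issuer-master-key"        # constructed sample key
    pan = "4111111111111111"                         # standard test PAN
    issuer, chip = Issuer(master), Chip(pan, derive_card_key(master, pan))
    un = os.urandom(4)                               # terminal's nonce
    atc, arqc = chip.generate_arqc(1999, un)
    genuine = issuer.verify(pan, 1999, atc, un, arqc)             # accepted
    replayed = issuer.verify(pan, 1999, atc, un, arqc)            # same data again
    altered = issuer.verify(pan, 999, atc + 1, un, arqc)          # amount changed
    forged = issuer.verify(pan, 1999, atc + 1, un, os.urandom(8)) # PAN only
    return genuine, replayed, altered, forged
```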

*Secure Data / P2PE*
But EMV only solves part of the problem. When any payment card is used upon
checkout, the information is sent in plaintext over interconnected networks
that can expose that data. The solution here? Point-to-point encryption
that secures cardholder data in transit — from the moment it enters a PIN
pad until it reaches the payment processor.

*Mobile Payments*
Mobile wallets like Apple Pay and Android Pay not only provide exciting new
customer experiences but were designed from the ground up to enhance
security with thumbprint authentication, card tokens and dynamic card data.
Another win-win.

*Onscreen Engagement*
Modern PIN pads offer a critical marketing touchpoint and unique
opportunity to engage with customers in an innovative, branded and
personalized way. The touch-screen displays incorporated into the latest
devices from Verifone and Ingenico allow for onscreen branded marketing,
seamless email capture, and a streamlined checkout experience.

As we all know, there’s no silver bullet in data security. Understanding
your unique vulnerabilities, and developing a strategy to address them, is
the only way to stay out of an attacker’s crosshairs — and out of the
headlines. Attackers are continuously trying to find new ways to infiltrate
retailer networks and steal from customers. However, you do have the power
to make your stores a significantly less attractive target by learning from
recent data breaches and taking a comprehensive approach to security.

This moment of transition and resource allocation presents an opportunity
for every retail organization — an opportunity not only to protect customer
data, but to holistically improve the in-store experience. As you deploy
modern PIN pads, strong cross-functional coordination can unlock the
potential of these devices.

Alignment across security, technology and marketing departments makes it
possible to deploy a solution that not only protects customers when they
transact, but engages them and deepens their connection to your brand.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss