BreachExchange mailing list archives

Is seven seconds worth having your data stolen, some retailers think it is


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Dec 2015 18:34:09 -0700

http://www.decryptedtech.com/news/is-seven-seconds-worth-having-your-data-stolen-some-retailers-think-it-is

There is a report that over the holidays several retailers disabled the EMV
(Chip and Pin) functionality of their card readers. The reason for this?
They did not want to deal with the extra time it takes for a transaction.
With a standard card swipe (mag-swipe) you are ready to put in your pin and
pay in about three seconds. With EMV this is extended to roughly 10
seconds. Of course when you add in all of the other items that retailers
throw in (are you a rewards member?) your checkout time can be lengthened
quite a bit.

Instead of working with the customers or removing the ads and crap
retailers were choosing to simply turn off the EMV security. Of course that
is saying that the outlet you are shopping at even has EMV turned on to
begin with. Since EMV became a requirement many companies are hedging their
bets in the hopes that they do not have a breach before they finally choose
to put EMV in place. This is a dangerous game to play with customers' data
considering the changes in the laws. Now the outlet is directly liable for
the loss and is open to legal action (including class action) in the event
of data theft.

This type of behavior is, sadly, not uncommon at all. It is all about
trying to put off paying for the devices, services and other items that
allow the system to function. Any major change to a point of sale system is
a big hit financially and the EMV security restrictions (including point to
point encryption) are pretty big. Even handling the card readers now
requires access control and secured storage for the devices. To make things
worse, not every PoS developer is ready or fully supports EMV. Far too many
of them have not even begun to make the changes needed. They bank on the
fact that their customers will not leave them due to the high cost of
replacing a PoS system.

It is an ugly pattern that we are seeing more and more of. Consumer data is
not important in the face of profits and cash flow. Companies are expecting
their breach insurance and the card issuers to deal with the problem so
they do not have to. The concept has not sunk in that breach insurance will
not cover you if you knowingly fail to meet PCI standards. Meanwhile the
card issuers are shifting responsibility to the retailers making them
directly liable… In the end the only people that are really affected are
the consumers that lose money and time when their data is stolen.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss