Merchant Link SecurityCents

For any business – especially those involved in storing, processing or transmitting payment data – information is one of its most important assets. Protecting this information is vital for maintaining customer trust and brand reputation. Beyond having the right security systems, technologies and procedures in place, business owners need to make sure that each and every employee is aware of the role that they play in protecting that important asset.

At Merchant Link, we recently wrapped up our annual Security Awareness Week. Guided by our Learning and Development Team, employees participated in educational trainings and activities that reinforced company security policies and provide information on the latest security threats, challenges and trends. This week on the blog, we’ll share some of the key tips and information we learned to benefit our readers.

Who are criminals targeting?
In March, we highlighted key findings of the 2012 Verizon Data Breach Incident Report.  As in years past, hospitality, retail and financial sectors topped the list.  Criminals tend to go where there’s money to be made and these industries have a high ratio of credit card transactions.  Within these industries,  a whopping 67% of breaches occurred in smaller organizations – level 3 & 4 merchants – that typically don’t have the staff or resources to employ full time security departments.

How are attackers gaining access?
It is important to remember that most data thieves are professional criminals deliberately trying to steal information they can turn into cash.  It makes sense that they would target the “low hanging fruit”.  The Verizon report shows a substantial increase in the number of breaches directly attributed to non-compliant smaller merchants and organizations.  Statistics clearly show that targeted companies have developed a complacency or even ambivalence towards security.  Whether large or small there are a variety of ways thieves can attack your business.

Stolen login credentials are the most common access point.  These credentials are often obtained through social engineering.  Social engineering employs many methods designed to manipulate a person into providing sensitive information that can be used to access personal data, plant a virus or otherwise gain access to your network.  Almost half (46%) of stolen credentials were obtained by telephone and 37% were obtained in person-to-person encounters, according to the Verizon report. 

Accommodation/Food Service providers should also be aware that POS terminals have the highest percentage of user device compromises (35%).  Methods range from installing devices to capturing cardholder data from magnetic stripes to duplicating manager cards or installing malware applications to track keystrokes.  Merchants should ensure their POS system is listed on the PCI DSS website of validated payment applications and approved PIN security devices.

One of the most surprising things revealed in the data breach studies is that it comes down to basic common sense, which as it turns out is not all that common.  Breach studies increasingly show signs that basic security practices are not being exercised. It is similar to leaving your home or your car unlocked and wondering why you had a break in.  Business owners who do not implement basic common sense security practices simply invite an attack and compromise.

What can you do to protect your business and customers?
The good news is there are some simple, basic steps you can implement that will have a big impact on your overall security risk.

• Implement a firewall on remote access services.
• Change default credentials of point-of-sale (POS) systems and other Internet-facing devices.
• If a third party vendor is handling the two items above, make sure they’ve actually completed these tasks.
• Make sure your POS is a PCI DSS compliant application.
• Eliminate PAN (Primary Account Number) data on-site.

Still not sure how to proceed?  Partner with a payment security expert who can offer you guidance and support on an implementation strategy that makes sense for your business. 

Finally, ask yourself this question…
The impact of a data breach to any business can be very serious.  In addition to fines and legal fees, you may completely lose the ability to process credit cards.  Consider how much time and money you have available for security awareness training and PCI compliance and ask yourself “What is my company’s reputation worth?”  Would you shop at a store or use a bank that allowed your credit card number to be stolen?

The Verizon RISK team has published the highly anticipated 2012 Data Breach Investigations Report.  After seeing steady declines for the past two years, the report finds that breaches skyrocketed in 2011, boasting the second-highest data loss total since the Verizon team started keeping track in 2004. While mainline cybercriminals continue to target monetarily valuable data, 2011 saw a re-invigoration of online activism. “Hactivism” is targeted towards larger organizations worldwide with the intent to damage the brand and embarrass the organization. In addition to the significant increase in number of attacks, the report shows organizations required to be PCI DSS compliant continue to struggle. According to the report 96% of breach victims were not compliant as of their last assessment (up 7% from last year).

Most Afflicted Industry
The report found that once again, the most afflicted industry was Accommodation/Food Service (Restaurants 95%, Hotel 5%). The report found that nearly three-quarters of automated opportunistic attacks hit the Retail/Trade or Accommodation/Food Service industries. Even though the amount of data per business is small, these “industrialized” attacks are carried out against large numbers in a surprisingly short timeframe encountering almost no resistance.  Many of these are small to midsize level 4 merchants who are failing in assessing and achieving PCI DSS compliance.

Most Used Techniques
External agents continue to be responsible for the largest proportion of breaches in 2011 (98%). The report shows the most common external breach techniques utilize some combination of hacking and malware (61%). Linked to almost all compromised records is circumventing authentication using stolen or guessed credentials (84% of records).

While internal employee breaches fell again this year to only 4% of total incidents, there is an interesting correlation to the food service industry. Most affected by internal employee breaches were smaller businesses and independent local franchisees of larger brands. The highest percentage of internal incidents belonged to money handlers such as the Cashier/Teller/Waiter category (65%) and the Manager/Supervisor category (15%).

Most Compromised Devices
With the Accommodation/Food Service industry continues to be the most targeted, it is not surprising that the highest percentage of user device compromises consist of POS Terminals (35%), Desktops (18%) and ATMS (8%). The report recommends training staff to detect signs of device tampering and to look for anti-tampering technology in POS and PIN devices.

Conclusions
Mitigating data breach threats can range from simple solutions to costly and complex systems. The report shows overwhelmingly that implementing a few basic safeguards has a big impact for small and mid-size companies that make up a large portion of the Accommodation/Food Service sector. These companies should look to:

• Implement a firewall on remote access services
• Change default credentials of POS systems and other Internet-facing devices
• Make sure your POS is a PCI DSS compliant application
• Eliminate unnecessary data on site

To assist in eliminating data on site, consider combining tokenization and point-to-point encryption to protect both stored data and data in-flight. Tokenization eliminates storage of actual cardholder data, while point-to-point encryption protects data in-flight from the point of interaction and as it travels through the merchant’s IT environment. If you get rid of the data, you get rid of the risk.

The 2012 Multi-Unit Restaurant Technology Conference (MURTEC) show starts today, otherwise known as the “The Gold Standard Restaurant Technology Event,” bringing together more than 225 restaurant technology, finance and operations professionals for three days of peer-to-peer exchange of ideas and best practices. Merchant Link will be there and reporting back on all the tech talk and trends.

One of the many things people will be buzzing about is Hospitality Technology’s 2012 Restaurant Technology Study. Among this year’s results, in the area of PCI compliance/security, restaurant operators are moving away from the belief that:

• PCI compliance is the responsibility of the vendor (48% agreed in 2011, 38% agreed in 2012).
• PCI compliance guarantees there will be no breach (22.8% agreed in 2011, 13.8% agreed in 2012).

These trends indicate that the message about PCI as best practice, not a guarantee – is finally getting through, and that businesses are taking greater ownership when it comes to compliance.

In our own business, we see evidence of these trends, as more and more merchants are asking us to help them get rid of sensitive cardholder data on their networks altogether. Restaurant chains like Silver Diner, are taking a layered approach to prevent a data breach. Using tokenization and point-to-point encryption, Silver Diner not only enhanced their security, they were able to achieve significant reductions in PCI scope and costs. Check out the case study we just posted to learn more.

And let us know your thoughts on compliance by leaving a comment below.

The cost of a data breach for retailers and merchants is rising every day, both in terms of dollars and brand reputation, taking into account costs for internal investigation, notification/crisis management and response. And soon, there may be another cost being levied on merchants from a different source: the government.

According to a recent article in the Financial Times, the European Union is considering a stiff fine for retailers if they fail to secure sensitive customer data. The size of the fine amounts to more than just a simple slap on the wrist. In fact, retailers breaching European Union privacy rules could be on the hook to pay a fine up to 5 percent of their annual revenue.

Although these rules are still in their infancy and, if passed, wouldn’t go into effect for as long as two years, they should still be a frightening proposition for all retailers. And it’s not just European retailers that should be concerned since the rules are expected to also apply to European subsidiaries of foreign companies.  It could also be an indicator of what may happen in the U.S.

If you think the rules may go without being enforced, you should think again. StorefrontBacktalk’s Evan Schuman wrote about this issue in a recent column, and speculated that the EU is likely to strictly enforce this legislation since they’re starved for cash and these fines could be a good way to raise money. Also, unlike credit card companies and other stakeholders that threaten to punish retailers, the government doesn’t necessarily have anything to lose from fining a retailer.

For example, Visa would probably think twice about punishing or terminating its relationship with Wal-Mart simply because the retail giant wasn’t on the cutting edge of data security. The loss of revenue from credit card transaction fees would simply be too great.

Although these rules could be years in the making, or never even see the light of day, they’re evidence that governments are starting to crack down on companies that aren’t making data security a priority. With 2011 being a banner year for cyber attacks and data theft, and the potential for the cost of a breach to continue to increase, the time is now for retailers to take a more serious look at their security posture.

With tokenization and encryption solutions available to retailers via the cloud, there is no reason why any company should not be PCI compliant and protected from data breaches. The costs are too high, both to the company’s coffers and its reputation.

Don’t let your company wait until it has to part with 5 percent of its annual revenue before you start to reevaluate how you store and protect payment card data.

By Michael Ryan

A little over one year ago, I authored a blog post in response to a new trend that was impacting retailers: skimming of credit card information in-flight directly from payment terminals in retail locations. It was around this time last year that Aldi, a discount grocer which operates 1,100 stores in 31 states, announced that terminals in 11 stores had been tampered with and were funneling credit card and PIN data to cyber criminals.

Despite the situation at Aldi, raising awareness of this problem, it’s still an issue for retailers one year later.

According to a recent article, Save Mart, a chain of grocery stores based out of Modesto, Ca., issued a consumer advisory warning customers that 20 of its locations were found to have card readers that were compromised. It wasn’t clear whether the devices were replaced or simply tampered with. Regardless, there was the potential for sensitive customer information to be stolen.

In today’s retail environment, where getting customers in and out of the store quickly with their purchases is paramount, many retail chains have installed self-checkout counters. It was the credit readers at the self-checkout counters that Save Mart had compromised, which raises red flags for other retailers utilizing similar technology.

With data thieves getting increasing bold and physically altering credit card readers, it’s becoming increasing important that retailers remain vigilant and alert. This is especially true right now during the busy holiday shopping season.

As we discussed in a recent post, retailers that have even suspected that data thieves have compromised sensitive financial information about customers have seen a significant impact on their wallets. From public relations campaigns to clear up negative press, to credit monitoring services for customers, companies are seeing the price tag of a data breach continue to increase.

Despite high profile breaches like the ones at Aldi and Michaels, POS systems and card readers at retail locations remain a significant security vulnerability for retail chains. With the cost of a breach skyrocketing and the sheer masses of holiday shoppers flooding retail outlets, now is the time to ensure that businesses do everything they can to protect themselves and their customers.

By Michael Ryan

While many of us were sitting on the couch, fighting our food-induced comas during the Thanksgiving holiday, merchants were scrambling to prepare for an onslaught of customers that were eager to take advantage of Black Friday deals.

Black Friday, which seems to start earlier and earlier each year, not only marks the busiest time of the year for merchants, but also predicts shopping trends, consumer confidence and the state of the economy for the coming year.

And this year’s Black Friday was in no way a disappointment. Shoppers showed up in droves and spent a record amount of money over the weekend. Black Friday spending this year was up 16% from the $45 billion consumers spent last year, according to a recently released survey by the National Retail Federation.

And that sales momentum continued into Cyber Monday, as many shoppers took to retailer’s sites looking for the best deals. Eight in ten retailers were prepared, offering special promotions to please these online shoppers.

Even more interesting is the number of shoppers that relied on their smartphones and other mobile devices to shop online. Compared to last year, the number of mobile users shopping online doubled.

And we don’t doubt that all these numbers are real. We saw it in our own operations. For example, our retail transaction volume for one of our large retail chain clients was a whopping 44% higher on Black Friday this year as compared to last year, and 38% higher on Cyber Monday.

In light of the retailers’ success, both in stores and online, it is importance to stress that consumer confidence drives continued sales and brand trust. During the busiest shopping season of the year, retailers cannot afford to suffer from a data breach and leaked consumer credit card information.

Now, more than ever, retailers must be diligent, which is why we’ve developed these three simple tips for merchant to keep in mind:

• Know the network. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
• If it is not needed, remove it. Many retailers keep cardholder data on the system even when it is not necessary.  Nothing is more exciting to potential attackers than hitting the jackpot of payment information.
• It’s not just technology, its people and processes. Merchants must educate and train staff to understand network security issues.  Yes, the IT department must be aware, but it is just as important for cashiers to understand the risks and be trained to spot suspicious activity.

Retailers have a lot on their plate as they strive to hit their numbers during this holiday shopping season, but security shouldn’t be a leftover thought. The cost of a breach can not only cost retailers millions of dollars, but will hurt consumers’ confidence and trust in the retailer’s brand. With such a significant impact, can the retail industry  afford not to unwrap some extra security this holiday season?

We have always highlighted how damage experienced after a data breach can have  lasting negative effects on brand equity and reputation.  A recent survey of nearly 850 executives, conducted by the Ponemon Institute, reinforced this by reporting that the average time it takes to restore an organization’s reputation after a breach is one year.

Following is a podcast with Dr. Larry Ponemon who discusses this study and what companies can do to best protect their reputations after a breach from the ITAC blog.

The top executives of retail companies have a list of business functions, products and services that they’ve been told they, “just have to have.”

Public relations, marketing, advertising…all considered a necessity if you want consumers to know you exist. Information security hasn’t always been at the top of that list, but retail executives are starting to wake up and realize the negative impact a data breach can have on their company.

Why the change? Data breaches are hitting retailers where it hurts – in their wallets.

Just this week, the Financial Times featured an article on the cost of data breaches and the need for data security. The article references British mega-chain, Marks & Spencer, which operates hundreds of M&S department stores and Simply Food markets in the UK, as well as more than 325 locations in countries such as China, India, Indonesia, and South Korea.

Marks & Spencer, which touts that around 21 million people visit its stores each week, was the victim of data thieves that stole customer email addresses from one of the company’s email marketing vendors. The exact cost of the breach wasn’t listed, but the company had to email all of their customers and warn them about the theft, which was undoubtedly a blow to their brand reputation.

Many other retailers that are the victims of data theft don’t get off that easily. Should financial or credit card information get compromised, credit monitoring services are often offered to customers at the company’s expense. Public relations, and crisis communications staff or vendors are then needed to help control the situation and make it “go away.” Information security experts are needed to find vulnerabilities and ensure they are resolved.

It’s this cost to the company that has retailers looking at data security much more seriously. According to the Financial Times article, retailers are even looking at insurance policies designed to help offset the cost of a data breach. However, technology has created an even better “insurance policy” against data theft. Retailers are eliminating the data from their networks completely by utilizing tokenization and encryption solutions. These solutions ensure that the data, should it be stolen, is useless to data thieves.

For retailers of all sizes, data security is more than something that the company “should look into.” As more globally-recognized brands and small merchants alike fall victim to data thieves, the need for data security becomes increasingly apparent. If the Financial Times article is any indication, retailers are starting to wake up and embrace data security, and that can only mean good things for customers all over the globe.

By Beth McGarrity

There is a new bill in the U.S. Senate that is aimed at protecting a citizen’s privacy and information when a security breach occurs.  In the last few weeks, the Personal Data Protection and Breach Accountability Act of 2011 was introduced, with sponsors of the bill, saying that many of the recent security breaches have been preventable.

But the National Retail Federation has another view.  David French of NRF said that the bill is far too broad and instead of achieving protection of consumer information, the bill would have a negative impact, resulting in “notice fatigue.”

Now, this is interesting, because NRF is an avid supporter of protecting notification when identity theft occurs, yet feels that standards must be met before a notification is sent out.  If consumers are receiving notices for every incident, regardless of severity, they will eventually begin to ignore the notification and potentially not take the appropriate steps when the risk level is high.

We are all for notification to consumers when there is a risk involved and agree that notification fatigue could be an issue.  But the real issue that we believe needs to be addressed is how the sensitive information is being stored on a merchant’s system.

Ultimately, this becomes a security issue and storing personal identifiable information about consumers on a network that doesn’t have the proper security controls, is a major risk.  If you are going to take the risk, you must take an aggressive approach to security and you must test and monitor your approach regularly.

An incident may still occur, but you are less likely to have to notify your customers of a security incident if you are thinking about security as an integrated process within your business.

By Beth McGarrity

In the brick-and-mortar world, merchants run the risk of long-term reputational damage when they experience a credit card breach.  For online merchants, data breaches can cause even more damage — as credit and debit cards are typically the only means for doing transactions.  Clearly, protecting one’s online brand is of utmost importance.

According to a recent report by Visa’s CyberSource unit and Trustwave, nearly 70 percent of online merchants said they have tightened credit card data security in order to protect their brands.  This was a larger motivator than the desire to avoid fines for non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).

In addition, the report also highlights how online merchants are also concerned about insider threats.   Not a huge surprise.  In fact, our readers may recall our post about nefarious employees stealing customer data via USB drives.  Although this post was more for brick-and-mortar merchants, the reality is that bad employees lurk in both the offline and online worlds.

So what are online merchants doing to actually tighten their credit card security?

They are moving credit card data from their networks to third-party vendors as a way of reducing security risks, data storage and compliance costs, according to the study.

So it seems that online merchants are taking a page from what is happening in the brick-and-mortar world:  they are completely removing the data from their systems.  And as in traditional environments, tokenization and encryption are two viable solutions to remove the data.

No matter where products are sold – at a retail outlet or on a website – protecting one’s brand is paramount.