Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ Network Security ’

Immediately following the New Year, you probably noticed a few changes.  The gym parking lot was jammed packed.  Every other commercial on TV was for some kind of home workout tape or weight loss solution. Nearly every store was highlighting the “new you.”

Not even thirty days have gone by and things are starting to change again.  People are falling off the bandwagon. Grocery stores are replacing the diet products with Valentine’s Day candy and the commercials for diet plans and fitness products have reverted back to ads about fast food chains and cars.

New Year’s Resolutions don’t last very long but there is one resolution that shouldn’t be let go.

Following the New Year, Hotel News Now featured a series of articles about New Year’s resolutions for hoteliers. One entire article in the series was dedicated to resolutions that hoteliers should consider in the area of data and network security. The highest priority “resolution” for hoteliers was encryption and tokenization of credit card data.

Hotels remain one of the most targeted businesses for data thieves. A quick fix to patch a security gap, or several to get through a PCI audit, simply can’t provide the long term, comprehensive protection needed to ensure that a hotel’s customers are safe from having their sensitive information stolen.

In order to ensure that customer data is safe, hoteliers need to evaluate end-to-end security solutions that can protect customers’ sensitive data while on the move and at rest. Today’s advanced cloud-based tokenization and encryption solutions are enabling hoteliers to become PCI compliant and beyond by removing customer data from the company’s network completely.

These solutions protect data on the move and at rest by encrypting and tokenizing data and storing it off of the network in a secure location. This ensures hotel patrons can rest easy because even if the information is compromised, the tokens are useless to data thieves.

But why is it so important for hoteliers to not give up on their resolution to better protect customer credit card data? Because it’s not just about the damage to the customer or the hotel brand; a data breach can hit a hotelier hard in the wallet.

The cost of data breaches are perpetually increasing. In addition to customers losing faith in the brand, companies that are hacked often find themselves footing the bill for expensive credit monitoring services for victims. They also expend resources on PR campaigns to help mitigate damage to the company’s reputation.

Although this time of year is often when New Year’s resolutions begin to die, hoteliers who made a resolution to better protect their customers’ valuable credit card data need to stay strong. With the cost of a breach rising and the hospitality industry the prime target for data thieves, they simply can’t afford to take their eye off the prize.

We’ve all heard of flash mobs, or groups of people that meet in a particular place and do something fun, creative or unique, such as break out in dance or song. These flash mobs are an interesting phenomenon that have even broken into the mainstream, being parodied in advertisements and featured in TV shows.

But have you heard of flash attacks? They’re not nearly as innocuous and fun as flash mobs, and they can directly result in loss of money and damage to retailers’ brand reputation.

Flash attacks are what Gartner analyst, Avivah Litan, calls credit card skimming schemes, something we’ve discussed previously on the blog.  Essentially, credit card skimming involves individuals either tampering with, or otherwise replacing, credit card readers on point-of-sale (POS) devices within retail establishments. These tampered or replaced devices then compromise the credit card data of the cards that pass through them.

As described by Avivah in her latest blog post, these credit card skimming schemes, or flash attacks, are extremely sophisticated. More than simple acts of vandalism by random data thieves, these are highly-targeted, well-planned attacks by organized groups.

So how do these criminal operations work? Group ringleaders hire individuals to install skimmers into the POS devices or replace the equipment. From there, counterfeiters take the data and create cards, complete with pin numbers taped right on.

More individuals are recruited to then hit up ATM machines and other retail establishments where they can get cash or products that are easily resold (electronics, etc.). The attacks occur quickly and can take place in the country where the theft occurred or in other countries. The individuals withdrawing money or making purchases are instructed to pace themselves and otherwise avoid fraud detection systems.

Avivah’s blog post is an eye-opener and really highlights just how dubious and organized the people running these credit card skimming scams truly are. It’s frightening just how calculated, educated and efficient these attacks can be.

With the National Retail Federation (NRF) annual convention coming up next month, data theft and security issues facing retailers and merchants will be taking center stage. It’s important that retailers educate themselves about the attacks that are occurring, and familiarize themselves with the technologies and solutions available to help eliminate their risk. As the cost of a data breach continues to rise, no retailer can afford to be caught by surprise.

By Michael Ryan

A little over one year ago, I authored a blog post in response to a new trend that was impacting retailers: skimming of credit card information in-flight directly from payment terminals in retail locations. It was around this time last year that Aldi, a discount grocer which operates 1,100 stores in 31 states, announced that terminals in 11 stores had been tampered with and were funneling credit card and PIN data to cyber criminals.

Despite the situation at Aldi, raising awareness of this problem, it’s still an issue for retailers one year later.

According to a recent article, Save Mart, a chain of grocery stores based out of Modesto, Ca., issued a consumer advisory warning customers that 20 of its locations were found to have card readers that were compromised. It wasn’t clear whether the devices were replaced or simply tampered with. Regardless, there was the potential for sensitive customer information to be stolen.

In today’s retail environment, where getting customers in and out of the store quickly with their purchases is paramount, many retail chains have installed self-checkout counters. It was the credit readers at the self-checkout counters that Save Mart had compromised, which raises red flags for other retailers utilizing similar technology.

With data thieves getting increasing bold and physically altering credit card readers, it’s becoming increasing important that retailers remain vigilant and alert. This is especially true right now during the busy holiday shopping season.

As we discussed in a recent post, retailers that have even suspected that data thieves have compromised sensitive financial information about customers have seen a significant impact on their wallets. From public relations campaigns to clear up negative press, to credit monitoring services for customers, companies are seeing the price tag of a data breach continue to increase.

Despite high profile breaches like the ones at Aldi and Michaels, POS systems and card readers at retail locations remain a significant security vulnerability for retail chains. With the cost of a breach skyrocketing and the sheer masses of holiday shoppers flooding retail outlets, now is the time to ensure that businesses do everything they can to protect themselves and their customers.

By Michael Ryan

While many of us were sitting on the couch, fighting our food-induced comas during the Thanksgiving holiday, merchants were scrambling to prepare for an onslaught of customers that were eager to take advantage of Black Friday deals.

Black Friday, which seems to start earlier and earlier each year, not only marks the busiest time of the year for merchants, but also predicts shopping trends, consumer confidence and the state of the economy for the coming year.

And this year’s Black Friday was in no way a disappointment. Shoppers showed up in droves and spent a record amount of money over the weekend. Black Friday spending this year was up 16% from the $45 billion consumers spent last year, according to a recently released survey by the National Retail Federation.

And that sales momentum continued into Cyber Monday, as many shoppers took to retailer’s sites looking for the best deals. Eight in ten retailers were prepared, offering special promotions to please these online shoppers.

Even more interesting is the number of shoppers that relied on their smartphones and other mobile devices to shop online. Compared to last year, the number of mobile users shopping online doubled.

And we don’t doubt that all these numbers are real. We saw it in our own operations. For example, our retail transaction volume for one of our large retail chain clients was a whopping 44% higher on Black Friday this year as compared to last year, and 38% higher on Cyber Monday.

In light of the retailers’ success, both in stores and online, it is importance to stress that consumer confidence drives continued sales and brand trust. During the busiest shopping season of the year, retailers cannot afford to suffer from a data breach and leaked consumer credit card information.

Now, more than ever, retailers must be diligent, which is why we’ve developed these three simple tips for merchant to keep in mind:

  • Know the network. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
  • If it is not needed, remove it. Many retailers keep cardholder data on the system even when it is not necessary.  Nothing is more exciting to potential attackers than hitting the jackpot of payment information.
  • It’s not just technology, its people and processes. Merchants must educate and train staff to understand network security issues.  Yes, the IT department must be aware, but it is just as important for cashiers to understand the risks and be trained to spot suspicious activity.

Retailers have a lot on their plate as they strive to hit their numbers during this holiday shopping season, but security shouldn’t be a leftover thought. The cost of a breach can not only cost retailers millions of dollars, but will hurt consumers’ confidence and trust in the retailer’s brand. With such a significant impact, can the retail industry  afford not to unwrap some extra security this holiday season?

by Beth McGarrity

It’s always interesting to find out what security practitioners, those out in the field, think about the security and compliance challenges they face day in and day out as they secure their networks and customer data.

A few months ago, when we were at the RSA show, we interviewed Jason Stead of Choice Hotels International to find out his thoughts about the security and compliance conundrum.  Does being compliant mean that a company is secure?  Or should compliance be a byproduct of best practice security activity?

Watch the video below to hear Jason’s thoughts.