Security breach

Recommendations

Info

RS supplement payment security 28 RS February - March 2013 Breaching the subject E-commerce has meant the rise of card not present (CNP) fraud. But do in-store security breaches still happen? Dave Adams investigates Consumers love card payments. How often do you pay in cash for a purchase worth more than a few pounds these days? Retailers’ relationships with the major card schemes have sometimes been a bit more fraught, complicated by financial issues and by the ever-tightening demands of PCI security standards. But the PCI regulations, along with the introduction of chip and PIN, have been of great benefit to retailers, making it much harder for criminals to commit fraud by skimming card data from card-present transactions. One unfortunate sideeffect of that has been that the criminals have focused their efforts online and targeted card not present (CNP) transactions instead, but in store, the evolution of the PCI Data Security Standard (PCI DSS) has been an invaluable weapon in the fight against fraud. While that means UK retailers are less likely to suffer from card-present fraud than are their counterparts in countries where magnetic stripe technology is still the primary medium for card transactions, it does not mean they would be any less likely to suffer from the sort of security breach that affected customers of the US wholesaler Restaurant Depot in December 2012. The breach, discovered in early December when a number of the company’s customers reported fraudulent activity affecting their cards, came a year after a similar incident in December 2011 which eventually affected more than 200,000 customers. After an investigation by security specialist Trustwave revealed the breach had actually occurred in early November, Restaurant Depot advised all customers who had used their cards at one of its facilities between 7 November and 5 December to cancel their cards. Now that’s bad PR: to be remembered forever afterwards by thousands of customers as the cause, at the very least, of an irritating encounter with the bureaucracy of the card provider; and at worst as the cause of a fraud using your card. Yet the company claimed that all its systems were in compliance with payment card industry standards. At the time of writing the precise origin or cause of the breach had not been made public. Data breaches Trustwave’s 2013 Global Security Report, published in February, shows that the retail industry is now the number one target of cyber criminals. That growth is driven by the increased focus on hacking e-commerce systems, but it underlines the threat to retailers in general. Is there any danger UK retailers will become complacent about in-store security as a result of the progress made by chip and PIN and PCI DSS? Gary Munro, senior consultant at Consult Hyperion, contemplates the Restaurant Depot breach from a UK perspective. “Do these types of breaches happen here?” he asks. “Yes, but it is becoming less commonplace as retailers upgrade their systems. The criminals will always attack the weakest point in the system and the card industry has done an awful lot to improve security. In older systems some retailers would have a PC or server-based system, possibly in the store, and these could be attacked through a web connection or direct access. But implementing
PCI DSS means any data would be encrypted and that makes it much more difficult for a criminal.” The problem is, not every retailer is compliant. When the PCI Security Standards Council was established by the five major credit card companies in 2006, its primary focus was on larger retailers. Since then it has made strenuous efforts to encourage smaller retailers to seek compliance with PCI standards too. They are at least as likely to be targeted by fraudsters, because they are likely to have spent less on security in general, in the store or online. Despite the efforts of the Council, the card companies and others, awareness of security issues can still be patchy among these merchants. “Many retailers still don’t appreciate how much card data is flowing in their networks,” says Chandra Patni, CEO and CTO at payment specialist YESpay International. “They may have card data stored in PoS databases in clear text.” As PCI compliance has become more difficult over the years, many retailers have outsourced parts of the card payments process to payment services providers (PSPs), like YESpay. One YESpay client, Ian Pulsford, head of IT at toy retailer The Entertainer probably spoke for many of his peers when he told the audience at a YESpay event in March 2012: “Basically we are using as many hosted services as we can. The idea is, ‘have nothing’ ... [get] everything off our network.” Using a PSP won’t be appropriate for every retailer, but one advantage it offers is access to the most advanced payment data processing solutions. In future that is more likely to include point to point encryption solutions, which encrypt all payment data between the PIN entry device (PED) at the till and the central processing facility. Retailers already using point to point encryption include SPAR, which uses the Ocius Sentinel system, provided by Commidea (now part of Verifone) on a managed service basis. The retailer started using the technology in late 2011, when Roy Ford, retail IT controller at SPAR, told Retail Systems that one of the most important reasons it had been chosen was because of the costeffectiveness of the managed service. Not many other retailers have yet followed suit, possibly in part for straightforward economic reasons, but also because many procure and renew PoS and payment systems on a cycle which lasts several years. “Migration won’t happen overnight,” says YESpay’s Chandra Patni. Nonetheless he claims point to point encryption is appearing on RFI and RFQ documents. He believes most larger retailers will be looking to outsource these functions to a managed service. Even if these trends continue to close security weaknesses in payment processes for retailers of all types and sizes over the next few years, there will still be security vulnerabilities in many retailers’ systems. “One place where you could try and attack is maybe not the system itself but the processing associated with it, like a refund or obtaining a receipt copy,” notes Munro. “All payments security supplement those systems should have data in a masked format. But refund processing, for example, is not the most well-defined process.” Retailers will continue to be susceptible to the security threats which afflict IT networks of all kinds, warns YESpay’s Patni: “The main problem is just making sure that card data is safe in the network and that there are good data practices in the network: that there are good logging in procedures and firewalls and so on.” New technologies or payment methods are bound to create further vulnerabilities. “For example, you can now pay using PayPal in certain stores,” adds Consult Hyperion’s Munro. “That’s user name and password-based, so is that as secure as a PIN?” The most obvious new potential source of trouble is payment made using mobile phones and devices, including use of mobile device-based contactless payments. “Mobile payments have introduced a whole new set of challenges for the Council and the whole payments industry,” confirms the PCI SSC’s Jeremy King. But a good mobile payment app for a smartphone can be fairly well secured, suggests Patni, if used with PED equipment which encrypts card data. Edward Chandler, CEO of the PSP CQR Payments Group, makes a similar point. “If I know that the device you’ve taken payment with hasn’t been lost, stolen or interefered with and the account you’ve got is in good shape then that’s a multi-factor and dynamic authentication,” he explains. King says the PCI SSC is working closely with the GSM Association to establish the most effective way of securing mobile devices. The Council has published guidance documents on securing mobile transactions. It is also considering how best to prevent security problems arising in relation to in-store kiosks. Finally, the Council is also actively trying to improve the standards of software installation and integration, because badly installed software is another source of security problems. In 2012 it launched a Qualified Integrators and Resellers (QIR) programme. Yet for all of these potential sources of problems there is still a general feeling that UK retailers have produced a creditable performance in the battle against fraud and crime in the store – in this, electronic respect, at least – in recent years. “UK merchants have done a really good job,” adds King. “I regularly attend a UK merchant working group, largely with tier ones and quite a few of the tier twos now too. With most of those companies now I’ll be talking to PCI representatives, not just IT representatives, so they’ve taken it very seriously. They’re now helping us to try and get the message down to the smaller merchants.” But, as Munro points out, “Regulation is always one step behind the technology”. “It’s a constantly evolving ecosystem: payment methods change, security increases in one place and someone will go and look for a hole in another place,” he observes. “But the industry is getting more mature in terms of the way it looks at making the whole payment mechanism secure.” RS February - March 2013 RS 29
Page 1 and 2: February - March 2013 FIRST CHOICE
Page 3 and 4: RS Editor Karen Moss karen.moss@ret
Page 5 and 6: NEC Display Solutions Showcase 2013
Page 7 and 8: Point of sale is dead. Long live
Page 9: In today’s fast-moving world, fle
Page 12 and 13: Visit us at RBTE 2013 12th-13th Mar
Page 14 and 15: RS RBTE preview RS Marketing: Smart
Page 16 and 17: RS RBTE preview RS If the recent NR
Page 18 and 19: RS Cards and payments 18 RS Februar
Page 21 and 22: contents 22..... We have contact Co
Page 23 and 24: usage such as vending machines and
Page 25 and 26: However, he does reveal doubts over
Page 27: ight and offer customers the chance
Page 33 and 34: Looking forward This year’s Big S
Page 35 and 36: “Another problem is that early ad
Page 37 and 38: It’s all about a more personalise
Page 39 and 40: thoughts from the frontline The new
Page 42 and 43: RS bits and pieces Management bits
Page 44 and 45: RS 44 RS February - March 2013 feat
Page 46 and 47: awards2013 Now open for entries Dea
Page 48 and 49: RS letters to the editor letters 48
Page 50 and 51: RS appointments 50 RS February - Ma
Page 52 and 53: d i r e c t o r y RS M a r k e t p
Page 54 and 55: D I R E C T O R Y O F K E Y P L A Y
Page 56 and 57: D I R E C T O R Y O F K E Y P L A Y
Page 58 and 59: Don’t miss your chance to enter o

Security breach

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?