RS supplement payment security
28 RS February - March 2013
Breaching the subject
E-commerce has meant the rise of card not present (CNP) fraud. But do in-store security breaches still happen? Dave Adams investigates
Consumers love card payments. How often do you pay in cash for a purchase worth more than a few pounds these days? Retailers’ relationships with the major card schemes have sometimes been a bit more fraught, complicated by financial issues and by the ever-tightening demands of PCI security standards. But the PCI regulations, along with the introduction of chip and PIN, have been of great benefit to retailers, making it much harder for criminals to commit fraud by skimming card data from card-present transactions. One unfortunate side-effect of that has been that the criminals have focused their efforts online and targeted card not present (CNP) transactions instead, but in store, the evolution of the PCI Data Security Standard (PCI DSS) has been an invaluable weapon in the fight against fraud.
While that means UK retailers are less likely to suffer from card-present fraud than are their counterparts in countries where magnetic stripe technology is still the primary medium for card transactions, it does not mean they would be any less likely to suffer from the sort of security breach that affected customers of the US wholesaler Restaurant Depot in December 2012. The breach, discovered in early December when a number of the company’s customers reported fraudulent activity affecting their cards, came a year after a similar incident in December 2011 which eventually affected more than 200,000 customers. After an investigation by security specialist Trustwave revealed the breach had actually occurred in early November, Restaurant Depot advised all customers who had used their cards at one of its facilities between 7 November and 5 December to cancel their cards.
Now that’s bad PR: to be remembered forever afterwards by thousands of customers as the cause, at the very least, of an irritating encounter with the bureaucracy of the card provider; and at worst as the cause of a fraud using your card. Yet the company claimed that all its systems were in compliance with payment card industry standards. At the time of writing the precise origin or cause of the breach had not been made public.
Data breaches
Trustwave’s 2013 Global Security Report, published in February, shows that the retail industry is now the number one target of cyber criminals. That growth is driven by the increased focus on hacking e-commerce systems, but it underlines the threat to retailers in general. Is there any danger UK retailers will become complacent about in-store security as a result of the progress made by chip and PIN and PCI DSS?
Gary Munro, senior consultant at Consult Hyperion, contemplates the Restaurant Depot breach from a UK perspective. “Do these types of breaches happen here?” he asks. “Yes, but it is becoming less commonplace as retailers upgrade their systems. The criminals will always attack the weakest point in the system and the card industry has done an awful lot to improve security. In older systems some retailers would have a PC or server-based system, possibly in the store, and these could be attacked through a web connection or direct access. But implementing