[BreachExchange] 5 Critical Steps For Retailers To Reduce Cybersecurity Risk

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 10 20:13:38 EDT 2017


https://paymentweek.com/2017-7-10-5-critical-steps-retailers-reduce-cybersecurity-risk/

The story is becoming all too familiar – another retailer announces that it
discovered malware on its point-of-sale systems. Clothing retailer Buckle,
which operates more than 450 stores in 44 states across the country, joined
the ranks of the almost 500 companies that suffered breaches in 2016 by
disclosing that malware was siphoning unencrypted credit card data.

For those of us who work with credit card information daily, Buckle’s
announcement served as yet another reminder that we must always remain
vigilant when it comes to protecting customer data. In the wake of this and
other major cybersecurity-related incidents, merchants need to actively
evaluate all of their cybersecurity and credit card acceptance practices to
ensure they’re in compliance with industry standards and regulations, as
well as leveraging the most advanced security solutions available in the
marketplace. There are steps companies can take immediately, including:

Conduct an Individual Risk Assessment – Whether or not your company has
been the victim of a breach, retailers must invest in a straightforward
risk assessment program that is validated by third-party auditing and
testing. While retailers increased their information security budgets by
67 percent last year, according to PricewaterhouseCoopers, executive
leadership must remember that security is not the place to try to save a
few dollars; it has to be a priority. Corporate risk assessments should
focus on identifying threat vectors, from internal employees with access to
sensitive systems to external attackers attempting to breach them. It is
critical that companies maintain a current inventory of personnel with
elevated system privileges, evaluate and control system access, identify
critical corporate assets, and segment the assets that process or store
sensitive information from the rest of the network.

Reaffirm Payment Channel Security – While eCommerce transactions were
traditionally considered less secure because of the nature of online
payments (no physical consumer present), the frequency of major breaches in
card-present environments demonstrates that in-person transactions are at
least as risky as online purchases. In the wake of data breaches, it is
critical to ensure that payment solutions are up to date and can identify
and defend against the latest attack methodologies.

Encrypt Data Before It Enters the Point-of-Sale System – As long as
merchants continue to accept unencrypted credit card data and allow it to
traverse their networks, the industry will continue to see headline data
breaches that negatively impact both the merchant and their customers.
However, it isn't enough to simply encrypt data after reading it with a
point-of-sale workstation's on-board card reader. When encryption is done
in software on the POS, the cleartext track data passes through the POS
process's memory before it is encrypted, and that window is exactly what
memory-scraping POS malware reads. Instead, data should be encrypted before
it enters the point-of-sale system, inside an external payment device with
hardware encryption. That way, the point-of-sale system never processes or
stores "clear text" card information, even in memory; it only sees
ciphertext that is useless to an attacker without a key that is never
present on the POS.

Adopt EMV Technology – According to the National Retail Federation's State
of Retail Payments 2016 study, 86 percent of merchants expected to
implement EMV by the end of 2016, more than a year after the October 2015
liability shift. While EMV adoption continues to rise, magnetic stripe
cards are still very common. This means that attackers can still steal
track data and write it onto blank magnetic stripe cards with inexpensive,
readily available encoders, then use the clones in stores. EMV chip
transactions do not produce reusable track data, so stolen transaction data
cannot be turned into a counterfeit chip card; note, however, that the card
number itself still passes through the terminal, so EMV reduces the value
of stolen data rather than preventing its theft. As we've seen in other
regions where EMV adoption rates are high, card-present fraud will continue
to drop as more merchants adopt EMV technology.

Embrace Tokenization – According to PricewaterhouseCoopers' Global State of
Information Security 2017, 38 percent of respondents use end-to-end
encryption to safeguard point-of-sale systems, while only 25 percent
leverage tokenization. However, tokenization provides an additional layer
of security that enables retailers to conduct routine payment operations,
such as processing sales or refunds, without storing credit card
information on their networks. Instead, customer card data is replaced with
a "token," usually an alphanumeric string that maps to the full card
information held in a third-party system. Since the token is simply a
randomly assigned identifier with no mathematical relationship to the card
number, attackers can't derive the actual card number from it, much less
use it for fraudulent transactions outside the merchant's relationship with
the token provider.
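The following is an added illustration, not code from the article or from any of the vendors it mentions, that ties together the "encrypt before the POS" and tokenization points above. It simulates three point-of-sale memory images (software encryption on the POS, hardware encryption in an external payment device, and a token from a vault) and scans each the way RAM-scraping POS malware does: a regex for 13 to 19 digit runs confirmed with the Luhn check. The card number is the standard 4111... Visa test PAN, the track data and "heap" filler are constructed, and the stream cipher is a toy SHA-256 counter keystream standing in for the payment device's real encryption; all names (TokenVault, scan_for_pans, pos_memory_*) are assumptions for this example.

```python
"""Constructed POS memory images scanned RAM-scraper style.

Only the software-encryption image should ever yield a PAN: the cleartext
swipe (and the key) sit in POS process memory before encryption happens.
"""
import hashlib
import re
import secrets
from typing import Dict, List, Optional

# Constructed test data: 4111... is a well-known test PAN, not a real card.
TEST_PAN = "4111111111111111"
TEST_TRACK2 = f";{TEST_PAN}=25121010000000000000?"  # PAN=expiry+service code
DEVICE_KEY = b"constructed-demo-key-not-real-000"   # lives only in the device
FILLER = b"\x00" * 16 + b"POSApp.exe heap " + b"\x00" * 16

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the filter scrapers use to drop non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 9 else d * 2 if d * 2 <= 9 else d * 2 - 9
        total += d
    return total % 10 == 0


def scan_for_pans(memory: bytes) -> List[str]:
    """What a RAM scraper does: decode loosely, find digit runs, keep Luhn-valid ones."""
    text = memory.decode("latin-1")
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def toy_stream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the payment device's encryption (toy keystream, not for production)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TokenVault:
    """Third-party token service: the only place the token -> PAN mapping exists."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # Random token; last four kept for receipts, separated so no digit run forms.
        token = f"tok_{secrets.token_urlsafe(18)}_{pan[-4:]}"
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault (for the merchant's sales/refunds) can map back to the PAN."""
        return self._store.get(token)


def pos_memory_software_encryption(swipe: bytes, key: bytes) -> bytes:
    """On-board reader + software encryption: cleartext and key both transit the POS."""
    ciphertext = toy_stream_encrypt(swipe, key)
    return FILLER + swipe + FILLER + key + FILLER + ciphertext + FILLER


def pos_memory_hardware_encryption(blob: bytes) -> bytes:
    """External device encrypts before the POS: the POS only ever holds the blob."""
    return FILLER + blob + FILLER


def pos_memory_tokenized(token: str) -> bytes:
    """Post-authorization storage: the POS keeps a token, never the PAN."""
    return FILLER + token.encode() + FILLER


def demo() -> Dict[str, List[str]]:
    swipe = TEST_TRACK2.encode()
    blob = toy_stream_encrypt(swipe, DEVICE_KEY)  # performed inside the device
    token = TokenVault().tokenize(TEST_PAN)
    return {
        "software_encryption": scan_for_pans(pos_memory_software_encryption(swipe, DEVICE_KEY)),
        "hardware_encryption": scan_for_pans(pos_memory_hardware_encryption(blob)),
        "tokenized": scan_for_pans(pos_memory_tokenized(token)),
    }


if __name__ == "__main__":
    for image, found in demo().items():
        print(f"{image:22s} PANs recoverable from POS memory: {found}")
```

The same scanner doubles as a defender's check: run it over a memory dump or disk image of a POS host and anything it returns is cleartext card data that should not have been there.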

With the regular emergence of new, widely available security threats,
merchants should never assume that their networks or environments are
secure. The above steps help retailers desensitize card data before it
enters their environment, so that a compromise of their systems does not
also become a breach of their customers' payment information. With this
layered security approach, merchants can continue "business as usual" with
a significantly reduced level of risk.