[BreachExchange] It’s Time for Everyone to Step Up: Securing the Data is Everyone’s Issue

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 7 19:53:18 EDT 2018


Recent high-profile consumer and payment information breaches have set
consumers on edge and delivered significant blows to several companies’
reputations. If data breach stats from 2017 are any indication, merchants
are still the biggest target at which hackers are aiming. There are
standards and rules in place to help mitigate these breaches, but for some
reason we still are allowing unsecure point of sale (POS) installations
into the webstore, mobile and instore market and not requiring best
practices from all stakeholders (merchants, software providers,
resellers/VARs and payments providers). It’s time we start holding everyone

This problem affects everyone. Let’s look at an industry example regarding
POS breaches: hospitality. Hotel chains and tourism outfits don’t have to
look far to find the source of most data breaches — they only have to
examine their own terminals or web sites. The most prominent breach type in
the hospitality field is at the point of sale. When the POS system is
attacked, malware is launched to acquire cardholder names, credit card
numbers, and expiration dates. It’s proved devastating to some brands and
reputation sinking, at best, for others.

The payments ecosystem is, of course, very complex no matter what industry
we look at and the technology behind how payments are being delivered is
advancing exceptionally quickly. Unfortunately, standards and systems
aren’t evolving fast enough to keep up. The payment processor is
responsible to banks and the card networks so that part of the chain is
highly regulated, of course, with PCI and PCI DSS standards and best
practices. But to get to that point of any transaction, you first need a
front-end interface at the point-of-sale. We need to hold everybody that
touches this point in the payment chain accountable, too.

Everyone has a role in making our ecosystem safer at the point of purchase
with some easy-to-implement best practices that go beyond merely staying
PCI compliant:

- Merchants need to upgrade to the newest versions of their POS software
every time they are offered. Sticking with the hospitality industry
example, many of today’s POS deployments in that market continue to sit on
Windows XP or even DOS-based systems. Legacy software makes everyone
vulnerable. Legacy solutions need to be put out to pasture. Regular
software upgrades should be standard best practice. Secondly, merchants
need to get picky and only work with vendors that meet the highest criteria
of security and implement “locked down” solutions for in-store networks.
Finally, and maybe most importantly, merchants need to get personally
identifiable information (PII) and cardholder data out of their everyday
environments by never touching or storing data.
- Software providers need to step up the security. The software providers
act as the virtual IT department for the merchant. While many good
providers are working hard to lock down their systems and fully encrypt PII
and card data, there are still many that don’t take the necessary
precautions and/or work with the right partners, leaving back-doors open
and the merchants holding the bag when a breach occurs. The only real way
to shore up the software’s security is for providers and their partners to
combine four things on every system, every time:
1. End-to-end encryption (E2EE). Using end-to-end encryption at the POS
ensures that cardholder data is fully protected from the moment it enters
the payment stream. PCI compliant companies should already employ some
level of E2EE, and more are coming online every day.
2. EMV Readers. When an EMV chip card is used at a card-present POS
terminal, the microchip generates a dynamic code that authenticates the
card, preventing it from being copied. Believe it or not, the U.S. was the
last market in the world to implement EMV technology at POS terminals.
3. Tokenization for stored data. Designed to be used in place of card
numbers by all of the merchant’s systems, tokenization replaces card
account information with “tokens” generated by a third-party service
provider and does not require merchants to store any card data. This allows
the card to be recharged without exposing the original card information.
There is no way for hackers to use them as there is no card number
associated with that piece of data.
4. Network tokenization. This level of security literally removes the card
data from inception of an online or mobile commerce transaction.
- Payment providers need to secure their own infrastructure and only allow
providers that have reached the highest levels of security – implementing
all the security measures listed above, for example – into their
environment. There is no room to settle for anything less as we move forward.
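As an added example (not from the article or any vendor it alludes to), here is the tokenization model of item 3 in miniature: a hypothetical token service provider holds the only vault of card numbers, the merchant's own records keep just the token and last four digits, and a defender-side check confirms that nothing resembling a full PAN sits in the merchant database. The class names, the `tok_` token format and the test-style card number are all constructed for this illustration.

```python
import re
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string (catches typos, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenServiceProvider:
    """Hypothetical third-party vault: the only place full PANs are stored."""
    def __init__(self):
        self._vault = {}  # token -> PAN, kept outside the merchant network

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        # Random token, not a hash: nothing about the PAN is derivable from it.
        token = "tok_" + secrets.token_hex(12)
        assert token not in self._vault  # 96-bit random: collision is negligible
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Simulated recharge: only the TSP resolves the token back to a PAN."""
        return token in self._vault and amount_cents > 0

class MerchantDB:
    """Merchant's everyday environment: holds tokens and last four only."""
    def __init__(self):
        self.customers = {}

    def store(self, customer_id: str, token: str, last4: str):
        self.customers[customer_id] = {"token": token, "last4": last4}

def merchant_db_exposes_pan(db: MerchantDB) -> bool:
    """Defender check: any Luhn-valid 13-19 digit run in the merchant's records?"""
    pan_re = re.compile(r"\b\d{13,19}\b")
    return any(luhn_valid(m) for v in db.customers.values()
               for m in pan_re.findall(str(v)))

def demo() -> bool:
    """Constructed walk-through on a test-style PAN (not a real card)."""
    tsp, db = TokenServiceProvider(), MerchantDB()
    db.store("cust-1", tsp.tokenize("4111111111111111"), "1111")
    return tsp.charge(db.customers["cust-1"]["token"], 1999) and not merchant_db_exposes_pan(db)
```

The point of the last check is the one the article makes: a copy of the merchant's table yields tokens that no one outside the vault can turn back into a card number.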

In conclusion, while the industry is making strides toward tighter payment
security, we all need to work better and more proactively together to
remove PII and cardholder data from the reach of criminals. We need to work
together to finish the last mile of EMV implementation, never send out
another device that doesn’t support end-to-end encryption and adopt the
tokenization protocols needed to make cardholder data breaches a thing of
the past.