Point of sale security: Retail data breaches at a glance

Your POS system is being targeted by hackers. This is a fact of 21st-century business, and it's especially apparent given the frequency and magnitude of data breaches that have occurred ever since the Target incident pulled cybercrime into the spotlight.

For example, Verizon's most recent data breach report indicated that there were 534 cyber incidents involving POS alone in the retail industry in 2015, and 525 of those POS breaches resulted in the unintended disclosure of sensitive information. Furthermore, 64 percent of all data disclosures stemmed from POS-centric attacks.

525 Data Breaches 

Compared to last year, it's clear that the state of POS security is bleak - and potentially getting bleaker. The number of retail data breaches has increased more than two-fold, with 33 percent of retailers telling Dimensional Research - and survey sponsor Tripwire - that they've experienced a cyber-security incident in 2015.

"Unfortunately, these results indicate that we can expect retail breach activity to continue in the future," said Tim Erlin, director of IT security and risk strategy at Tripwire.

Perhaps more perplexing is how easily and quickly cyber criminals circumvented POS security systems - that is, if retailers and merchants even had sufficient defenses to prevent a data breach in the first place. According to the Verizon report, 99 percent of the time, POS environments were hacked in only a few hours. Once inside, getting out was just a simple - in 98 percent of cases, hackers exfiltrated data in just a couple of days. That's not a good sign when 70 percent of retailers don't even discover those incidents for weeks.

"POS malware infections rose 60 percent in Q3 2015."
POS Data Breaches

Where to point to finger
In many of the retail industry's cyber incidents, hackers managed to install either malware or RAM scrapers. Specifically, First Post reported that in Q3 2015, POS environment malware infections rose 60 percent over Q2. This is unsurprising given the frequency of lackadaisical security efforts on employees' part - Verizon said that 12 percent of malicious links and attachments within phishing emails were opened last year.

Of course, retailers and merchants can't just blame their staffs for data breaches. Simply put, too many businesses are practicing less-than-stellar POS security.

They are failing to upgrade their integrated POS systems with better security capabilities - a major reason for data breaches, as indicated in a recent PCWorld article. The source reported that hackers are working quickly to infect POS environments and subsequently steal data "before new defenses are put in place."

Or, even worse, some smaller retailers are skimping out when they realize they must upgrade their POS system. Trend Micro reported that SMBs sometimes purchase black market POS devices with "skimmers" already installed, meaning that they are compromised before they even begin to secure their IT environments.

And that's not all. There are merchants - big and small - that are still using the default passwords that their systems shipped with, while others fail to separate and isolate their sensitive systems, such as payment processing solutions and POS terminals, from their more public-facing networks. Then factor in the likelihood of configuration mistakes, and it's no surprise that retailers and their POS systems are perfect targets.

"Merchants should be leveraging the tripod of POS security."

The Tripod of POS Security
The answer to POS security and the solution to retail data breaches is simpler than many believe: Merchants should be leveraging a tripod of POS security. That might sound like a big deal, but it really isn't. Retailers are already looking to deploy new POS systems in order to support EMV chip-based payment cards, and that represents the first leg of the POS security tripod.

So, while these businesses are in the process of upgrading, they have the opportunity to implement the second and third piece of the retail cybersecurity puzzle: end-to-end encryption and tokenization.

E2EE is a security practice that's key for all industries. But in retail specifically, this practice of encrypting data as soon as payment cards are swiped ensures that data is secure as it travels from POS terminals to payment processors. That mitigates the chance of skimmers stealing data. Additionally, E2EE can help retailers prevent man-in-the-middle attacks.

POS Data Encryption

Tokenization is the final leg of the POS security tripod. This practice obfuscates all payment card data whether it's at rest or in motion, replacing credit and debit card numbers with a meaningless series of letters and numbers - those are the tokens. That way, malware and RAM scrapers will have no valuable information to work with, yet retailers' payment processing systems will still be able to use and analyze the hidden card numbers.

Merchants have a great opportunity to implement the entire POS security tripod into their integrated environments at once, and missing this chance could result in experiencing a data breach. After all, hackers will attack the easiest target, and if a retailer lacks that triumvirate of data protection techniques, then its systems are the lowest hanging fruit.

Want to learn more?