Monday, 24 August 2015

EMV = Safer POS + More eCommerce Attacks



EMV POS & eCommerce:

The path of least resistance leads to the garbage heap of despair.

Recent adoption of Chip and PIN technology by the US market will result in increased attempts to steal credit card data from eCommerce sites.

POS systems have seen some of the highest profile breaches, with large numbers of records stolen. Familiar names in retail including Target, Michaels and Home Depot have all made the list. Almost all large POS breaches have been at US based stores. There is a reason why we don't hear about similar large exploits at European or Canadian retailers: they use Europay, Mastercard and Visa (EMV) http://www.emvco.com/ , also known as Chip and PIN technology, in their POS card readers. If you see a metal square embedded in your payment card, it has an EMV chip.
It protects credit card data using end to end or point to point encryption, encrypting credit card data from the reader to the payment processor. Hackers cannot read the information, therefore it is far less valuable and not worth the effort of stealing.
Considering it too costly, US retailers, unlike their Canadian and European counterparts, did not implement EMV technology. That is, until recently: the banks in the US have decided to have retailers implement EMV in 2015.

Specific target deployment dates are set out by the Payments Network (banks, credit unions, credit card issuers, payment processors). For the US this is October 2015. The US was lagging behind the rest of the world as of January 2014; in January 2015 it is estimated that 32% of US companies had implemented Chip and PIN readers.


In addition to broad geographic adoption, each of the card issuers has target dates for its partner members in the Payment Network. Their respective road map (see the link below) shows that full implementation is expected soon. http://www.smartcardalliance.org/


Certainly, this will reduce the number of POS breaches, which is great. This is evident from the Canadian implementation by Interac, with a 66% decrease in skimming fraud in one year after implementing the technology in 2008. http://www.paymentsleader.com/emv-america-what-took-you-so-long/


Cause and Effect:

The adoption of EMV in POS systems will stem the tide of credit card data flowing out of retail bricks and mortar networks. There is plenty of evidence to support that. Regardless, in the Trustwave 2015 Global Security Report 40% of hacking targets were POS systems, while 42% were eCommerce sites.

Every year more purchases are made online. It stands to reason that hackers will seek out the path of least resistance, redoubling their efforts and going further down market.
While we can expect POS theft to go down, it is predicted that the breaches, cards stolen and dollar values will all increase, both proportionally and in absolute terms, for eCommerce.

To some extent retailers know what to do; it is a matter of having relationships with the right business vendors and getting sound risk based advice. Most important, even if you are not as secure as desired, is having a plan in place to close the gaps.

To reduce risk to online systems:
1. Meet PCI DSS compliance requirements by seeking advice from someone who knows the standard and your industry
Specific steps:
1. Perform vulnerability assessments on web sites and systems
2. Apply security patches wherever possible
3. Practice secure coding, and insist that your SI (system integrator) does too
4. Implement a web application firewall
What to look for:
1. Implement DDoS mitigation technology; DDoS attacks are a means to distract while credit card data is stolen
2. If you have experienced DDoS attacks, investigate your outbound (exfiltration) data using DLP tooling
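The last two points describe one detection idea: a request flood may be cover for data leaving the network. As an added example (not code from the original post), the script below correlates constructed per-minute request counts from a web front end with constructed per-minute outbound byte counts from an egress proxy or DLP sensor, and flags minutes where outbound volume is anomalous during or just after a flood. The thresholds, the quiet-baseline assumption and the sample data are all assumptions.

```python
"""Correlate a request flood with unusual outbound transfers.

Sample data below is constructed for illustration, not taken from the post.
A real deployment would feed per-minute aggregates from access logs and
egress/DLP logs into suspicious_egress().
"""
from statistics import mean

# Constructed per-minute request counts seen by the web front end.
REQUESTS = [120, 130, 125, 118, 140, 3900, 4200, 4100, 3800, 135, 128]
# Constructed per-minute outbound bytes to external hosts (egress proxy/DLP).
EGRESS_BYTES = [2_000_000, 2_100_000, 1_900_000, 2_050_000, 2_000_000,
                2_100_000, 48_000_000, 51_000_000, 2_000_000, 1_950_000,
                2_000_000]


def spike_minutes(series, baseline_minutes=5, factor=10.0):
    """Return minute indices whose value exceeds factor * baseline mean.

    Assumption: the first `baseline_minutes` samples are normal traffic.
    """
    base = mean(series[:baseline_minutes])
    return [i for i, v in enumerate(series) if v > factor * base]


def suspicious_egress(requests, egress, flood_factor=10.0,
                      egress_factor=5.0, slack=1):
    """Minutes where outbound volume spikes during, or within `slack`
    minutes of, a request flood. Returns (minute, requests, bytes) tuples.
    Only the overlap is flagged: a flood alone or an egress spike alone
    is reported elsewhere; the coincidence is what this post warns about.
    """
    flood = set(spike_minutes(requests, factor=flood_factor))
    near_flood = {m + d for m in flood for d in range(-slack, slack + 1)}
    return [(i, requests[i], egress[i])
            for i in spike_minutes(egress, factor=egress_factor)
            if i in near_flood]


if __name__ == "__main__":
    for minute, reqs, nbytes in suspicious_egress(REQUESTS, EGRESS_BYTES):
        print(f"minute {minute}: {reqs} requests, {nbytes} bytes out "
              f"during flood - check DLP records for card data")
```

Run over real aggregates, the flagged minutes are the ones whose DLP records and outbound destinations deserve a closer look first.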