The National Retail Federation and security analysts are urging merchants and consumers to remain vigilant during the peak shopping season, noting that high-volume sales may provide additional opportunities for cybercriminals to attack vulnerable POS infrastructures. Among the chief concerns is the notion that retailers that have upgraded to Europay, MasterCard and Visa (EMV) payment systems have solved the security issue. EMV is a good start but far from a silver bullet, some analysts have noted.
“EMV technology ensures that the physical card being presented for payment isn’t a fraudulent card, so EMV in and of itself is not a security technology,” said Steve Robb, Senior Vice President for ControlScan Inc., a provider of managed security and compliance services. “True POS security involves people, processes and technologies that protect data while it’s at rest and in transit. For example, properly configured firewalls need to be in place and actively monitored.”
E-commerce threat landscape
For the first time in U.S. history, total digital commerce surpassed $3 billion on Cyber Monday in 2015, a 21 percent increase over the previous year. Amazon Inc., Wal-Mart Stores Inc., eBay Inc., Target Corp. and Best Buy Inc. were the top five e-commerce websites, according to comScore, a data analytics company.
“Despite some talk of Cyber Monday declining in importance, the day’s historical highs and continued strong growth rates confirm it is a hugely important shopping event,” said Gian Fulgoni, comScore Chairman Emeritus.
Increasing e-commerce traffic coupled with heightened in-store security and ongoing EMV adoption will push cybercriminals to online retail sites, data security analysts have said. HyTrust, a cloud control and security company, has seen a marked increase in cyberattacks, from nation-sponsored espionage to cybercriminals stealing data from major retailers.
“Being compliant with industry regulations does not mean you’re secure,” said Eric Chiu, HyTrust co-founder and President. “No company is immune to attack and security must be a top priority rather than an afterthought or insurance plan.”
Merchant, consumer security best practices
Following are Chiu’s recommended strategies for merchants and consumers throughout and beyond the holiday shopping season:
- Comprehensive security planning for merchants: Build a comprehensive security strategy that assumes cyberattackers are already on your network. The strategy should start with the data itself and utilize strong encryption and key management. Organizations leveraging public cloud computing should choose an encryption solution that allows them to hold their own encryption keys, so they are always in control of customer data.
- Access controls, role-based monitoring for merchants: “Insider threats are the primary cause of breaches today,” Chiu said. “Implementing strong access controls and role-based monitoring will provide employees with access to pertinent information and systems needed in order to perform their specific job duties, while restricting access from cybercriminals and disgruntled employees.”
- Active account monitoring for consumers: Fraudulent charges can sometimes take weeks, months or even years to detect. Chiu recommended ongoing vigilance in reviewing payment card accounts. “It’s best to get in the habit of keeping track of where you shop and maintaining good online hygiene,” he said. Thieves will frequently make very small charges to test a payment card account before ringing up large, fraudulent transactions. He urged consumers to alert their credit card companies immediately of any suspicious charges, no matter how small.
- Strong passwords for merchants, consumers: Chiu recommends using strong passwords for online accounts, preferably with unusual combinations of numbers, letters and characters. Avoid using the same password across multiple accounts. He recommended using a password manager to help keep track of numerous passwords.
- Limit stored passwords for consumers: “When creating a profile with online businesses, don’t allow them to store your credit card number,” Chiu said. “It’s one less item to worry about in the event the retailer experiences a breach, or if an attacker gains access to your account.”
Chiu urged companies to make data security a strategic priority, noting that good planning and employee training can go a long way. “Not only are CEOs losing their jobs over breaches, but the costs are staggering, including legal costs, remediation, credit monitoring, notification, brand damage and downtime resulting from a breach,” he said.
Vann Abernethy, a Security Specialist at NSFocus, a global network security provider with U.S. offices in Santa Clara, Calif., recommends installing a firewall and routinely screening all third-party suppliers to spot any coding or errors that might lead to compromise. “Retailers should enforce strong authentication for any administrators who access these systems, and limit that access to the bare minimum,” he said, further noting that both insider threats and potential breaches can be caused by “trusted” users accessing critical systems while under compromise themselves. “Have a strategy to deal with DDoS attacks, as these may be smokescreens for data exfiltration, or other fraudulent activity.”