Five trillion dollars in U.S. retail spending is very attractive to cybercriminals. The large volumes of financial data continuously processed by payment and retail vendors are highly valued and can provide criminals with easy payouts.
This is a big cause for concern: Trustwave's Global Security Report found that the retail industry was the most compromised sector for the fifth year in a row, and that the primary target is payment card data. Payment data is most commonly stolen through point-of-sale (POS) breaches, which made up 64% of all incidents, with attacks on magnetic-stripe data second at 33%.
While these numbers are high, many companies continue to ignore the importance of proactive protection. Breached businesses often say that a compromise never seemed like a cause for concern until it happened to them.
How Does A POS Breach Impact My Retail Outlet?
Several large brand retailers have experienced very public point-of-sale breaches, which have not only hurt their revenue but damaged customer trust, causing consumers to avoid some retailers. KPMG surveyed consumers and found that 19% of shoppers would stop going to stores they knew had been the victim of a cyberattack, even if the company took the necessary steps to remediate the issue, and 33% said they would stop shopping there for at least three months. While these percentages aren't outrageous, for a store trying to recover from a data breach and the loss of revenue that comes with it, the dip in sales can be detrimental.
What Can I Do About It?
To help retailers navigate the waters of cybersecurity, the major card brands created the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council. The card brands mandate it for merchants in an effort to establish basic best practices for protecting cardholder data and reducing credit card and POS fraud. Unfortunately, not all retailers are keeping customers safe through compliance with PCI DSS. In fact, 80% of organizations were not compliant at the time of assessment, leaving customers vulnerable and their own company at risk, according to Verizon's just released PCI compliance report.
Another effort to minimize risk for consumers is EMV, usually called chip-and-PIN (many U.S. deployments actually use chip-and-signature). Instead of the static data encoded on a magnetic stripe, which can be read once and replayed indefinitely, the chip uses a key that never leaves the card to produce a cryptogram that is unique to each transaction. Malware or a skimmer can still capture what passes through the terminal, but a captured cryptogram cannot be replayed and the captured data cannot be used to produce a working counterfeit card, which is what makes the theft far less profitable. EMV has been widely successful at cutting down counterfeit fraud on face-to-face transactions, although some fraud migrates to card-not-present channels, so it complements rather than replaces the PCI DSS controls. While chip-and-PIN has existed for a long time in Europe and Canada, the U.S. has been one of the slowest countries to adopt EMV. Luckily that is changing. Retailers are choosing more secure technologies such as EMV readers and adopting the basic security practices outlined by PCI DSS, and both they and their customers benefit from it.
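The following is an added illustration of the point above, not code from Trustwave and not the EMV specification: it models why a per-transaction cryptogram resists replay while static stripe data does not. A real EMV ARQC is a 3DES MAC under a session key derived from the card's master key and its Application Transaction Counter (ATC); HMAC-SHA256 stands in for it here, and the track data, card key and terminal values are constructed for the demo.

```python
"""Why a per-transaction cryptogram resists replay while static stripe data does not.

Added illustration, not Trustwave code and not the EMV specification: a real
EMV ARQC is a 3DES MAC under a session key derived from the card's master key
and its Application Transaction Counter (ATC); HMAC-SHA256 stands in for it.
"""
import hashlib
import hmac

# Constructed sample values; not real card data or keys.
TRACK2 = "4111111111111111=25121010000000000000"   # static magstripe track-2 data
CARD_KEY = b"demo-issuer-card-key"                 # hypothetical key shared by chip and issuer


def cryptogram(key, atc, amount_cents, unpredictable_number):
    """MAC over the transaction data plus the card's counter (stand-in for an ARQC)."""
    msg = f"{atc}|{amount_cents}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Chip:
    """The card: keeps its key on-chip and bumps the ATC on every transaction."""

    def __init__(self, key):
        self._key = key
        self.atc = 0

    def generate_arqc(self, amount_cents, unpredictable_number):
        self.atc += 1
        return self.atc, cryptogram(self._key, self.atc, amount_cents, unpredictable_number)


class Issuer:
    """The issuer host: recomputes the MAC and rejects stale or reused counters."""

    def __init__(self, key):
        self._key = key
        self.last_atc = 0

    def authorize(self, atc, amount_cents, unpredictable_number, arqc):
        expected = cryptogram(self._key, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, arqc):
            return False                       # data or cryptogram was altered
        if atc <= self.last_atc:
            return False                       # replay: this counter was already used
        self.last_atc = atc
        return True


def magstripe_authorize(track2, on_file_track2):
    """Stripe model: whoever can reproduce the static track data is accepted."""
    return track2 == on_file_track2


def demo():
    """Run a skimmed stripe and a sniffed chip transaction through both checks."""
    results = {}
    # A skimmer captured TRACK2 once; the clone is accepted every time.
    results["magstripe_replay"] = magstripe_authorize(TRACK2, TRACK2)

    chip, issuer = Chip(CARD_KEY), Issuer(CARD_KEY)
    amount, terminal_nonce = 4999, "7f3a91c2"   # constructed terminal values
    atc, arqc = chip.generate_arqc(amount, terminal_nonce)
    results["first_chip_txn"] = issuer.authorize(atc, amount, terminal_nonce, arqc)

    # Memory-scraping malware captured (atc, amount, nonce, arqc) from that transaction.
    results["chip_replay"] = issuer.authorize(atc, amount, terminal_nonce, arqc)
    results["chip_tampered_amount"] = issuer.authorize(atc, 99999, terminal_nonce, arqc)

    # The genuine card's next purchase still works because its ATC moved on.
    atc2, arqc2 = chip.generate_arqc(1250, "b07de4e1")
    results["next_chip_txn"] = issuer.authorize(atc2, 1250, "b07de4e1", arqc2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'authorized' if ok else 'declined'}")
```

The stripe check accepts the skimmed clone every time, while the issuer declines the replayed chip transaction (counter already used) and the tampered one (MAC mismatch) yet still authorizes the genuine card's next purchase. Note what the model does not claim: the PAN and other card data are still readable from the chip and still visible to POS malware, which is why PCI DSS controls remain necessary alongside EMV.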
Karl Sigler is Threat Intelligence Manager at Trustwave, where he is responsible for research and analysis of current vulnerabilities, malware and threat trends. Sigler and his team run the email advisory service, serve as liaison with the Microsoft MAPP program, and coordinate disclosures of discovered vulnerabilities. In addition, Sigler hosts the popular and informative weekly SpiderLabs Radio podcast. Most recently he was one of the security researchers instrumental in identifying the "Backoff" POS malware that affected more than 1,000 retailers worldwide. Before joining Trustwave in 2013, Sigler headed the IBM X-Force Education group for 12 years and has presented on topics such as intrusion analysis and penetration testing to audiences in over 30 countries. In 2003 he released Knoppix-STD, the first Linux live CD dedicated to pen testing and forensics and a predecessor of distributions like BackTrack, Kali and Pentoo.