The IT Security Professional | Barlowtek
The IT Security Pro: Helping Organizations Understand IT Security & Best Practices
Reducing PCI Liabilities

Securing Credit Card Transactions

Restaurant chains and many retail organizations continue to be the targets of attackers who are trying to exfiltrate customer data out of the organization's network. While there are many ways that an attacker can accomplish this, the one that seems to be the most effective has been to compromise the physical hardware or software that collects the customer information. While the process for compromising a POS system is fairly easy for some, there are a few things that need to be in place for this to be effective, and for the attackers to get away with it. This uptick in breaches and attacks is one of the reasons that we have seen updated security regulations coming out of the banking institutions for the Payment Card Industry (PCI) (www.pcisecuritystandards.org), with an upgrade of their requirements to 3.2.

Payment Security

PCI has established guidelines that all businesses that accept payment cards must follow with regard to establishing and maintaining the ability to process those payments. Making sure that the transaction is secure and that the consumer data is not compromised is the name of the game here. Fail in this area and your name will be in the papers for the entire world to see (or, these days, on the web). We have seen spectacular failures such as Target (www.target.com), Applebee's (www.applebees.com), and Forever21 (www.forever21.com). While some of these breaches can be traced directly to vulnerabilities in the hardware itself, others have been due to a compromise of the software that is used, or to a malware infection. It is of the utmost importance that an organization address these vulnerabilities, and doing so should be the focus of any solution provider. If these processes fail, it is the customer and the merchant that pay the price.

Security In-depth

When it comes to payment processing, security in-depth is needed. What do I mean by that for a POS system? I mean that the hardware and software work together to make sure the payments are transmitted to the banking institution in an encrypted format that protects the customer's data. Developing software that uses the hardware is similar to what Apple (www.apple.com) has done with their production of the iMac or MacBook. Creating proprietary software that supports the security controls already available on the hardware can go a long way toward securing the device against tampering (which is one of the ways an attacker will try to compromise a system). Hardware design also helps.

One Stop Vendor

A key way that a merchant can help reduce their risk and liability is by looking at various solutions that meet their needs. As a work-around, restaurant operators may opt to work with one company to meet all their needs. “When it comes to choosing a vendor, if we could get something through our POS provider we will do it because we know it will integrate well rather than having to find a loophole,” says Michael Jackson, director of logistics at Kerbey Lane Café (www.kerbeylanecafe.com) in Austin, Texas. Jackson uses NCR's (www.ncr.com) Aloha POS (www.alohancr.com) system, kitchen system, mobile POS, loyalty solution and more. This approach, however, can lead a restaurant to prioritize the benefits of a one-stop provider over hand-picking “best-of-breed” suppliers; that is, those with deep expertise in one area, such as loyalty or social commerce. (Mastroberte, 2014)

The business must weigh the costs and benefits of choosing a provider that they can rely on for all of their services against cobbling together bits and pieces from different providers. While some larger restaurant chains are able to develop their own solutions, others are relying on dedicated organizations that specialize in creating and developing an all-integrated solution (utilizing dedicated hardware and software).
Reducing Risk & Liability

Utilizing one solution provider for all of the services that a merchant might need (credit card processing and loyalty card payments) lowers the possibility that the solution components will not work well together. A solution provider who integrates both the software and the hardware (whether they produce them or not) has worked to develop software that works effectively with the hardware used in their solution, so that it functions in a manner that protects the data being transmitted. When a merchant uses a certified solution provider as their payment processor, the provider takes on the liability, with reduced merchant costs. With the market moving towards integrators and away from those that specialize in one or two components of the overall solution, the result will be a more secure POS system that has fewer vulnerabilities than in the past. (Don't get me wrong, if somebody wants to get into your devices, they will find a way in.) The new integrators are making that task more difficult. This is a step in the right direction in reducing the merchant's risk and liability while also providing more secure solutions to choose from.

Summary

The POS solution provider market continues to grow as more companies get into the game of providing solutions to their customers. The need for solution integrators is growing and will be pushed along by merchants and customers demanding that their data be more secure. While there continue to be various devices on the market that meet these needs, not many have the security in-depth that I mentioned above. Merchants can choose to go it alone and accept the full liability and risk, or they can choose an integrator that provides a whole solution. The latter is the way to help secure the customer's payment card data and reduce overall PCI liability.

References

Mastroberte, T. (2014, August 6). POS Integration Becoming a "Must-Have". Retrieved from hospitalitytech.com: https://hospitalitytech.com/pos-integration-becoming-must-have

Additional Links

Forever21: https://www.forever21.com/protecting_our_customers/default.aspx
Target: https://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/
Applebee's: https://www.scmagazine.com/applebees-hit-with-pos-breach/article/749139/
IT Security Pro

Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.