TJ Maxx. Home Depot. Albertson’s.
None of these credit card fraud targets deserved it, of course. But Goodwill? Goodwill?!
Unfortunately, yes. Goodwill is the latest household name retailer suffering a major credit card data breach.
The grim stats in the Goodwill case read like this: 330 stores hacked, 868,000 cards compromised. And it could have been worse. Just 10% of Goodwill franchises ran the point-of-sale (POS) software the malware exploited to capture the card numbers. (Forbes)
Target wasn’t as “lucky” in December of 2013.
Hackers stole the data for over 40,000,000 credit cards. Target’s own SEC filing report declared data breach costs of $111M in Q2 2014 alone. A Forrester Research vice president told the New York Times that Target’s total costs would continue to rise. “I don’t see how they’re getting out of this for under a billion, over time.”
Credit card fraud: Not just an enterprise issue
The numbers in the Goodwill and Target thefts are huge. The sheer scope of the breaches adds a level of incomprehensibility. It’s difficult for the average person or even small business leaders to relate.
But security breaches affect small businesses too—often calamitously.
“Victims are mostly small or mid-sized companies,” wrote Politico cyber-security reporter Joseph Marks. It only seems like a problem limited to the big guys because SMBs produce “breaches that only prompt local media attention if any at all.”
The fallout of a credit card breach can be severe. Over 60 percent of SMBs will close their doors within 6 months of a breach. (US News)
Cyber-security company Symantec put the average cost of a confidential records breach in the US at $5.4M. To put it in perspective, there are well over 25 million US companies whose annual revenue is less than $5.4M according to census data.
But the average costs of $5.4M are the product of multiple fraud-related line items. When fraud strikes, litigation, notification charges, fines, fees, and lost business each add up.
A look at the tactics of credit card hackers
Hackers have the same goal whether they attack small or large retailers. They’re after the credit card data in point-of-sale and other payment applications. The techniques to get at the records are the same too.
The Goodwill theft demonstrates how tactics used against big-box retailers carry over to smaller companies.
In the case of Goodwill, the data thieves accessed the network via a 3rd party POS managed services provider. That same 3rd party provider has over 500 other clients. At least 2 of those clients have already confirmed theft of their credit card data via the same exploit. (ArsTechnica)
There are many different types of attack methods when it comes to credit card data. But in the Goodwill and the Target cases alike, hackers targeted vulnerable POS systems with a technique called RAM scraping. RAM scraping has the cold logic of evil genius. It checks both boxes: it’s insidious and effective.
Here’s a description of how RAM scraping works from a recent Wired article:
Once on a targeted system, RAM scrapers work by examining the list of processes that are running on the system and inspecting the memory for data that matches the structure of credit card data, such as the account number, expiration date, and other information stored on a card’s magnetic stripe. The scrapers usually encrypt and store the stolen data somewhere on the victim’s network until the attackers can retrieve it remotely. Or they can program their scraper to send the encrypted data automatically over the internet at regular intervals, passing it through various proxy servers before it reaches its final destination.
But the scary part is that RAM scraping doesn’t require a genius to execute it. It’s a technique accessible to pretty much anyone. Would-be hackers can buy black-market RAM scraping code kits on the dark web. (KrebsOnSecurity.com) All that’s needed is access to a payment application and the presence of unencrypted card data. Given the current state of credit card and POS security, that means there are many targets available.
A need for change
The credit card industry news source, The Nilson Report, estimated global direct fraud costs at $11.27B in 2012. A LexisNexis study, calculating both direct and indirect costs, estimated the “true cost” of retail fraud to US merchants alone at over $100B a year.
The rampant fraud is driving many to question the basics of the current credit payment model. Doug Kantor, Counsel for the Merchants Payment Coalition, put it bluntly: “Our payment system is broken and does not have real security in place.” (AmericanBanker.com)
The banks, as well, are pushing for changes to security standards including EMV (chip) cards, P2PE encryption, and tokenization.
Meanwhile mobile hardware manufacturers and software developers are joining in. Mobile wallets using near field communication (NFC) technology present another approach for improving security.
While each of the innovations promises better fraud protection, they’ll be coming at a cost to retailers. Developments in technology standards will require updates to merchant systems to accommodate the changes.
Perhaps the most radical challenge to the standard credit card technology paradigm is the idea of mobile wallets.
The basic format of the credit card itself hasn’t changed in several decades. A credit card is still just a piece of plastic carrying several items of encoded account information in a magnetic stripe. It’s a medium criminals have become adept at exploiting.
But plastic magnetic stripe cards still have two main benefits. They’re portable and inexpensive.
That means that the current cards are easy to support at scale. And the accommodating merchant terminal systems are already in place. That infrastructure is expensive to replace.
Essentially, up until now, magnetic stripe cards have represented a technology at rest, tending to stay at rest.
But Apple and Google are betting mobile wallets will be the force great enough to put a technological change into motion.
The idea of using smartphones to communicate credit card data to merchant payment processing systems is not new. But it has been waiting for smartphone market penetration to reach a critical mass large enough to support it.
Mobile wallet applications are now able to take advantage of NFC technology in smartphones. NFC (near field communication) is a radio frequency protocol specially adapted to transfer small amounts of data between devices within close range of each other. NFC-equipped Android devices have been available since 2011. The release of the iPhone 6 brings NFC-based hardware to the iOS world.
Mobile wallets use the native computing power of smartphones to improve security. Google Wallet requires entry of a PIN to authorize a transaction. Apple Pay raises the standard by scanning thumbprints.
There’s a chicken and an egg challenge inhibiting widespread adoption of mobile wallets, though.
As of 2013, there were only about 100,000 NFC-equipped retail outlets in the US according to the Guardian. Will merchants invest in new contactless, NFC payment terminals for their point-of-sale systems while only a fraction of consumers use mobile wallets? Will consumers bother to use mobile wallets if many retailers don’t support them?
The tech and business communities continue to debate this very issue. Entrepreneur recently ran an article titled: “4 Ways Adopting Apple Pay Can Benefit Small Business.” Meanwhile, AppleInsider complained, “Popular retailers may slow adoption by refusing to offer support due to a conservative stance on next-gen commerce or conflict with their own ambitions in the sector.”
EMV chip cards
Mobile wallets aren’t the only threat to magnetic stripe credit cards. Another threat looms closer.
Microchip-enabled EMV card technology has been around for over 20 years. In fact, chip cards are already standard in many parts of the world (attention travelers!).
“We are the last G-20 country to go to EMV,” lamented a US bank director in a recent Forbes article.
EMV cards embed an electronic chip to encrypt account data that would normally reside in the magnetic stripe. The cards are named for the sponsoring corporations that created them: EuroPay, Mastercard, and Visa.
At this point, chip cards only account for 1 to 5% of the cards in use in the US. (USA Today)
But the banks are aiming to change that.
Visa and Mastercard have announced retailers must make the switch to EMV by October 15th, 2015 or face consequences.
Merchants who have not made the investment in chip-enabled technology may be held financially liable for card-present fraud that could have been prevented with the use of a chip-enabled POS system.
Merchants who remain undeterred by the increased liability risk will encounter another reason to update their POS hardware for chip cards, as well. The number of consumers carrying chip cards is set to swell. The Aite Group, a banking industry analyst firm, predicted that 70% of credit and debit cards in the US will contain a computer chip that conforms to the EMV protocol by December 2015. (Credit Union Times)
Visa is actively encouraging merchants to begin updating terminals immediately:
As Visa promotes the U.S. migration to chip cards, we encourage merchants to start thinking about the terminal upgrades they may need to support emerging payment technologies. By updating your POS system to dual-interface terminals, which accept both contact chip cards and contactless chip devices, you can start building an infrastructure that’s ready for the future and the arrival of mobile payment technologies.
MasterCard has released an advisory document covering their “Seven Guiding Principles for EMV Readiness.” The document summarizes the range of updates that may need to be made.
The EMV deployment process will vary by type of customer. Many merchant customers will simply require a new “standalone” terminal with EMV functionality supported. Other larger or niche retailers will have unique payment processing needs that require integrating the EMV kernel and payment network logic into their highly customized point-of-sale (POS) and point of interaction (POI) systems.
EMV technology improves fraud protection by making it difficult to create unauthorized card duplicates.
But EMV cards can’t protect sensitive data once it is passed into a merchant’s network.
A report from RSA, the security division of data storage giant EMC, noted:
EMV will not result in an elimination of counterfeit fraud, nor will EMV spell an end to database breaches; it will merely force fraudsters to adjust their tactics and targets. The data from Canada’s EMV migration paints this picture clearly; counterfeit and lost/stolen fraud enjoyed a 54% decline from the inception of the migration in 2008 through 2013, while CNP (card-not-present) saw a corresponding increase, jumping a whopping 133% over the same time period.
Encryption is another fundamental weapon in the fight against credit card fraud. In fact, payment applications already use an alphabet soup of symmetric and asymmetric encryption protocols to secure credit card data.
But in many implementations data must pass through the network before it is encrypted. This leaves it accessible to the RAM scraping technique that compromised Target and Goodwill’s data.
P2PE (point-to-point encryption) is different. True point-of-sale P2PE encrypts credit card data from the moment it enters the merchant’s network. Gary Glover on the Security Metrics blog described the advantage of P2PE this way:
Because card data is immediately encrypted as the card is swiped (or dipped), it prevents non-encrypted information from residing on the payment environment, even for one millisecond. Even if a hacker installed memory scraping software on the POS register, it would only pick up useless strings of encrypted card numbers with no way to decode them.
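The two passages above, the Wired description of RAM scraping and the P2PE advantage Glover describes, can be shown side by side with a small added example (this code is written for this article and is not from any of the vendors or sources quoted). It models a legacy register whose memory holds plaintext track-2 records, and a P2PE register whose reader encrypts each swipe before the register sees it. The cardholder-data discovery check run over both buffers (a 13-19 digit run that passes the Luhn check) is the same test a PCI scan uses to find stored PANs on disk, in logs or in memory captures. The card numbers are the standard Luhn-valid test numbers, the track records are constructed, and the HMAC-SHA256 counter-mode cipher is a stand-in for the AES/DUKPT scheme a real P2PE terminal uses.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample data: standard Luhn-valid test numbers, not real accounts.
TEST_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]

# 13-19 digit run not adjacent to other digits; what a cardholder-data scan looks for.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(buffer: bytes) -> list:
    """Cardholder-data discovery: Luhn-valid 13-19 digit runs in a byte buffer."""
    return [m.group(1).decode() for m in PAN_RE.finditer(buffer)
            if luhn_valid(m.group(1).decode())]


def track2(pan: str, expiry: str = "2512", service_code: str = "101") -> bytes:
    """Constructed track-2 style record: ;PAN=YYMMservice-code+discretionary?"""
    return f";{pan}={expiry}{service_code}12345?".encode()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 in counter mode) for the AES/DUKPT a P2PE
    reader uses; it only shows the effect of encrypting at the point of swipe."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def legacy_pos_buffer(pans) -> bytes:
    """Legacy register: plaintext track data sits in RAM until the payment app encrypts it."""
    return b"POS-APP-1.0 " + b" ".join(track2(p) for p in pans) + b" END"


def p2pe_pos_buffer(pans, reader_key: bytes) -> bytes:
    """P2PE register: each swipe is encrypted in the reader, so RAM only ever holds ciphertext."""
    records = []
    for p in pans:
        nonce = secrets.token_bytes(12)
        records.append(nonce + keystream_xor(reader_key, nonce, track2(p)))
    return b"POS-APP-1.0 " + b" ".join(records) + b" END"


def demo():
    """Run the discovery check over both registers; returns (legacy_hits, p2pe_hits)."""
    reader_key = secrets.token_bytes(32)   # in practice injected into the reader's secure hardware
    return find_pans(legacy_pos_buffer(TEST_PANS)), find_pans(p2pe_pos_buffer(TEST_PANS, reader_key))


if __name__ == "__main__":
    legacy_hits, p2pe_hits = demo()
    print("legacy register exposes:", legacy_hits)   # all three test PANs
    print("P2PE register exposes:  ", p2pe_hits)     # nothing
```

The same `find_pans` check, pointed at application logs, database exports or a memory capture taken during an incident, is how a defender verifies that no component in the payment environment holds clear-text PANs; a P2PE deployment should return nothing anywhere between the reader and the processor.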
But even encryption has weaknesses. Cryptography and data security expert Bruce Schneier blogged back in 2010:
Encryption keys must exist as long as the encrypted data exists. And storing those keys becomes as important as storing the unencrypted data was. In a way, encryption doesn’t reduce the number of secrets that must be stored securely; it just makes them much smaller.
Tokenization provides another approach. It can be implemented in concert with P2PE to further secure customer payment data. Combining tokenization and encryption compounds the complexity of a potential hack.
Encryption works by turning data into a scrambled string of information. But the scrambling is reversible, of course, if you have the right key. Tokenization, on the other hand, substitutes the sensitive data with a token. The confidential data itself can then be stored in a well-protected database and only accessed by someone possessing the token.
A company called Shift4 first introduced the concept of tokenization in the form of a commercial product designed to secure payment information back in 2005. Here’s how they described it:
The concept is simple: collect and store sensitive CHD [card holder data] in a centrally secure and PCI-compliant repository, assign a token to reference this CHD, and replace the CHD in all various point-of-entry and point-of-sale payment applications with this token.
But like encryption, tokenization’s effectiveness depends on when and where it occurs.
One of the radical security changes introduced with Apple Pay is that it tokenizes data before it even hits the merchant network. In fact, credit card data isn’t even permanently stored in the smartphone itself.
When you add a credit or debit card with Apple Pay, the actual card numbers are not stored on the device nor on Apple servers. Instead, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element on your iPhone or Apple Watch. Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction. (Apple)
But for now, Apple Pay is still in its infancy. The vast majority of transactional data doesn’t enter into the merchant network as a token.
Merchants do have a couple of options for tokenizing data once it is passed to them.
An in-house tokenization system can be set up to store sensitive card data such as PANs (primary account numbers) on protected database servers. This centralizes the sensitive data. Employee-facing applications like POS, CRM, and accounts receivable will then only hold the token data rather than the actual data.
The drawback of an in-house tokenization approach? It does not tokenize data transmitted over the Internet to payment processing gateways. For protecting public network traffic, encryption will still be necessary.
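The encryption-versus-tokenization distinction and the in-house vault just described, as an added example (written for this article, not code from Shift4 or any processor named here): a vault that is the only component holding real PANs, hands random tokens to the POS, CRM and receivables systems, and is the only place a token can be turned back into a card number. The token is not derived from the PAN by any key, so there is nothing to “decrypt”; recovering the PAN requires access to the vault itself. The `authorize` step shows the drawback noted above: when the sale goes to the gateway, the vault must detokenize, and that PAN still needs transport encryption on the way out. The class, function and field names are this example’s own.

```python
import secrets


class TokenVault:
    """In-house tokenization vault (illustrative). The vault alone stores real PANs;
    every downstream system stores the token it hands back."""

    TOKEN_BYTES = 12  # 96 bits of randomness per token

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    @staticmethod
    def _normalize(pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a primary account number")
        return pan

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight.
        The last four digits are preserved so receipts and customer service can
        still reference the card; the rest is random, not a function of the PAN."""
        pan = self._normalize(pan)
        if pan in self._pan_to_token:          # one stable token per card
            return self._pan_to_token[pan]
        while True:
            token = f"tok_{secrets.token_hex(self.TOKEN_BYTES)}_{pan[-4:]}"
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; unknown tokens yield nothing usable."""
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the POS / CRM / receivables systems keep: the token, never the PAN."""
    return {"card": vault.tokenize(pan), "amount_cents": amount_cents}


def authorize(vault: TokenVault, sale: dict) -> dict:
    """Build the gateway request. In-house tokenization stops here: the PAN
    reappears for the processor, so this message must travel over an encrypted
    channel (TLS) to the gateway."""
    return {"pan": vault.detokenize(sale["card"]), "amount_cents": sale["amount_cents"]}


def pan_appears(records, pan: str) -> bool:
    """Check used below: does a raw PAN show up anywhere in the stored records?"""
    return any(pan in str(r) for r in records)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: Luhn-valid test number, not a real account.
    ledger = [record_sale(vault, "4111 1111 1111 1111", 1999),
              record_sale(vault, "4111111111111111", 2500)]
    print(ledger)                                  # tokens only, both share one token
    print(pan_appears(ledger, "4111111111111111"))  # False
    print(authorize(vault, ledger[0]))              # PAN re-emerges only for the gateway
```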
A second option for merchants is to use a payment processor for tokenization services. Payment processors have an interest in helping merchants avoid credit card fraud. Providing tokenization is a service differentiator that many payment gateways are adding to their offerings.
It’s also a customer retention strategy. Tokenization provided by the payment processing service binds merchants more tightly to their provider, since retailers will need to implement hardware or software to use the services.
Payment processor provided tokenization removes the need for merchants to permanently store credit card data in-house. The token is all that needs to remain over time. Processors like Authorize.net position this as a value for retailers looking to “simplify” the achievement of PCI DSS compliance obligations.
How to secure the point-of-sale
The immediate, practical question for merchants is what to do in light of escalating fraud and changing technology.
It’s a question that The Payment Card Industry Security Standards Council has been advising on since 2006. The PCI SSC is the primary trade organization developing standards for the security of consumer credit card payment data. The council was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa.
Banks, payment processors, retail consultants, merchant trade organizations, and even the Better Business Bureau have called for merchants to observe PCI standards. Compliance with PCI standards is generally considered to be a minimum threshold for POS security.
In fact some data security specialists argue that it doesn’t go far enough to require tokenization and P2PE.
But to get started, the experts agree that every retailer should at least ensure they are PCI compliant.
Businesses looking to verify PCI compliance should take two concrete steps to get the ball rolling.
Step 1: Check the PCI website to see if the POS software in use has passed the PCI’s application security validation.
Step 2: Determine if internal processes meet PCI Data Security Standards:
A high-level overview of PCI standards
- Build and maintain a secure network
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program
  - Use and regularly update anti-virus software or programs
  - Develop and maintain secure systems and applications
- Implement strong access control measures
  - Restrict access to cardholder data by business need to know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an information security policy
  - Maintain a policy that addresses information security for all personnel

Key takeaways
- Credit card breaches pose a significant threat to both household name retailers and small businesses
- The amount of retail fraud continues to rise
- New innovations such as EMV cards, mobile wallets, tokenization, and point-to-point encryption promise better protection
- Changing standards and new technology will require retailers to upgrade hardware and software at the POS
- PCI compliance is the recommended minimum threshold for retail fraud protection
For more information on point-of-sale systems, or to get recommendations on the best PCI compliant offerings for your needs, check out our POS software guide.