Credit card breaches at retailers have become a regular and accepted occurrence over the past few years. Companies of all sizes that process credit card payments are vulnerable and organizations are looking for the best way to protect themselves, and their customers. Improved technology for point of service devices, along with common sense security measures, can greatly improve security and reduce opportunities for hackers.
Hacking and malware remained the leading cause of data breaches in the retail industry through the third quarter of 2016, accounting for 53% of data breaches, according to the latest Beazley Breach Insights report. Retailers need to process transactions, and hackers aren’t going away, making increased security an imperative for all retail businesses.
Let’s get to the point
The solution to persistent hacks against retailers can start with the devices customers use to complete credit card transactions. Point of sale systems come in several forms, and the most commonly used systems leave cardholder data vulnerable for a split second before encryption. This software-based approach, in which terminals rely on encryption software to protect payment card information, is generally called “end-to-end” encryption.
While end-to-end encryption still leaves data vulnerable, more secure technologies encrypt data so that payment card numbers are never accessible in plain text, unencrypted form. These “point-to-point” point of sale terminals encrypt data in hardware, removing the opportunity for hackers to capture card data. Once the card is swiped at the card reader, the encrypted card data is delivered directly to a third party payment processor’s environment; no card data is ever stored in plain text on the retailer’s system.
Point-to-point technology is preferable to software encryption, which still leaves points of vulnerability between systems. In addition, costs for a qualified security assessor, if needed, can be lower if a company employs a payment card industry (PCI) approved point-to-point encryption system.
Not just money is on the line
The costs of credit card breaches can increase exponentially over time. Target, one of the first national retailers to fall victim to a sizable credit card breach, at one point estimated their direct breach-related costs at $252 million. Expenses included digital forensics investigation, legal counsel, credit monitoring offerings, increased staffing for their customer call center, regulatory defense and ongoing litigation. However, this figure does not include any related loss of sales or diminished consumer reputation following the breach.
Investing in more secure technology
Upfront costs for employing point-to-point encryption technology often discourage retailers from installing new point of sale technology. The cost to switch to a point-to-point terminal can range from $200 to $500 per terminal. But these costs are minimal compared to the fallout from a potential card breach. For instance, the cost to upgrade card readers for a national retailer with 2,000 locations and 30 registers at each store, at $500 per terminal, would be $27 million. The total investment would be just about 10% of the cost of Target’s 2013 breach, not including additional costs and expenses related to the breach.
Managing retail risks
Updating terminals to point-to-point encryption helps keep important payment information from being exposed to criminals, but there are a number of additional actions retailers can also take to reduce their exposure to point of sale hacking.
Schedule regular monitoring to look for replacement cables or the attachment of additional equipment to point of sale terminals that may indicate skimming.
Be on the lookout for anything out of place, including missing labels or additional materials attached to the machines. Criminals have been known to hide cameras in false ceilings above PIN pads, in boxes used to hold leaflets and even in charity boxes next to PIN pads.
Take photographs of terminals and record the make, model and serial number of all point of sale equipment. Detail how each device is connected, including the number of leads, plug labels and cable colors.
Properly dispose of all equipment that is being replaced by erasing all data, clearing the memory and removing tags and other business identifiers.
Train staff and have a policy in place that allows staff to report inappropriate contact by criminals, including the ability to report to senior management anonymously.
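The inventory and monitoring steps above only pay off if each walk-through is compared against the record taken at installation. The following is an added example, not code from Beazley or from any point of sale vendor: it keeps the baseline the article recommends (make, model, serial, lead count, cable colors, labels, attachments) for each register and reports every deviation found on a later check. The schema, store and register names, and serial numbers are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)  # one register's device, as recorded in the inventory (hypothetical schema)
class Terminal:
    location: str
    register: str
    make: str
    model: str
    serial: str
    leads: int               # number of cables plugged into the device
    cable_colors: tuple      # colour of each cable, in connection order
    labels_present: bool     # asset and tamper labels still in place
    attachments: tuple = ()  # anything fitted on or beside the device (leaflet box, charity box)

def compare_terminal(baseline, observed):
    """Return findings for one register; an empty list means it matches the baseline."""
    if observed is None:
        return ["terminal missing"]
    findings = []
    if (observed.make, observed.model, observed.serial) != (baseline.make, baseline.model, baseline.serial):
        findings.append(f"device replaced: {baseline.serial} -> {observed.serial}")
    if observed.leads != baseline.leads:
        findings.append(f"lead count changed {baseline.leads} -> {observed.leads}")
    elif observed.cable_colors != baseline.cable_colors:
        findings.append("cable colours differ (possible replacement cable)")
    if baseline.labels_present and not observed.labels_present:
        findings.append("labels missing")
    extra = sorted(set(observed.attachments) - set(baseline.attachments))
    if extra:
        findings.append("unexpected attachments: " + ", ".join(extra))
    return findings

def audit(baseline, observed):
    """Map (location, register) -> findings for every register that differs from the baseline."""
    base = {(t.location, t.register): t for t in baseline}
    seen = {(t.location, t.register): t for t in observed}
    report = {k: f for k, b in base.items() if (f := compare_terminal(b, seen.get(k)))}
    for key in seen.keys() - base.keys():
        report[key] = ["terminal not in baseline"]  # unknown device on the counter
    return report

# Constructed sample data: the baseline taken at installation and one later walk-through.
BASELINE = [
    Terminal("store-0001", "reg-01", "AcmePay", "P2PE-100", "SN-AAA111", 2, ("black", "grey"), True),
    Terminal("store-0001", "reg-02", "AcmePay", "P2PE-100", "SN-AAA222", 2, ("black", "grey"), True),
]
OBSERVED = [
    Terminal("store-0001", "reg-01", "AcmePay", "P2PE-100", "SN-AAA111", 2, ("black", "grey"), True,
             attachments=("leaflet box",)),
    Terminal("store-0001", "reg-02", "AcmePay", "P2PE-100", "SN-BBB999", 3, ("black", "grey", "white"), False),
]
```

Running `audit(BASELINE, OBSERVED)` flags the leaflet box beside register 1 and, on register 2, a swapped device, an extra lead and missing labels; a register absent from the walk-through or present without a baseline entry is reported as well.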