American high-end fashion retailer, Vera Bradley, revealed yesterday that it is investigating a payment card breach that may have affected cards used at the retailer’s stores between July 25, 2016 and Sept. 23, 2016. The company said law enforcement alerted them on Sept. 15, after which it enlisted help from a computer security firm. The findings show there was unauthorised access to the company’s payment processing system, in which a program was installed that looked for payment card data, including cardholder name, expiration date, card number and internal verification codes. George Rice, senior director, payments at HPE Security – Data Security commented below.
George Rice, Senior Director, Payments at HPE Security – Data Security:
“Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. Unfortunately, POS systems are often the weak link in the chain — they should be considered insecure even after implementing EMV. A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data. We support the adoption of EMV technologies in order to address this particular threat vector and incrementally harden the overall payments ecosystem. Unfortunately, EMV transaction security ends there. We all must recognise that EMV does not protect payments data in transit from the acceptance point to the card networks. The sensitive card-holder data contained on the card remains vulnerable to theft once it leaves the payment acceptance device.
Any businesses using POS systems can avoid the impact of these types of advanced attacks. Proven methods, such as Format-Preserving Encryption are available to neutralise data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.2 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.