Point of sale credit card data breaches are again in the headlines. The Hard Rock Hotel & Casino this weekend finally admitted to a previous data breach and a new Sally Beauty retail breach, the second this year, was reported by Brian Krebs. Experts from Tripwire and HP Security Voltage commented on these Latest Retail Data Breaches.
Ken Westin, senior security analyst, Tripwire (www.tripwire.com):
The fact we continue to see retail breaches even after some of the mega breaches over the past year indicates two things. First, attackers are adapting their methods and the sophistication of their tools. Second, many retailers have yet to invest in detection and haven’t yet adapted their defenses to detect these very real threats.
The retail industry as a whole needs to move to point-to-point encryption (P2PE), which can come at a heavy cost because it often requires an overhaul of existing payment systems so this is not something that will happen quickly.
Point-of-sale malware continues to evolve and most families of retail malware can evade basic security controls. The initial points of intrusion remain fairly constant; either attackers leverage exploits against known vulnerabilities or successful spear phishing campaigns. Both the intrusion and the malware components can be better detected by taking a layered security approach, monitoring endpoints and the network itself closely for anomalies and indicators of compromise specific to retail breaches. These include configuration changes, unauthorized processes, credit card data appearing on the file systems, RAM or anywhere outside the PCI environment.
George Rice, senior director of payments, HP Security Voltage (www.voltage.com):
Sally Beauty experienced two breaches within a short period of time. It is entirely possible that Sally Beauty never fully eradicated the malware on their POS from the first time. Point-to-point encryption would have entirely mitigated the risk of malware existing their payment environments. Using Format-Preserving Encryption allows retailers to adopt P2PE technologies without changes to upstream systems, which make P2PE implementation much simpler than in the past. Because of the looming EMV mandate, many retailers have already upgraded their devices to one that support format-preserving P2PE.
<In the Hard Rock and other hotel situations> “The consumer is somewhat powerless here and must rely on the hotel’s data security to prevent their card information from being stolen. Most hotels require a card on file so cash is not a good option (and we wouldn’t want to suggest this anyway). PIN debit can protect that one transaction but not the PAN which could be used elsewhere without a PIN…and I’m not sure that PIN debit is commonly accepted at hotels anyway. EMV is not going to prevent data theft and is not (yet) a requirement in the US. Payment tokens could help but to my knowledge are generally not accepted at hotels.
It’s in every consumer’s best interest to review bank statements and credit reports carefully and regularly.
