As a security professional, I work with companies of all sizes, helping them sort through the realities of how best to protect payment information and themselves from a security breach. It never ceases to amaze me how many companies look only to meet their compliance requirements (Payment Card Industry [PCI], for example) and never consider that their networks remain highly vulnerable to compromise. Enter EMV technology, and once again many business owners already assume that doing little more than implementing the new technology will satisfy all of their security needs and compliance requirements.
Good security requires a layered approach, and to date no security technology or services company has come up with "the" silver bullet. There are simply too many ways a hacker can compromise a system. As it relates to EMV and the mandate to implement new readers and systems, every business needs to understand a few harsh realities before concluding it is safe from attack.
To provide some perspective, consider that the U.S. is late to the game in implementing EMV. EMV has been used in Europe, Asia, and other parts of the world for many years now, and still the rate at which businesses of all sizes are being hacked hasn't changed much. Although the transaction is authenticated with a certificate by way of the chip, the data is still transmitted in plain text, offering a rich reward to hackers who get to the data by compromising other devices or services running on the business network. EMV won't do much to prevent a cyberattack. It will make it a bit harder to use the cardholder data that's gathered, but certainly not impossible. Since gathering the cardholder data is not labor-intensive, the rate of attacks will likely remain steady, if not increase.
EMV terminals are prone to tampering. A few years ago, a man disguised as a point of sale (POS) technician walked into a fast food chain in Canada and advised the staff he was there to fix the terminal. He had a replacement device, which was actually a skimmer, that he put in place while he took the handheld terminal away to "fix the faulty device." A few hours later he came back to pick up the skimmer, which had already collected information from hundreds of cards. This scenario illustrates why it's important not only to have broader network security, but also to communicate security awareness throughout the company. Most large breaches have involved relaxed network security and remote access, allowing criminals to inject malware onto terminals and remotely intercept card data.
While EMV technology is a step in the right direction, EMV systems are just as susceptible to a breach and provide no safeguard against a hacker taking stolen data and using it to make online purchases. As for the card brands themselves, they see any stolen data as just that: stolen data! That means a merchant could still be liable for all card replacement costs, potentially be subject to fines and penalties, and possibly lose its ability to accept electronic payments until the results of an audit have been concluded. Sixty percent of small to mid-sized businesses go out of business within the first year following a security breach. They simply aren't able to weather the consequences.
While this may sound too gloomy or overwhelming, the good news is that there are solutions on the market offering enterprise-grade security by way of a subscription service. They provide network security and, more specifically, protection of electronic payments and other information such as patient or personal data. Managed security service providers (MSSPs) with expertise in areas such as PCI DSS (Payment Card Industry Data Security Standard) are able to add a layer of protection around the EMV devices themselves to ensure that devices are not swapped or tampered with, and they can also provide other services such as secured Wi-Fi, content filtering, VPN (virtual private network) services, and much more.