Bracing for Breaches This Holiday Season
Experts Say Retailers Better Prepared to Fight Fraud
While security experts are predicting the usual significant uptick in point-of-sale attacks during the holiday shopping season, they say retailers are better prepared to fight fraud because they have beefed up security.
The breach at Target Corp., along with the cascade of other retail breaches that followed, got retailers' attention, says Stephen Orfei, general manager of the PCI Security Standards Council. As a result, many merchants have invested more money in advanced security solutions, he says.
"The C-suite is paying attention," Orfei says. "And I absolutely think there is better transaction and point-of-sale network monitoring going on than there was a year ago, especially among the e-commerce merchants, which are being much more vigilant. Today, they are utilizing more tools like tokenization. So, I definitely think there has been an improvement year-over-year."
Josh Shaul, a vice president at security and forensics investigation firm Trustwave, says card breaches generally increase every holiday shopping season.
"We tend to see two spikes - one in December, likely those breaches that are detected quickly, and then another in February/March, those breaches that get detected on the typical 90-day timeline from intrusion to detection," he says. "We expect to see the same trend in 2014/2015. The holiday season drives a lot of credit card purchase activity, and forces the IT staff in the retail space to turn most of their attention to operations and closing out the year. Cybercriminals know this cycle well, and are set up to take advantage of it."
As hackers perfect their techniques, retailers can expect more breaches, Orfei says.
"Naturally, the hackers target retailers during high-traffic periods, and the holidays, obviously, are high traffic," he says. "Secondly, as we're in the process of implementing EMV and that window for compromising mag-stripe data begins to close, we will see more compromises at the point of sale."
Mitigating Fraud Risks
So what should retailers and banking institutions be doing now to brace for this anticipated uptick in card fraud?
"From the merchants' perspective, it is not as much about monitoring transactions, which they may not have the capacity to do, as it is to ensure that their payments platform is segregated from other company systems and that appropriate security requirements are adhered to," says Doug Johnson, senior vice president of risk management policy for the American Bankers Association.
Shaul of Trustwave recommends retailers conduct more penetration testing at the start of the holiday sales rush and complete a year-end risk assessment to ensure no potential vulnerabilities have been overlooked.
"Fix what you can, and put mitigating technologies like Web app firewalls and secure Web gateways in place to fill the gaps," he says. "File integrity monitoring, and other endpoint-based protections can be a huge help in dealing with threats from malware, especially targeted malware that's not widely known and isn't detected by common anti-virus solutions."
In fact, Orfei says log monitoring is a critical fraud mitigation step that many retailers have overlooked (see Why PCI Will Issue Log Monitoring Guidance).
"Log monitoring is one of the most under-used tools that can mitigate a hack and an attack," he says. "The importance of looking at the daily logs for abnormal behavior cannot be overstated. If you see large amounts of data going to a Russian IP address, you know something is wrong. And if you were monitoring the logs, you would catch that."
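The kind of check Orfei describes, written out as an added example rather than code from the PCI Council, Trustwave or any retailer quoted here: egress-firewall records from the payment segment are summed per source and destination, traffic to the allowlisted processor network is ignored, and anything else is flagged, with large transfers called out separately. The log format, the 10.50.1.0/24 payment subnet, the 203.0.113.0/24 processor allowlist and the 10 MiB threshold are all constructed assumptions for the illustration.

```python
"""Flag abnormal outbound transfers from a card-data environment.

Added example for this article; not code from the PCI SSC, Trustwave or
any retailer. The log format, the payment-segment subnet, the processor
allowlist and the byte threshold are assumptions constructed for the demo.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: egress-firewall log, one connection per line.
# Fields: timestamp  src_ip  dst_ip  dst_port  bytes_out
SAMPLE_LOG = """\
2014-12-01T02:10:05Z 10.50.1.21 203.0.113.10 443 18204
2014-12-01T02:10:09Z 10.50.1.22 203.0.113.10 443 17990
2014-12-01T02:11:31Z 10.50.1.21 198.51.100.77 443 52428800
2014-12-01T02:12:02Z 10.50.1.23 198.51.100.77 443 33554432
2014-12-01T02:15:44Z 10.50.1.22 192.0.2.200 8080 4096
2014-12-01T02:16:10Z 10.10.7.5 198.51.100.77 443 104857600
"""

# Assumed POS / cardholder-data segment: only these sources are in scope.
PAYMENT_SEGMENT = ipaddress.ip_network("10.50.1.0/24")
# Assumed allowlist: the acquirer/processor network the POS must reach.
ALLOWED_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/24")]
# RFC 1918 space: internal hops are out of scope for an egress review.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BYTES_THRESHOLD = 10 * 1024 * 1024  # 10 MiB per (src, dst) in the window


def parse_line(line):
    """Split one whitespace-delimited log record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port),
            "bytes": int(nbytes)}


def in_any(addr, networks):
    return any(addr in net for net in networks)


def find_anomalies(log_text):
    """Return sorted findings as (src, dst, total_bytes, reason).

    The whole log is treated as one review window; a production job would
    bucket by hour or day before summing.
    """
    totals = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] not in PAYMENT_SEGMENT:
            continue  # not from the card-data segment
        totals[(rec["src"], rec["dst"])] += rec["bytes"]

    findings = []
    for (src, dst), total in totals.items():
        if in_any(dst, ALLOWED_DESTINATIONS):
            continue  # expected processor traffic, whatever its volume
        if in_any(dst, INTERNAL_NETWORKS):
            continue  # internal destination, not egress
        reason = ("bulk egress" if total >= BYTES_THRESHOLD
                  else "unexpected destination")
        findings.append((str(src), str(dst), total, reason))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, total, reason in find_anomalies(SAMPLE_LOG):
        print(f"{reason:22s} {src} -> {dst} ({total} bytes)")
```

Run against the sample, the two 30-50 MiB transfers to 198.51.100.77 are reported as bulk egress, the small connection to 192.0.2.200 is still reported because the payment segment has no business talking to it, the processor traffic is silent, and the non-POS host 10.10.7.5 is ignored because the check is scoped to the segment that holds card data. In practice the allowlist would come from the network segmentation documentation that PCI DSS already requires, and a geolocation or threat-intelligence lookup on the flagged destination would turn "unexpected destination" into the "Russian IP address" Orfei describes.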
Additionally, limiting remote access and ensuring that third-party vendors with network access use strong authentication credentials are also key steps.
Retailers also should make sure they have a tested incident response plan ready for activation as needed, Shaul says.
More Retailers Deploying Tokenization
Another key step is tokenization, and retailers have made significant strides over the last year, Orfei says.
According to a just completed PCI study, more than 50 percent of Level 1 and Level 2 merchants are now tokenizing and encrypting card data before it is processed for payment. And between 20 percent and 30 percent of lower-level merchants are either using tokenization today or will deploy a tokenizing solution within the next year, he says.
For brick-and-mortar retailers, bundling tokenization with end-to-end encryption and EMV chip technology ensures data is properly devalued, Orfei adds. Most high-volume merchants are already doing this.
"I'm seeing more EMV terminals in the market now and they are taking advantage of NFC [near-field communications] transactions," he says. "And that's a huge undertaking, when you think about the number of merchants and acquirers in the U.S. marketplace."
But EMV won't reduce card-not-present fraud, Orfei says. That's why tokenization has become increasingly critical for e-commerce merchants.
According to Trustwave's Global Security Report, e-commerce accounted for 54 percent of the breaches Trustwave investigated in 2013. In 2009, e-commerce made up only 11 percent of those breach investigations.
"The end game is we devalue the data so that it's useless in the hands of criminals," Orfei says.