Practical Attack on POS Hacks
Industry Response to Merchant Security Gaps is Positive Sign
Much has changed in the payments space since 2009, and some for the better.
Think back three years ago, when Heartland Payment Systems suffered the massive payment card breach that almost shuttered the business.
More than 130 million cards were exposed as part of a five-year cybercrime spree orchestrated by the now notorious hacker Albert Gonzalez.
The incident called into question a number of industry practices, and it raised serious concerns about the efficacy of the Payment Card Industry Data Security Standard, which at the time was still in its infancy.
Fast forward to 2012, and think about how far we've come, and how far Heartland, the PCI-DSS and the Payment Card Industry Security Standards Council have all come as well. In fact, both Heartland and the council are now spearheading separate initiatives to improve payments security right at the source - the merchant.
Two Hands-On Answers
The PCI Council has just announced the launch of a new training program that directly addresses ongoing security flaws at the point-of-sale. This new Qualified Integrators and Resellers Program is probably the most practical program I've ever seen the council develop.
It's designed to educate and train POS device and system integrators and installers about the nuts and bolts of PCI compliance, emphasizing the roles they play in POS security.
Bob Russo, general manager of the council, says the QIR program is the industry's response to breaches that have resulted from poor POS installations, which can leave remote access portals vulnerable to attack.
Although different today than they were back in 2009 - when Gonzalez used war-driving techniques to tap into Heartland's network, exploiting open Internet connections merchants used for processing - the vulnerabilities are similar. Recent POS attacks at merchants throughout the United States, from Michaels to Subway and Penn Station, highlight the card-security risks posed by outdated POS devices, software and default pass codes.
In fact, Russo says most POS network breaches can be traced back to remote-access portals, which are too often left open or are inadequately secured.
"Often this can be tied to one simple element: not resetting a factory default on certain equipment," he says. "Through the QIR program, the council will share best practices about vulnerabilities that must be addressed during the installation of devices and applications."
And it's not just PCI. Heartland, too, is taking a hands-on approach to merchant security, and is setting an example other processors will likely follow.
Not only is Heartland taking steps to educate its merchants about POS and payment card security, but it also is assisting those merchants with post-breach investigations and POS hardware and network upgrades.
In the wake of recent breaches at two Heartland clients - Penn Station and a locally-owned Mexican restaurant in Winchester, Ky. - executives at Heartland say they decided it was time for a proactive approach (see Heartland Takes Aim at POS Fraud).
Heartland is stepping in after breaches, overseeing investigations and even upgrading willing merchants to its E3 POS system -- a hardware-based end-to-end encryption technology that removes the merchant from the process of managing encryption keys locally.
Taking that key management onus off the shoulders of the merchant simplifies the process. It makes sense, and is something more processors should be doing, and could have been doing a long time ago.
As John South, Heartland's chief security officer, rightly points out: Merchants need assistance.
"Their specialty is not in securing networks," he says. "And many have little or no experience in installing hardware or software to do that."
And, like Russo, South says remote access is the greatest worry. "Statistically, right now, remote-access capabilities, for whoever installs the system, are posing the greatest threat," he says. "Card skimming is still a problem, but it's just one of several ways that card data can be attacked."
I commend both the council and Heartland for the steps they've taken here. They identified a problem and came up with direct ways to address it: Good for them.