A Weak Payments Link
Seattle Hack Proves Payments Chain Security is BrokenThe payments chain is only as secure as its weakest link. Not a surprising revelation, admittedly, but one about which we must be constantly reminded.
Let's take a look at the hack of Broadway Grill in Seattle. The October cyber attack, which was initially suspected of including only a handful of hits to merchants in Seattle's Capitol Hill area, has now been linked to an overseas cyber operation.
Federal authorities believe that in a single day, one hacker targeted only Broadway Grill after accessing a server in the transaction process that housed cardholder and account information. The hacker allegedly made his way to the server after breaking into the restaurant's network. That connection from point A to point B compromised the chain.
It's a domino effect -- one that could not have been prevented by compliance with PCI or even the EMV chip & PIN standard. As Tom Wills, a fraud analyst with Javelin Strategy & Research, explains it, "This incident shows us simply that security in the card payments system today is inadequate to meet the techniques that criminals are now using."
In a nutshell, "Hackers will always to go the weakest point in the system." Just securing a part of the system or chain doesn't stop the fraud.
One link in the chain could comply with PCI, for instance, but if security is not integrated across the enterprise, throughout the system, that single link's compliance won't really matter. And what about compliance with EMV? Well, EMV secures card data -- preventing it from being skimmed in the way card data can be copied from a magnetic stripe. But if the POS system is not protected and/or does not encrypt cardholder data transmitted to the acquirer, it leaves a security gap that's easy for today's high-tech cybercriminals to slide through.
"EMV would not have prevented this attack," Will says, "since it was targeted against a merchant's back-end systems, where card data has already been captured." Encryption between the retailer's system and the acquirer may have prevented the attack. But Wills is quick to add that even encryption might not have made a difference, "since we don't know whether the hacker used a log-in mechanism or intercepted the communications channel to retrieve the card data."
There are almost too many channels and gateways to think about.
Still, it's no secret that merchants are often the most vulnerable to attacks. And restaurants, well, they tend to be the worst when it comes to payments security. They definitely could benefit from cybersecurity education, and perhaps it's the job of banks and credit unions or the acquirers to spearhead that education. After all, when a breach occurs, it's the financial institution and its cardholders who bear the weight of the blow.
Wills says so-called siloed systems are usually to blame, and the only effective way to secure the payments chain will come from the development of global standards for end-to-end encryption. I agree. Enterprise-level management and full channel integration would help. It's something I'm hearing more about, and it's not impossible to accomplish -- but it is expensive.
Banks and credit unions have talked about enterprise-level security for some time, but I don't know that most entities connected to the payments chain -- at least on the merchant side -- are thinking along those same lines.
Yet, as this latest incident in Seattle clearly shows, merchants should be re-evaluating their thoughts.