Following last week’s breaking news that U.S. retail giant Target was hit by a huge data breach, security experts commented:
Enter: Michael Sutton, director of security research at Zscaler
“Why do we keep hearing about this? Because criminals go where the money is. Typically, criminals steal credit card information and then sell it. There's a very elaborate economy built around this type of crime. That's a very valuable asset that can be obtained completely through remote Internet access. There's not a great deal customers can do, other than take the necessary steps, like changing passwords and credit card numbers if they have been informed of a breach. Beyond that, they can take proactive steps like shopping with reputable vendors. Then again, here we are talking about one of the largest retailers in the United States. No one is immune.”
Enter: Mark Bower, a vice president at Voltage Security
“Unfortunately this massive breach is a reflection of the times we live in. The size, scale and coordination required for this attack illustrate the lengths that attackers will go to steal valuable credit and debit information including card track data and CVV codes – the ultimate prize. Typically there are two points in the retail chain where attacks take place – the POS or the payment switching back end. POS systems are often the weak link in the chain and vulnerable. They often run a standard OS and are thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or, worse, an insider. In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems. As a POS and checkout are in constant use, especially around high-volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable to malware compromise impacting massive amounts of cardholder data, as we see here with Target. If this breach were further up the chain, perhaps in the authorization and settlement switching systems in the retail back end, then the track data and CVV codes should never have been stored – even if encrypted. There’s no need, and it’s forbidden under PCI DSS, yet sadly still happens.
“The good news is that there is a way to prevent this very efficiently. Savvy retailers are already tackling this risk and fighting back by giving the malware nothing to steal. Point-to-point encryption (P2PE) from the instant the card data is read, also called end-to-end encryption, addresses this risk by encrypting all the payment card data before it even gets to the POS. If the POS is breached, the data will be useless to the attacker. Tokenization can eliminate live data from post-authorization retail processes like warranty and returns while enabling the retail business to still operate as before – even at Black Friday scale. No live data means no gold to steal. Attackers don't like stealing straw. We've helped thousands and thousands of merchants along with their payment gateways and acquirers to embrace this approach using new powerful techniques with no impact on the retail process, yet practically eliminating the possibility of an attack like the one Target is dealing with today. And with EMV on the horizon to make it much harder to counterfeit physical cards from stolen data, and with P2PE and tokenization to protect the card data in the retail flow, merchants can turn the tables on data breaches in a major way. With the significant reduction in the cost of PCI compliance, there’s also an ROI to justify it in addition to avoiding the cost and complications of remediating 40 million breached cards as in this case.”
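As an added example (not Voltage Security's, Target's or any payment vendor's code), a toy Python model of the flow Bower describes: the card reader encrypts track data before the POS application ever sees it, only the gateway can decrypt, and the retailer keeps a token plus the last four digits for returns, with an audit check that a stored record holds no PAN, track separator or CVV. The keys, the SHA-256-based cipher, the track string and every function name are constructed for illustration and are not a PCI-listed P2PE implementation.

```python
import hashlib, hmac, re, secrets

# Constructed demo keys. READER_KEY lives in the tamper-resistant reader and at the gateway;
# the POS application never holds it. VAULT_KEY lives only at the token vault.
READER_KEY = hashlib.sha256(b"constructed-demo-reader-key").digest()
VAULT_KEY = hashlib.sha256(b"constructed-demo-vault-key").digest()
PAN_RE = re.compile(r"\b\d{13,19}\b")   # any 13-19 digit run that looks like a card number

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only, not a real P2PE cipher)."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def reader_encrypt(track: str) -> bytes:
    """Card reader: encrypt the track the instant it is read, then MAC it (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    pt = track.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(READER_KEY, nonce, len(pt))))
    tag = hmac.new(READER_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def gateway_authorize(blob: bytes) -> dict:
    """Acquirer/gateway: the only party that decrypts. It returns a token, never the PAN."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(READER_KEY, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampered or misrouted payment blob")
    track = bytes(a ^ b for a, b in zip(ct, _keystream(READER_KEY, nonce, len(ct)))).decode()
    pan, _ = track.split("=", 1)   # track-2 layout: PAN '=' expiry, service code, discretionary data
    token = "tok_" + hmac.new(VAULT_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]
    return {"approved": True, "token": token, "last4": pan[-4:]}

def pos_checkout(track: str, amount_cents: int) -> dict:
    """POS terminal: ciphertext in, token out, so malware scraping this process finds no PAN."""
    blob = reader_encrypt(track)
    auth = gateway_authorize(blob)
    # What the retailer persists for returns and warranty: token plus last4, no track, no CVV.
    return {"amount_cents": amount_cents, "token": auth["token"], "last4": auth["last4"]}

def audit_record(record: dict) -> bool:
    """PCI-style check: a stored record must hold no PAN, no track separator and no CVV field."""
    flat = " ".join(f"{k} {v}" for k, v in record.items())
    return PAN_RE.search(flat) is None and "=" not in flat and "cvv" not in flat.lower()
```

Run `audit_record` over the records your returns system actually persists; a record that fails it is live data a POS or back-end compromise could carry off.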