Combating Credit Card Risks

Jun 26, 2007 3:42 PM

Using a credit card at a gasoline station could pose more of a risk for data theft than shopping online, as point-of-sale (POS) terminals have emerged as a weak link in the security chain, according to a Gartner analyst as reported by IDG News Service.

When a card is swiped, POS terminals often collect and store the data held in the magnetic stripe on the back of a credit card, says Avivah Litan, a Gartner vice president and analyst. Retailers are often unaware that their POS applications collect so much information.

In the hands of sophisticated hackers and counterfeiters, the data collected from the magnetic stripe is enough to create a replica card. "It's almost more dangerous to go to the gas station than it is online," Litan said at Gartner's Identity and Access Management Summit in London. "The data is just sitting there. No one even thought about what data is on a POS controller."

Retailers' network configurations are partly to blame. Many are using the Internet to transmit data in place of dial-up networks, and many have incorporated wireless access points into their networks using WEP (Wired Equivalent Privacy), Litan says, which is not considered a strong form of encryption.

Hackers lurk in parking lots looking for weak networks to penetrate. Since the POS terminals are linked via IP, once a hacker has accessed a network they can try out neighboring IP addresses until they locate a store of data, Litan told IDG News Service.

Data breaches that occur offline are common. Of 160 breaches investigated for one major credit card brand, 128 took place in the brick and mortar world where the card was physically present for the transaction, rather than being used online or over the telephone, according to Gartner.

To strengthen security, card brands such as Visa and Mastercard are pressuring retailers to comply with the Payment Card Industry (PCI) Data Security Standard (DSS), a code of best practices created by the card industry. The standard forbids the storing of magnetic stripe data on POS terminals, and Visa plans to start fining retailers in the coming months if they don't comply, according to Gartner.

Implementing security is cheaper in the long run than having a data breach, which can be expensive and hurt a company's reputation. Gartner calculates that a data breach costs companies around $300 per exposed account because of investigations, fines and lawsuits. On the other hand, beefing up security costs around $16 per account for the first year, and that cost falls over time, according to Litan.

The short-term forecast for POS security doesn't look great, however. Gartner predicts that by next year, most attacks against retailers will be directed at their POS terminals, and only 30 percent of POS software will be compliant with the prevailing security standards by 2009.

At least one U.S. state has already taken the legislative route in its fight against identity theft. In May, Minnesota became the first to enact the PCI DSS into law.

"The U.S. states, because of a number of lawsuits going against some of the big retailers, are looking at what needs to be done (about the issue)," says Mary Kirwan, a Canadian IT security consultant.

The massive data breach suffered last year by retail giant TJX, in which credit card data of millions of its customers were stolen by a hacker, has prompted many governments to take action to increase the protection of personally identifiable information.

Many U.S. states are expected to take Minnesota's lead, Kirwan says. "Right now, the approach in the U.S. in some cases is to make this a problem of the retailers, and I am not sure at all that that's necessarily the way to go."

Attempts are also being made in the U.S., however, to enact privacy legislation at the federal level. That would provide consistent protection as well as a common framework for securing data, Kirwan says.

"If you have different laws in every state, it will be extremely difficult to [be compliant] and I think that is a situation we want to try to avoid here [in Canada]," she says.

Despite its applicability, however, the PCI DSS was designed for the payment card sector and many of its provisions apply only to organizations with cardholder data, says Simon Tang, security and privacy partner at Deloitte's Toronto office.

"If you talk about physical security, it goes into specifics as to how you should be shredding paper. Sometimes it's very difficult to generalize that requirement to other companies because it depends on their data classification," Tang says.

The following are among the 12 requirements under the PCI DSS:
-- Install and maintain a firewall configuration to protect cardholder data
-- Do not use vendor-supplied defaults for system passwords and other security parameters
-- Protect stored cardholder data (highlighting encryption as a critical component for protection)
-- Encrypt transmission of cardholder data across open, public networks
-- Use and regularly update anti-virus software or programs
-- Develop and maintain secure systems and applications
-- Restrict access to cardholder data by business need-to-know

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue