
Has chip and PIN had its day?


By Sushila Nair, Security Specialist, BT Global Services

In the days leading up to Thanksgiving 2013, the shops were buzzing with people as they searched for the year’s Christmas gifts; queues formed, barcodes scanned and receipts fed from the till. Little did anyone know, malware had been installed in Target’s 1,797 stores and was capturing customer credit card numbers as they shopped, blissfully unaware.

When it all hit the headlines, the Target breach triggered an interesting debate. People asked why there is a lack of chip and PIN in the US and also, what the future is for payment security.

But this conversation isn’t entirely relevant; after all, hackers gained access to Target’s network through stolen credentials taken from a heating and refrigerator contractor, then placed malware on the POS devices and stole card data, without using chip and PIN. Card-present transactions are only responsible for one third of all card fraud; the majority of breaches are actually down to card-not-present activity.

Even so, US credit card companies have set a deadline for merchants to implement new payment terminals for chip and PIN cards (though it’s unlikely that most vendors will meet the October 2015 deadline). On top of this, most consumers in America do not have chip and PIN cards, and it’s believed that only 20 to 30 per cent of cardholders will have new cards by the deadline.

The Target breach is not a story of chip and PIN security, but supply chain security — chip and PIN wouldn’t have prevented the breach. On top of this, payment methods are moving away from cards altogether and making their way towards mobile payment technology.

So, chip and PIN clearly isn’t the only answer. There’s no single solution to the complex problem of security. Chip and PIN or supply chain security won’t make the problem go away. The real challenge is understanding your risks and putting in appropriate controls. Only by doing this can you truly prepare your organisation to face any potential threats. The National Institute of Standards and Technology (NIST) has released guidance around supply chain security suggesting that it has been recognised as an essential part of cyber security because it reduces the risk of software and equipment being compromised at their source.

Depending on the value of the information on your network and the cost of the breach, a vendor risk assessment is generally a wise move as well. Third-party connections should be monitored, and two-factor authentication should be required to gain access to restricted networks. In addition, vendor credentials need to be secured by passwords with due diligence, and ethical hacking and prevention testing are a critical part of understanding if your network parameters are really secure.

The Target breach has awakened a question about the relevance of chip and PIN, but I also wonder — with the emergence of mobile payment technology — if we’ll be using brand new payment technology before chip and PIN can be successfully implemented across America. This may come as a blessing for banks and vendors who’ve spotted the price tag of overhauling their complete network of payment systems.

What’s your point of view on chip and PIN and the future of payment security? Head over to our social channels — follow us on Twitter, Facebook or LinkedIn to get involved in the discussion and share your thoughts.

