Home Depot. Mandarin Oriental. Staples. What do these three brands have in common? All three have suffered significant losses thanks to security breaches affecting their Point of Sale (POS) systems – with Home Depot reporting initial losses of $43 million in 2014 and Mandarin Oriental seeing hackers harvest customer credit card data from the POS systems at some of its 45 hotels.
Such breaches are becoming increasingly common. In fact, while the big names and their gargantuan losses grab the headlines, smaller retailers and hospitality firms are most likely to be affected.
The Ponemon Institute’s Cost of Data Breach Study estimates that the average cost of a POS security breach is $3.5 million – more than enough to bring a small or medium-sized business to its knees.
So what is making POS systems so vulnerable to attack?
Unsurprisingly, the credit card data stored – albeit briefly – by such systems is highly valuable for hackers. On top of this, many companies are more or less handing them the tools to do so by failing to arm themselves with adequate protection.
Take, for example, the question of operating systems. Windows XP is still widely used by businesses with POS systems – including some of the world’s leading high street fashion retailers. What might seem like an arbitrary choice in fact leaves the field wide open for hackers.
Attackers don’t need special technical knowledge to target theses POS machines: it’s fairly straightforward to repurpose Windows malware to suit their needs without having to worry about new fixes for viruses and malware being launched.
There are multiple issues underlying companies’ reluctance to upgrade the operating system on their POS terminals. To begin with, carrying out such an upgrade across hundreds, thousands or hundreds of thousands of geographically dispersed terminals is a time-consuming process with great potential to disrupt business operations.
Secondly, it’s not always a simple matter of upgrading the software: many POS systems have not been designed with OS upgrades in mind and would have to be replaced entirely for such a change to take place. Replacing an entire POS system – all the tills, terminals and card readers across the entire business – represents a huge cost attached to an even bigger disruption factor.
In the US, this matter is further complicated by the fact that most companies are still not yet compliant with the EMV standard. Based on chip and PIN technology, the standard – which has already been adopted in other regions around the world – has seen slow take-up in the US – and it’s easy to see why.
Compliance entails an overhaul of the entire credit and debit card infrastructure – from banks and the cards they issue, to retailers and their POS systems, through to consumers and the cards they use. With such a big change to prepare for, few companies will be prioritising any other changes to their POS infrastructure.
US merchants now only have until October 1, 2015 to integrate EMV readers into their POS systems. Once the deadline passes, those who do not install the readers will be held liable for fraudulent charges from magnetic stripe card data.
> See also: Getting ready for a mobile payment world
The US has been slow to take up chip and PIN, thanks to a combination of retailers’ reluctance to bear the cost of upgrading and indifference from consumers who are not held financially liable for fraudulent charges. It is thought the new legislation will provide the impetus many retailers need to get their systems upgraded from the now-unsupported XP.
In Europe, where the EMV standard is already well-established and POS systems tend to be more mature, the issue has a slightly different flavour. While most companies have a rigorous process for running security patches on their office computers, maintenance on their POS systems can be decidedly sketchy.
Sourced from Jim Bezdan, 1E