The threat landscape, then, shifts from point of sale to the payment life cycle and the applications merchants run in their online environments. Many criminals use malware, spear phishing, and social engineering to steal employee identities and gain access to the environment.
The security concern is not limited to fraudulent credit card use but extends to the critical data the company collects as well. As more merchants collect and store data to personalize the customer experience, that data becomes more valuable and vulnerable.
Nir Polak, CEO and co-founder of Exabeam, said “Hackers are like water. They will find the crack and go through it. There is not a place on your network that is not vulnerable.” The holiday season impacts the vulnerability of the enterprise because many security teams are stretched too thin, but the threats exist year round.
“Hackers are breaching the networks of retailers and e-commerce brands using stolen employee credentials,” Polak said. “We have uncovered a hacker using valid credentials to log on to a self-checkout POS system of a major retailer and make a connection with 1,700 POS systems.”
One problem is that there are still legacy systems that must see the card in the clear. Polak said, “Companies need to put an open door somewhere to see the credit card, for chargebacks as an example.” Some criminals even go after the credit card processors.
Though EMV chip technology solves someone putting malicious code on the point of sale itself, “The credit card number still has a life cycle when it leaves the point of sale,” Polak said.
Throughout the payment life cycle, there are several places for criminals to find data, whether it’s printing coupons at the point of sale or handling chargebacks. “There are many situations where the retailer needs to have access to the full credit card number to conduct disputes and provide refunds,” Polak said.
Polak said, “There may be some situations where a token may suffice to handle disputes and refunds, but that really depends on the credit card processing company and retailer relationship as well as the tokenization technology in place.”
It’s a lot easier to make fraudulent charges online because users need to enter the full 16-digit credit card number, and there is no encryption around how that data is saved.
Security professionals need to be able to detect threats, and Travis Smith, senior security research engineer at Tripwire, said there are a lot of variants of malware that steal data out of memory.
Hardening the environment for online merchants and looking for critical system files that are being altered are two ways that enterprises can work to mitigate threats and minimize risk.
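The fan-out pattern Polak describes above, one valid credential reaching a large number of POS systems, is the kind of anomaly a detection team can pull out of ordinary logon records. The script below is an added example, not Exabeam's, Tripwire's or the article's code; the log format, account names, sample records and baseline thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample logon records (not from the article): one successful or
# failed interactive logon per line; "dst" is the POS host name.
SAMPLE_LOGS = """\
2015-11-20T08:01:12Z logon user=cashier07 src=10.2.3.15 dst=pos-0101 result=success
2015-11-20T08:03:40Z logon user=cashier12 src=10.2.3.22 dst=pos-0102 result=success
2015-11-20T08:05:02Z logon user=svc_inventory src=10.9.0.4 dst=pos-0101 result=success
2015-11-20T08:05:03Z logon user=svc_inventory src=10.9.0.4 dst=pos-0102 result=success
2015-11-20T08:05:04Z logon user=svc_inventory src=10.9.0.4 dst=pos-0103 result=success
2015-11-20T09:15:55Z logon user=cashier07 src=10.2.3.15 dst=pos-0109 result=failure
2015-11-20T22:41:10Z logon user=cashier07 src=10.2.7.99 dst=pos-0102 result=success
2015-11-20T22:41:11Z logon user=cashier07 src=10.2.7.99 dst=pos-0103 result=success
2015-11-20T22:41:12Z logon user=cashier07 src=10.2.7.99 dst=pos-0104 result=success
2015-11-20T22:41:13Z logon user=cashier07 src=10.2.7.99 dst=pos-0105 result=success
"""
# Hypothetical baseline: distinct POS hosts each account reaches on a normal
# day (in practice learned from historical logs). Unknown accounts default to 1.
BASELINE = {"cashier07": 1, "cashier12": 1, "svc_inventory": 3}

LINE_RE = re.compile(r"user=(\S+) src=(\S+) dst=(\S+) result=(\S+)")

def successful_logons(log_text):
    """Yield (user, src, dst) for each line recording a successful logon."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(4) == "success":
            yield m.group(1), m.group(2), m.group(3)

def fan_out(log_text):
    """Map each account to the set of distinct POS hosts it logged on to."""
    hosts = defaultdict(set)
    for user, _src, dst in successful_logons(log_text):
        hosts[user].add(dst)
    return dict(hosts)

def flag_accounts(log_text, baseline=BASELINE, factor=3, min_extra=2):
    """Return {account: sorted hosts} for accounts reaching more hosts than
    max(factor * baseline, baseline + min_extra); the limits are assumptions."""
    flagged = {}
    for user, hosts in fan_out(log_text).items():
        expected = baseline.get(user, 1)
        if len(hosts) > max(factor * expected, expected + min_extra):
            flagged[user] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    for user, hosts in flag_accounts(SAMPLE_LOGS).items():
        print(f"ALERT {user} reached {len(hosts)} POS hosts: {', '.join(hosts)}")
```

The service account that legitimately touches three registers stays under its baseline, while the cashier credential reused from a new source address against five registers is the one flagged; failed logons are ignored so that a single mistyped password does not inflate the count.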