Security Breaches Have Merchants Thinking About EMV and Other POS Security Concerns
Technology and payment processing company TouchSuite is the latest company to announce a security solution for POS systems as merchants continue to worry about data breaches reported at major retailers. TouchSuite’s new EMV security chip is being released over a year before the federally-mandated liability shift set for October 2015.
“The upcoming EMV liability shift is something that will affect every single merchant that accepts credit card payments, yet there is a great level of unawareness about how its ramifications can impact business owners, especially amongst smaller merchants,” said Sam Zietz, CEO of TouchSuite, on the company’s official blog. “By beginning to offer EMV-certified terminals in a secured infrastructure more than a year in advance of the deadline, we hope to help small and mid-size businesses avoid the inevitable rush to migrate, which will no doubt center on larger retailers and chains, and leave smaller merchants scrambling for support and facing devastating transaction liability.”
EMV (Europay, MasterCard, and Visa) is a new type of payment system for the US that is designed to supplant traditional American credit cards. Used in other parts of the world for years, the new system requires the installation of a processing system capable of reading an EMV chip.
Some experts are predicting that delaying the switch-over until October 2015 could cost the US millions of dollars due to fraud. Also, American businesses are already missing out on countless foreign transactions as European financial institutions are currently skeptical of American credit card transactions. Often these transactions are denied. This leads to many instances of a valid customer with a valid credit card getting declined simply due to the current environment.
Taken together, the continued potential for fraud and general skepticism from European banks seem to cry out for a more immediate switch.
Making the Switch
As part of the shift in October 2015, responsibility for losses on magnetic stripe cards starts falling on merchants, a serious motivation for merchants to begin using the EMV system. In a recent report, Julie Conroy, the research director for the Aite Group, speculated that as merchants switch their POS systems over to EMV, fraud would shift over to ATMs and eCommerce, the latter referred to as card-not-present transactions.
eCommerce vendor Shopify has announced that it will be making the switch ahead of the October 2015 deadline. But even with the switch to a more secure system, there will still be opportunities for fraudsters, both at the IT level and at the physical level. Speaking with InformationWeek’s Dark Reading, Chris Strand, director of compliance for security firm Bit9, said that a POS system may be the weakest link in the chain, as was evidenced by the recent Target security breach.
“This is a common type of attack that we’re going to see more and more prevalent because the attackers will take the path of least resistance, and, in this case, they’re realizing that these POS systems are not protected from a vulnerability perspective,” Strand said. “The fact is that the current security mechanisms they’re using to guard the internals of these POS systems is vastly inadequate to protect the inner systems and software running on these things.”
Proactive Security and Response Plans
Merchants looking to guard their transactions and customer data should embrace the upcoming EMV shift, but it’s also necessary to take steps at every level of the transaction system.
Businesses should perform their due diligence when working with a cloud vendor for their financial transactions and customer information. The vendor’s security system should be explained in the service-level agreement, and merchants should perform regular evaluations to make sure information is being secured as described. Before selecting a cloud vendor, merchants should look at the company’s standing and current client base.
In addition to guarding against a breach of cloud data, vendors should make certain that they are enforcing security protocols on premises. Vulnerable customer information is often held on mobile devices and flash drives that can quickly become lost or stolen.
Companies with employees who take devices with them should be sure those devices are effectively secured. Every mobile device ought to be secured with a passcode, and any external hard drives should be encrypted and password-protected. Mobile devices can also be remotely erased if necessary, but this capability must be set up in advance.
Despite these precautions, a security breach might still happen, and a company should have a plan in place for when a breach does occur. Many public relations experts recommend coming clean about what happened despite any damage it may cause to the company’s image. If a company does try to hide a breach and numerous fraud victims trace the source of their problems back to one business, the business could be in bigger trouble than if it had simply come forward in the first place.
While an aggressive, transparent, and honest approach to handling a security breach won’t solve every problem, it can go a long way to keeping a company in business.