Don't let EMV be a missed opportunity

By Gill Woodcock, Director of Certification Programs, PCI Security Standards Council

     Gill Woodcock

Hackers are increasingly attacking third party partners, like point-of-sale (POS) resellers, to break into retailers' systems through weak remote access controls. In fact, this, along with weak passwords, contributed to 94 percent of POS breaches investigated by Trustwave in 2014. In more than 400 investigations conducted by the U.S. Secret Service last year, improper payment platform setup and system maintenance were the common points of attack and compromise.

So what does this mean for you as a retailer?

Technology is only as good as its implementation. A merchant could buy all the right equipment and software, but if it's set up wrong or not updated when it should be, your business could be wide open for attack. As merchants roll out EMV chip in stores this fall, don't stop there—take the opportunity to re-evaluate the payments infrastructure. Make sure the strongest security protections are in place for both the business and your customers. 

Retailers should pay particular attention to products, processes and partners.

Products: POS software and devices

To accept EMV chip cards, merchants need an EMV-enabled payment terminal and EMV-enabled payment software at the point of sale. For the strongest security and business benefits, retailers should consider the following:

Use PCI-listed POS software that supports EMV and PCI Data Security Standard (PCI DSS) compliance.

Upgrade POS devices to get the strongest security protections and support EMV chip, point-to-point encryption and tokenization while also enabling the business for the future, including the ability to accept new types of payments, like mobile and contactless.

Consider implementing a validated Point-to-Point Encryption (P2PE) Solution to make payment card data unreadable and less valuable to criminals if stolen in a breach.    

Process: Remote access controls, passwords and patching

While EMV technology will cut down on in-store fraud, it doesn't protect a business against data compromise. People, processes and technology are the critical elements for data protection as outlined in the PCI DSS. The majority of attacks can be prevented by improving your process when it comes to managing access.

Retailers in particular are often not aware that remote access is left persistently running—that is, outside vendors have access to the system whenever they want. It's how Target suffered one of the largest data breaches in retail history.

Disable remote access until it needs to be turned on. When it is turned on, make sure it's monitored, and confirm that the service and tools used are safe—up to date and configured correctly—and security best practices are applied.

Change factory-installed passwords on your software and systems. Update these passwords regularly, and especially after outside contractors do hardware, software or POS system installations or upgrades.

Don't ignore 'fixes' in the form of software updates or patches released by your product vendors. Not installing security software updates is like having locks on the doors but not locking them. Without the latest protections against viruses, spyware and other malicious software, the door is wide open for hackers.

Partners: Qualified Integrators and resellers

You know how important relationships and trust are when it comes to doing business. Security is no different. Don't go to all the effort to move your system to EMV chip, but miss the mark when it comes to implementation and maintenance.

Be confident that your POS partner takes security seriously and looks after the critical security controls as identified. Work with a PCI-listed partner to ensure your POS system is being installed and maintained securely and in accordance with PCI DSS.

The EMV chip rollout provides a golden opportunity for retailers to re-assess payment security practices. As you upgrade technology, don't forget to take into account the people and processes involved in protecting your business and your customers.

Retailers, banks, and security and technology experts will be talking about EMV chip and POS security at the PCI Security Standards Council Community Meeting in Vancouver next week.

Related stories:
Survival tips for retailers that miss EMV deadline
Banks worried that retailers won't be ready for EMV
EMV is $35B 'money pit' for retailers
EMV update: 75% of retailers to miss October deadline