Until security on retail point-of-sale (POS) systems becomes pervasive, the data breaches that affected Target (NYSE:TGT) late last year and P.F. Chang's just this month will continue, security experts say.
P.F. Chang's security compromise appears to follow the same approach that attackers leveraged in the massive Target breach, in which POS machines with traditionally weak security were targeted, Philip Casesa, director of IT/service operations for security education group (ISC)2, told eWEEK.
"Large retailers maintain centralized connections to these machines for updating, and an attacker can exploit that to distribute malware efficiently and collect large swaths of magnetic stripe data from the cards," Casesa said. "Without proper detection of this malware on the retailer's part, these breaches can run almost unfettered until the attackers have enough or their exploit window is somehow closed."
Because retailers and restaurants have proven to be vulnerable targets, the attacks will likely continue, according to Dwayne Melancon, chief technology officer at Tripwire. "A lot of retailers don't have information security as a core competency within their organizations, which means some of them are easier targets," Melancon said.
One way retail IT executives can ward off attacks is by truly understanding PCI compliance. "In today's payments environment, the merchant is ultimately responsible for securing the payment data their business handles. Unfortunately, merchants often rely on point-in-time, compliance-driven security, with their only goal being to pass their annual PCI DSS audit," ngenuity journal wrote.
Retailers that focus only on passing a PCI audit are missing the whole point of the exercise, which is to validate that they have all applicable security measures and processes in place to protect themselves and their customers. "The problem with a compliance-only mindset is that compliance is a view of security controls at a particular point in time. Therefore, it's possible for the state of those security controls to change even hours after a merchant's PCI DSS audit is complete and the Report on Compliance (RoC) is signed," the article stated.
Truly ensuring data security involves an ongoing set of processes that includes assessing threats, addressing vulnerabilities and remaining vigilant. If the merchant shows their Qualified Security Assessor (QSA) that ongoing compliance tasks are occurring and then stops performing one or more of those tasks after the audit is completed, the merchant has fallen out of compliance and is susceptible to a data breach.