October 7, 2014
100 Businesses Breached in One Attack
It seems like we’re hearing about a new major card-data breach on an almost weekly basis. It’s both incredibly frustrating and incredibly sad to see millions of people paying the price for businesses’ failures to adequately secure their data. What’s even more concerning is that it’s happening so often that we’ve heard people say, “Breaches are just part of the cost of doing business these days.” This is absolutely not true. Security technologies do exist that can protect merchants (and consumers) from the attacks that are becoming more common.
While the majority of the recent major breaches have used memory-scraping malware to capture card data as it enters the point of sale (POS), the methods used to install that malware have varied from case to case. At least two, though, have stood out as unique. In those attacks it wasn’t the company that was breached directly; it was a trusted vendor. For Target, it was an HVAC contractor whose Internet-connected heating and air conditioning equipment allowed hackers access to Target’s network. And for the recently announced Jimmy John’s breach, it was actually the POS company that was breached. With stolen credentials, these cybercriminals were able to remotely update Signature Systems’ POS to add memory-scraping malware.
This POS security failure resulted not only in 200+ Jimmy John’s locations falling victim to the breach, but also another 100+ smaller restaurants that were using the same POS system. Many of these were local restaurants and bakeries, rather than national chains. We hope these smaller organizations will be able to bear the financial costs of the breach and the brand damage they may incur as a result of their POS company’s security failure.
What do we learn from these two examples? That we can’t rely on other organizations to be secure. This is another reason that point-to-point encryption (P2PE) and tokenization are so important. With these solutions in place, card data never would have reached the POS, leaving the hackers with nothing to steal. It is also a great wake-up call to POS and property management system (PMS) manufacturers on the unprecedented need to build support for Shift4’s security technologies into their systems.
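To make the claim above concrete, here is an added example (written for this page, not Shift4’s or any POS vendor’s code) that models the two data flows side by side: a legacy POS that handles the clear PAN, and a P2PE flow in which the PIN pad encrypts the PAN before it reaches the POS and the gateway hands back a token. A toy “scraper” then searches each POS memory image for Luhn-valid digit runs, the way memory-scraping malware does. The cipher is a deliberately simple HMAC-SHA256 keystream standing in for the hardware-backed encryption a real P2PE terminal uses; the card number is a public Visa test number, and all field names and layouts are assumptions.

```python
"""Toy model of why P2PE plus tokenization blunts POS memory scraping.

Added example, not Shift4 code. The cipher is a simple HMAC-SHA256
keystream standing in for real P2PE terminal encryption; the data
layouts and names are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import os
import re
import secrets

# Constructed sample input: a public Visa *test* number, not a real account.
TEST_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, used to tell PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Memory scrapers typically look for runs of 13..19 digits that pass Luhn.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scrape_for_pans(memory: bytes) -> list:
    """Defender's view of a scraper: what would it find in this process image?"""
    text = memory.decode("latin-1")
    return [run for run in _PAN_RE.findall(text) if luhn_ok(run)]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode); NOT a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def pad_encrypt(pad_key: bytes, pan: str) -> bytes:
    """What the PIN pad does: encrypt the PAN before it leaves the device."""
    nonce = os.urandom(12)
    data = pan.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(pad_key, nonce, len(data))))
    return nonce + ct


def gateway_decrypt(pad_key: bytes, blob: bytes) -> str:
    """Only the gateway holds the pad key, so only it can recover the PAN."""
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(pad_key, nonce, len(ct)))).decode()


class Gateway:
    """Payment gateway: the only party besides the pad that holds the key."""

    def __init__(self, pad_key: bytes):
        self._key = pad_key
        self.vault = {}         # token -> PAN, kept off the merchant's network

    def authorize(self, blob: bytes) -> str:
        pan = gateway_decrypt(self._key, blob)
        if not luhn_ok(pan):
            raise ValueError("undecryptable or malformed PAN")
        token = "tok_" + secrets.token_urlsafe(16)   # opaque, not a card number
        self.vault[token] = pan
        return token


def legacy_pos_sale(pan: str, amount: str) -> bytes:
    """Legacy flow: the POS handles the clear PAN, so it sits in process memory."""
    return f"SALE amount={amount} pan={pan} exp=1217".encode()


def p2pe_pos_sale(pad_key: bytes, gateway: Gateway, pan: str, amount: str):
    """P2PE flow: the POS only ever holds ciphertext, a masked value and a token."""
    blob = pad_encrypt(pad_key, pan)                  # happens inside the pad
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    token = gateway.authorize(blob)
    memory = (f"SALE amount={amount} card={masked} "
              f"blob={base64.b64encode(blob).decode()} token={token}").encode()
    return memory, token


def demo(pan: str = TEST_PAN) -> dict:
    """Run a scraper over both POS memory images and report what it found."""
    pad_key = os.urandom(32)                          # injected into pad and gateway
    gateway = Gateway(pad_key)
    legacy_mem = legacy_pos_sale(pan, "12.50")
    p2pe_mem, _token = p2pe_pos_sale(pad_key, gateway, pan, "12.50")
    return {"legacy": scrape_for_pans(legacy_mem), "p2pe": scrape_for_pans(p2pe_mem)}


if __name__ == "__main__":
    print(demo())   # legacy scrape finds the PAN; the P2PE scrape finds nothing
```

The point of the side-by-side is in `demo()`: the same scraper that recovers the PAN from the legacy POS image comes up empty against the P2PE image, because the merchant’s POS never possessed anything a scraper wants. The masked display value and the token are enough for receipts, refunds and reporting, while the PAN itself lives only in the gateway’s vault.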
Payment Card Industry Data Security Standard (PCI DSS) Requirement 12.8 says that merchants are responsible for managing any service providers that will have access to cardholder data. Wouldn’t you prefer to work with a POS/PMS vendor that cares enough about your business to invest in the very best security? If your POS or PMS developer has been slow to add support for TrueTokenization® or P2PE, this might be a good article to share with them. The development costs for them to add support for P2PE and tokenization would be minuscule in comparison with the potential liability of a class-action lawsuit if they faced a breach.
If you’d like our help in approaching your POS/PMS manufacturer and encouraging them to support TrueTokenization and Shift4’s P2PE solution, email [email protected] and we’ll be happy to work with you.