July 1, 2014

Are Constant Breaches the New Norm?

Target, Michael’s, Neiman Marcus, White Lodging, and now P.F. Chang’s. It seems like every month there is a new, major data breach making headlines. In the most recent case, P.F. Chang’s appears to have been compromised for close to nine months, and experts say more than seven million card numbers may have been stolen.
In the weeks after their announcement, the restaurant chain reverted to processing card payments using the old carbon imprinting (knuckle-buster) machines, which led to speculation that they may have been dealing with a new piece of malware that the experts hadn’t seen before and weren’t sure how to stop.

At this point, it’s all still speculation. We can’t say with surety what the attack vector was or what security technologies may (or may not) have been in place at P.F. Chang’s. What we can tell you is that this trend of large-scale attacks shows no signs of slowing down.

A Growing Problem
In the wake of the Target breach, the FBI issued a memo to major retailers warning them that attacks on POS systems would likely increase in the near future – in spite of law enforcement’s best efforts.

We can also tell you what we learned from our friends at Coalfire® labs (a leading QSA firm). Late last year, they were at a conference where the U.S. military presented on cyber security. The military officer giving the presentation told attendees that they now assume that all networks are flat. That essentially means that the U.S. military assumes that all of their networks have already been compromised and that our enemies can see any information we post there in an unencrypted state.

While the fact that it has come to that is terrifying from a political perspective, from a security standpoint it’s actually a good practice. If you assume that hackers are already in your environment, would you be more careful in what data you allow to flow through your networks? Would you ensure that everything was encrypted or tokenized? Of course you would, and that’s the point of us sharing this information with you.

A Logical Solution
Much of PCI DSS is focused on keeping your networks secure and limiting access, but – as we have clearly seen in the last year – that’s not working. Shift4’s security technologies focus on removing the sensitive data from your environment so that there’s nothing for the hackers to target. After all, “They can’t steal what you don’t have.”®
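To make the “nothing for the hackers to target” idea concrete, here is an added Python sketch of the tokenization pattern. It is not Shift4 code and does not describe how TrueTokenization® is implemented; the class names, the Luhn check, the audit helper and the sample test card number are all constructed for this illustration. The merchant system stores only a random token and the last four digits, while the token-to-card mapping lives in a separate vault the merchant never holds, so a dump of the merchant database yields no card numbers.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Anything that looks like a 13-19 digit card number. Used only to audit what an
# attacker would find in a dump of the merchant's own records.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")

# Constructed sample: the widely published Visa test number, not real card data.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` passes the Luhn check-digit test used by card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the tokenization provider's vault (hypothetical). It lives
    outside the merchant environment; the merchant never sees this mapping."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        # Reuse the existing token so a returning card can be recognised
        # without the merchant ever storing the PAN (a multi-use token).
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random token: no mathematical relationship to the PAN, so a stolen
        # token cannot be reversed without access to this vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment gateway side would call this, to settle a transaction."""
        return self._pan_by_token[token]


@dataclass(frozen=True)
class SaleRecord:
    token: str
    last4: str          # kept for receipts; the last four digits are not full PAN data
    amount_cents: int


class MerchantSystem:
    """The merchant's POS/PMS database (hypothetical). Holds tokens, never PANs."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.records: List[SaleRecord] = []

    def charge(self, pan: str, amount_cents: int) -> SaleRecord:
        token = self._vault.tokenize(pan)
        record = SaleRecord(token=token, last4=pan[-4:], amount_cents=amount_cents)
        self.records.append(record)
        return record   # `pan` goes out of scope here; nothing persisted holds it

    def pans_exposed_in_dump(self) -> List[str]:
        """Audit helper: which full card numbers would an attacker recover from
        dumping every field of the merchant database? Should be none."""
        dump = "\n".join(f"{r.token} {r.last4} {r.amount_cents}" for r in self.records)
        return [m for m in PAN_PATTERN.findall(dump) if luhn_valid(m)]


def demo() -> dict:
    """Run two sales on the same constructed card and report what each side holds."""
    vault = TokenVault()
    merchant = MerchantSystem(vault)
    first = merchant.charge(SAMPLE_PAN, 4599)
    second = merchant.charge(SAMPLE_PAN, 1250)    # same card returns, same token
    return {
        "same_token_for_repeat_card": first.token == second.token,
        "pans_in_merchant_dump": merchant.pans_exposed_in_dump(),
        "vault_can_settle": vault.detokenize(first.token) == SAMPLE_PAN,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the token is random rather than derived from the card number: a hash or a reversible encoding would give an attacker who steals the merchant database something to work with, whereas a random token is worthless without the vault, which is exactly the environment the merchant no longer has to defend.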

So the question for you is simple: are you taking advantage of all of the security capabilities offered to you as a Shift4 merchant customer? Many of you are using TrueTokenization® but haven’t yet implemented point-to-point encryption (P2PE); others have both of those technologies in place at their front desk but have left their onsite restaurant out in the cold with no protection.

Which capabilities are available to you depends on which POS and/or PMS you are using and what the vendor included in their certification. If your POS/PMS vendor isn’t supporting the latest technologies, encourage them to start now. Completing a debit certification with Shift4 and adding support for our Universal Transaction Gateway® (UTG®) opens up our full suite of security technologies and ensures you’ll be ready for U.S. EMV as soon as the processors give us a spec to certify to.

If you’re not sure which technologies are supported, or want to know what your options are for additional security, give us a call or drop us an email. As always, Shift4 Support is here for you 24/7/365 at [email protected] or 702.597.2480 (option 2).