Recent months have seen a major spate of cybercrime, with high-profile credit card data breaches at retailers like Target and Neiman Marcus, as well as many other incidents at smaller stores. The sudden wave of credit card data theft is prompting more scrutiny from the federal government and industry watchdogs, and software security experts have noted that many of the standards and technologies in place for protecting retailers are simply inadequate given the advanced nature of today's threats. With cybercrime on the rise, businesses may need more secure out-of-the-box tools for making sales and processing payments.
A recent Washington Post article highlighted the current high-threat environment, noting that nearly two dozen companies have experienced data breaches similar to the one at Target that compromised as many as 40 million customers' credit card information. While not all the retailers targeted have been publicized and the number of customers affected is still in question, the general upward trend of cybercrime is clear, and the FBI has warned retailers that many more will likely fall prey to hackers in the coming months. A recent Ponemon Institute study found that cybercrime cost U.S. companies an average of $11.5 million in 2012, a 26 percent increase from the year before.
"You're going to see more and more people trying this," Nicolas Christin, a security researcher at Carnegie Mellon University, told the Post. "If you just saw your neighbor win the lottery, even if you weren't interested in the lottery before, you may go out and buy a ticket."
The shortcomings of PCI
Currently, retailers look to protect themselves by meeting the Payment Card Industry Data Security Standard. But PCI compliance is tricky, and few companies meet all the requirements. According to a recent Verizon Enterprise Solutions report, just 11 percent of companies were fully up to industry standards. In North America, 56 percent met 80 percent of the requirements.
Part of the problem is that the list of PCI compliance requirements is long and often impractical to enforce, payment security expert Slava Gomzin wrote in a recent column for VentureBeat. He noted that the latest version of the standard includes 399 testing procedures, and he questioned how small retailers could possibly hope to meet all the requirements when even the largest companies with the best security resources are being breached. For instance, one of the requirements of PCI is that all employees be subject to an IT security policy – hardly something that a family restaurant or small business can be expected to ask of service staff. The more fundamental problem may be that current payment technology is not built for security.
"Our decades-old payment system was not designed with cybersecurity in mind," Christopher Soghoian, principal technologist at the American Civil Liberties Union, told the Washington Post. "Times have changed. Data breaches now occur on a weekly basis, the result of which is that consumers become victims of fraud and identity theft."
One of the topics that's gained the most traction in the wake of the Target breach is the adoption of chip-based EMV cards like the ones that are used in Europe and Canada. Advocates are pushing for implementation by as soon as October 2015, but skeptics say that even an implementation process that began now would take years, Gomzin noted. And regulators have been cautious about forcing requirements on the banking industry without proof that the chips will actually help, the Washington Post reported.
Building a better system
The more compelling approach for ensuring consumer protection might be to build more secure POS systems, Gomzin suggested. One of the major shortcomings of PCI is that it only requires encryption for data at rest, allowing applications to process data in clear text in the RAM of POS terminals and opening the door for attacks like the memory-parsing approach that hackers used in the Target breach and many other recent incidents. Similarly, data can be transmitted unencrypted. And payment applications are allowed to store binary and configuration files without protection, enabling tampering. More securely designed POS and payment processing software could eliminate these flaws and could also help strengthen security in a context where expertise is far from a given.
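One of the gaps described above, unprotected binary and configuration files, can be closed by the application itself without any operator expertise: the installer records a signed manifest of file hashes, and the POS software refuses to start (or raises an alert) when a file no longer matches. The following is an added example written for this article, not code from Klocwork or from any vendor the article mentions; the signing key, file names and directory layout are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. A real deployment would keep this in an HSM or a
# secured key store, never in the payment application's own directory.
MANIFEST_KEY = b"constructed-demo-key-do-not-use"


def hash_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every regular file under root and HMAC-sign the listing."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = hash_file(full)
    payload = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_manifest(root: str, manifest: dict, key: bytes) -> list:
    """Return findings; an empty list means every file matches the signed manifest."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Check the signature first: an unsigned hash list could simply be
    # rewritten by whoever rewrote the files.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest signature invalid"]
    findings = []
    current = build_manifest(root, key)["files"]
    for rel, digest in manifest["files"].items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest["files"]:
            findings.append(f"unexpected: {rel}")
    return findings


def demo() -> tuple:
    """Constructed scenario: a tiny payment-app tree, a tampered config, a forged manifest."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "conf"))
    with open(os.path.join(root, "pos.bin"), "wb") as f:
        f.write(b"\x7fELF constructed binary stand-in")
    cfg = os.path.join(root, "conf", "gateway.cfg")
    with open(cfg, "w") as f:
        f.write("gateway=https://payments.example/api\n")
    manifest = build_manifest(root, MANIFEST_KEY)
    clean = verify_manifest(root, manifest, MANIFEST_KEY)

    # Simulate tampering with the configuration file after installation.
    with open(cfg, "w") as f:
        f.write("gateway=https://changed.example/api\n")
    tampered = verify_manifest(root, manifest, MANIFEST_KEY)

    # Simulate someone also editing the hash list without knowing the key:
    # the HMAC no longer matches, so the forged manifest is rejected.
    forged = dict(manifest)
    forged["files"] = dict(manifest["files"], **{"conf/gateway.cfg": hash_file(cfg)})
    forged_result = verify_manifest(root, forged, MANIFEST_KEY)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result or "OK")
```

The check runs at application start and can be repeated on a timer; the important design choice is that the manifest is signed with a key the terminal's file system does not hold, so modifying both the files and the hash list is detected as well.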
"Most people in the retail industry don't know much about information security, and they shouldn't have to, because security features should be provided by the payment system out of the box," Gomzin wrote.
Using tools like source code analysis, vendors can eliminate the software security gaps in POS tools and payment processing applications to provide exactly that. As cybercrime increases, businesses will increasingly be looking for secure solutions that can be implemented with minimal end user IT expertise. Developers would be wise to pay attention.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.