Losing Faith with Retail POS?

Posted on by Christopher Burgess

The technology section of every newspaper, magazine or online outlet lately is describing how using your credit card at a retail point of sale (POS) terminal is a bit like playing Russian roulette — are the terminals or are they not compromised? The recent batch of retail breaches of payment card industry (PCI) data began with Target, then Neiman Marcus, Michaels, and a bevy of yet-to-be-identified entities, and is feeding the fear that the retail ecosystem is in danger. The consumer is asking the industry, "Why can't you keep my consumer data secure? If you are compliant, why aren't you secure?"

This sense of frustration is further exacerbated for consumers as they watch their precious man-hours being sucked out of the day when their bank presents them with a new credit card. It is their hours that are expended as they clean up after the retailer's error. The consumer's merchants are also thanking the bank for the opportunity to expend their operating expense (OPEX) on changing the account data of their customers. The banks are replacing approximately 100,000,000 credit cards following these breaches — a staggering number indeed; and the cost of the replacement will be equally staggering.

EMV the Future?

Is the Europay-MasterCard-Visa (EMV) system (chip and PIN) in our future? EMV cards are already in use in Canada and Europe. Their banks are no doubt smiling and commenting on how the United States may be about to get on the boat of secure retail POS. The PCI Security Standards Council has not made it mandatory, nor has industry pushed to make a more secure retail POS a requirement of PCI certification. But, odd as it may appear, perhaps there will be a groundswell from retail merchants demanding that their exposure be reduced. Could it be that actuarial analysis continues to conclude that these breaches and their attendant costs to the banking industry are acceptable? Could the funds not covered by breach insurance be woven into the annual fees for card holders? Will it take consumers moving away from the convenience of cards, or at least insecure cards, to make the banks take notice? How many hacks must occur?

Stand Up and Be Counted

Enter the security consultants, vendors, and forensic investigators, some of whom are champing at the bit to get inside and see how the compromise occurred, learn from it and work to ensure it doesn't happen again, while others are simply mercenary. Though we should not advocate removing the competitive nature of the industry participants, it requires not even a modicum of intellect to understand that the current state of affairs at the US retail POS is unsatisfactory. The situation is nowhere near where it could be — there is, as evidenced by the multiple breaches, plenty of room for improvement.

Perhaps this is the time when the security industry, as a whole, steps up the cooperation and collaboration to align and solve problems. Making it easy for merchants to implement retail POS solutions which are both secure and easily verified would be a good start. Coupling this with mandatory security awareness at the banks supporting the retail merchant will go a long way toward illustrating that security is everyone's responsibility. And when security is everyone's responsibility, there will be fewer occurrences of willful ignorance, and a genuine desire to help and assist one another, regardless of where one sits within the ecosystem, to maintain a secure system. If this does not occur, it should be assumed that the criminal elements will sniff out and exploit the weakest link.

Christopher Burgess, Prevendra Inc.



Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
