Security Beyond EMV
By Brandon Gruttadauria – Field Technical Consultant – Ingram Micro
EMV is bringing security to the forefront of merchants’ minds. But what types of security solutions do retailers need beyond EMV?
The EMV liability shift will soon be here, but while EMV will help reduce card-present fraud, adopting EMV solutions will do nothing to prevent data breaches of customer information. Breaches will continue to happen – it’s a lucrative business – and what’s most concerning is not always the size of the breach but how easily most could have been prevented. Most thefts can be attributed to people, processes or technologies – elements of a business completely under leadership’s control.
People. Phishing scams are a heavily used strategy for acquiring login names and passwords. Person-to-person phishing relies on psychological tricks in which the attacker pretends to be someone he or she is not. Fraudsters often instill a sense of trust or fear in their victims, and then do their best to exploit employees to obtain login details or information about specific datacenter systems.
Email phishing is also effective: attackers craft emails that appear to come from a “trusted” website. Once the tricked user enters the requested credentials, the attacker gains access.
How to mitigate this risk? Many security firms have found that single training sessions can be highly ineffective. While some users pay full attention, others tune out the message, or simply click through online training without learning anything. A better method is a multi-step staged approach:
- Gain support from the executive leadership to provide a continuous training program for employees
- Conduct a “safe” phishing attempt to determine how many employees were baited and to establish a vulnerability baseline
- Host in-person trainings for staff based on the results of the “safe” phishing attempt
- Conduct additional staged phishing attempts on a periodic but unexpected basis
- Continuously track and report progress to the executive team
Processes. The saying goes “if you can’t measure it, you can’t manage it,” and that remains true when creating processes for handling data. Retailers capture, transmit and store an incredible amount of highly valuable data, including a simple transaction log that is sent every night at close of business, customer information tied to loyalty cards, and reams of marketing data that help to predict customers’ purchasing patterns. This data is highly valuable, and understanding how the retailer handles it can uncover security risks.
One area of opportunity is to ensure all retailer customers are in full PCI compliance. Verizon’s 2015 Compliance Report places only 20% of retailers at full compliance in 2014 (1). Being fully PCI compliant demands a world of process change, and the technology purchases it requires typically act as a drag on revenue. It’s worth remembering that even though a retailer may be PCI compliant today, tomorrow it may not be. A simple change, perhaps a website update that wasn’t properly tested, could lead to an exploit and a breach of data. Conducting those tests, capturing the results and maintaining the proper documentation is paramount at all levels of the PCI scope and should be built into any process that touches technology in the retail environment.
How to mitigate this risk? When we fully understand a retailer’s business processes and standard operating procedures, we can advise on the proper methodologies for applying a technology solution. Without these processes in place, the risk of an information security breach increases.
Technology. When we’ve properly uncovered the process of a retailer’s data or helped them achieve PCI compliance, we can then address the client’s technology needs. This approach is multifaceted; a solution provider will need to be familiar with a variety of solutions involving networking, IP surveillance, storage and server infrastructure, and software—just to name a few. Having expertise in all those areas can be challenging; many of our retail-specific solution providers leverage vendors, distribution partners or even peers to help fully deliver on an end-to-end retail PCI solution.
How to mitigate this risk?
For those looking to get into this space, consider your technicians’ expertise and map them to adjacent PCI opportunities.
| Tech Skills | Recommended Solutions |
| --- | --- |
| Networking experience | Tap into a network security solution leveraging next generation firewalls or network access control |
| General data center experience | Autonomous patch management, encryption, or data loss prevention solutions |
| Mobility experience | Mobile Device Management (MDM) to prevent data leakage |
Understanding security risks and offering trusted solutions can help you differentiate your business from the competition. Need help? Solution providers can seek assistance from their channel distributor to tap into vendors, professional services and partnerships that can help grow your business. Specific to retail, professional services can supplement your solution offerings with PCI compliance services such as penetration testing, website vulnerability assessments, EMV key injection services, and training.
1. Verizon 2015 PCI Compliance Report – http://www.verizonenterprise.com/pcireport/2015/
About the Author
Brandon Gruttadauria is a Field Technical Consultant at Ingram Micro. As such, he has extensive experience with emerging technologies, both in designing and securing data center and vertical market specific solutions, including traditional data center infrastructure, and software defined and virtualization solutions, cloud and on premise hosted enterprise management solutions, and endpoint management solutions. Brandon has more than nine years of experience consulting with channel partners and their end users on how to secure their data and intellectual capital, and holds dozens of industry certifications. Information on Ingram Micro’s Retail Advantage can be found at us-new.ingrammicro.com/retailadvantage
Ingram Micro helps businesses Realize the Promise of Technology™. It delivers a full spectrum of global technology and supply chain services to businesses around the world. Deep expertise in technology solutions, mobility, cloud, and supply chain solutions enables its business partners to operate efficiently and successfully in the markets they serve. Unrivaled agility, deep market insights, and the trust and dependability that come from decades of proven relationships set Ingram Micro apart and ahead. More at www.ingrammicro.com