Card-Not-Present: Security Considerations for Point of Sale Businesses
As the retail world’s center of gravity shifts to the cloud, payment card fraud has followed suit. According to Verizon’s retail vulnerabilities study, attacks against e-commerce applications are by far the leading cause of retail data breaches. This trend mirrors similar outcomes in other industries, like food service. A complementary Verizon study finds remote attacks against food service operators on the rise, as well.
In both industries, the swing to card-not-present (CNP) fraud has been sudden and swift. Verizon’s data shows an utter collapse in retail point-of-sale (POS) attacks as a share of total breaches in the past six years — from roughly 80% in 2014 to less than 10% in 2019. Web application attacks have filled the void, rising from less than 10% in 2014 to about 50% in 2019. In food service, point-of-sale attacks declined from a roughly 90% share to a sub-20% share.
Customers’ expectations haven’t kept up. According to a survey by Money Crashers, a personal finance publication, 52% of consumers aren’t concerned with the security of the payment apps they use every day. Just 30% have held off on downloading a payment app over security concerns.
Attackers Are Hitting Their Marks
Consumers’ cavalier attitudes persist despite persuasive evidence that hackers hungry for payment card information and sensitive personal data — names, addresses, ID numbers, security questions and answers — are getting better at hitting their marks. Since the beginning of 2018, remote attacks have affected a major U.S. department store chain, a popular fast-food operator, and a leading online-only clothing retailer.
And those are just the attacks that hit the news.
Why and how are attackers getting better at what they do? In many cases, it’s because victims unwittingly give them a hand. For example, Verizon’s retail vulnerabilities study found retailers patch only about half of the known vulnerabilities within a quarter of their discovery.
Put another way: Due to resource constraints, operational inertia, or plain old inattentiveness, retailers allow about half of the attack vectors they know about to languish for longer than three months.
How to Protect Yourself From Remote Cyberthreats
No security protocol is foolproof, but would-be victims can do better. Here’s how retailers and food service operators can protect themselves from card-not-present attacks and related data loss.
An SSL (Secure Sockets Layer) certificate provides a critical measure of additional security to public websites. SSL is often considered only in the context of functions that demand a high level of protection, such as checkout pages, where the need to protect payment data and sensitive customer information is obvious. Unfortunately, using SSL only where it seems warranted simply shifts hackers’ attention elsewhere to pages with easier-to-exploit vulnerabilities, which function as de facto backdoors for creative attackers.
2. Constantly Monitor for Signs of Deception
SSL might protect the web properties you control from direct compromise, but it can’t do anything about web properties you don’t control — even when those properties bear more than a passing resemblance to your own.
“Spoof” landing pages are increasingly popular (and, sadly, fruitful) with attackers seeking to collect payment card data and other personal information from unsuspecting buyers. These pages are designed to look like legitimate extensions of legitimate vendors’ web presence but instead point to the attackers’ domains. Creative attackers can operate these pages for days or weeks without being discovered by the vendor they’re imitating.
To fight back, purchase domain names similar to yours (as well as less-common extensions) and regularly search the web for your company name.
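One way to triage the results of that regular search, as an added example that is not part of the original article: it flags domains that differ from yours only by extension, look-alike characters, a near-miss spelling, or an appended word. The brand domain, the observed list, and the distance threshold of 2 are constructed assumptions, and each input is assumed to be a registrable domain whose first label is the name.

```python
import unicodedata

BRAND = "examplestore.com"  # hypothetical brand domain (assumption)
# Look-alike character swaps folded to one form; hyphens are dropped.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})


def skeleton(label):
    """Reduce a domain label to a form in which look-alikes compare equal."""
    folded = unicodedata.normalize("NFKD", label.lower())
    ascii_only = folded.encode("ascii", "ignore").decode()
    return ascii_only.translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance, keeping only two rows of the table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand=BRAND):
    """Return why `domain` resembles `brand`, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain == brand:
        return None
    name = domain.partition(".")[0]
    brand_name = brand.partition(".")[0]
    if name == brand_name:
        return "same name, different extension"
    skel, brand_skel = skeleton(name), skeleton(brand_name)
    if skel == brand_skel:
        return "look-alike characters"
    if edit_distance(skel, brand_skel) <= 2:
        return "near-miss spelling"
    if brand_skel in skel:
        return "brand name embedded"
    return None


# Constructed sample of domains found while searching for the company name.
OBSERVED = ["examplestore.com", "examplestore.shop", "examp1estore.com",
            "exampelstore.com", "examplestore-checkout.net", "gardentools.org"]


def review(observed=OBSERVED):
    """Map each suspicious domain in `observed` to the reason it was flagged."""
    return {d: reason for d in observed if (reason := classify(d))}
```

Domains flagged as "same name, different extension" are candidates for the defensive registration recommended above; the other categories are the ones to investigate.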
3. Collect The Right Information About Your Buyers
This includes but isn’t limited to the buyer’s IP address, name (and company name, if applicable), shipping and billing addresses, phone number, and email address. Use this information to check out suspicious activity, such as multiple orders to different shipping addresses using the same billing address.
Also consider additional identity-confirmation measures, such as requiring a signature at delivery or confirming the order by phone, which often isn’t possible for international fraudsters using fake U.S. phone numbers.
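The suspicious pattern named above (one billing address, several different shipping addresses) can be checked automatically. The following is an added example, not part of the original article: the order records, their field names, and the threshold of more than two distinct shipping addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample orders; field names are assumptions, not a real platform's schema.
ORDERS = [
    {"id": "A100", "billing": "12 Oak St., Springfield, IL 62701",
     "shipping": "12 Oak St, Springfield IL 62701"},
    {"id": "A101", "billing": "9 Elm Ave, Dayton, OH 45402",
     "shipping": "400 Pine Rd, Reno, NV 89501"},
    {"id": "A102", "billing": "9 ELM AVE  Dayton OH 45402",
     "shipping": "77 Bay Ct, Tampa, FL 33602"},
    {"id": "A103", "billing": "9 Elm Ave., Dayton, OH 45402",
     "shipping": "15 Hill Ln, Boise, ID 83702"},
    {"id": "A104", "billing": "12 Oak St, Springfield, IL 62701",
     "shipping": "12 Oak St, Springfield, IL 62701"},
]


def normalize(address):
    """Fold case, punctuation and spacing so trivially different spellings match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", address.lower()).split())


def flag_shared_billing(orders, max_shipping=2):
    """Return billing addresses used with more than `max_shipping` distinct
    shipping addresses, mapped to the ids of the orders involved."""
    shipping_by_billing = defaultdict(set)
    ids_by_billing = defaultdict(list)
    for order in orders:
        billing = normalize(order["billing"])
        shipping_by_billing[billing].add(normalize(order["shipping"]))
        ids_by_billing[billing].append(order["id"])
    return {
        billing: sorted(ids_by_billing[billing])
        for billing, shipping in shipping_by_billing.items()
        if len(shipping) > max_shipping
    }
```

Without the normalization step, the three spellings of the Elm Ave billing address would count as three unrelated customers and the pattern would go unnoticed.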
4. Apply Software and Firmware Updates as Soon as They Become Available
Any unpatched piece of software or firmware represents a potential threat. Accordingly, make it a policy — and a priority — to apply updates and patches as soon as they become available. This includes not just the operating system and browser updates you’re likely to undertake as a matter of course but often-overlooked updates such as those for routers and printers.
Final Thoughts
Card-not-present fraud is on the rise in the retail and food service sectors. Unfortunately, nothing we’ve seen in the recent past suggests this state of affairs will change anytime soon. Retailers and food service operators — and other vendors vulnerable to CNP fraud — must take proactive measures to protect their payment systems from compromise.
We’ve identified four strategies that virtually every customer-facing business can take in the near term to reduce the risk of CNP fraud. It’s time to contemplate implementing these strategies. The buying public demands nothing less.