As the trend continues toward smart terminals with integrated software for payments and other services, criminals seem likely to step up efforts to get their hands on a new treasure chest of data at the point of sale.
Even though payments services have made unprecedented technical advances the past few years, criminals love security gaps that can arise with new technology, making it easier to enter networks that hold personal information and card credentials.
We live in an EMV environment, said Julie Conroy, research director and fraud expert with Boston-based Aite Group, referring to chip-based card transactions at terminals around the world, and a technology that will become more prevalent in the U.S. later this year.
As such, criminals will be looking to other data they can go after and monetize, and integrated POS represents the opportunity to find new data that might not be as protected as the payment card data, and that is a new risk we have to look out for. Unfortunately, in many cases, innovation often precedes security, Conroy said.
It means iISOs have to become well-versed on software integration at the POS as well as the security needed to keep that software safe.
Terminals are becoming places where merchants can add software for data analytics, loyalty and rewards, gift card acceptance, customer management tools and even accounting or payroll programs. On top of all of that, the integrated terminal generally is prepared to accept any type of emerging payments so as to move those transactions over the credit and debit rails.
Apple Pay serves as a case in point. At its core, Apples new mobile payment system simply represents a new way to move card transactions over the network rails through Near Field Communication at the terminal and smartphone. But merchants need terminals smart enough to accept those payments with proper coding and security protocols.
Understanding this latest trend, the Payment Card Industry Security Standards Council in mid-December issued guidance and recommendations on terminal software security, stressing safety in the development of software that would operate on a POS terminal.
All applications that store, process or transmit cardholder data are in scope for a merchants PCI data security assessment.
Requirements cover software code required to meet parameters defined in the councils point-of-interaction devices and PIN transactions guidance.
PCI also calls for awareness training that supports secure software development, as well as defining a security roadmap that outlines malware threats to assure the software addresses those concerns.
Device-level testing is imperative to understand how the application will work when used with hardware or other applications, the PCI Council said.
It is also important for an organization to stay aware of the latest threats and establish security procedures to thwart them.
Criminals are looking at every aspect of a payment transaction to find ways for data exfiltration, said Troy Leach, the councils chief technology officer.
Consumers and merchants alike benefit from additional features, but complexity and increasing dependency on third-party applications can create new opportunities for criminals to exploit, Leach said.
Due diligence is so vital in the development of software that terminals rely upon, Leach noted.
Understandably, U.S. merchants should be immersed this year in details for obtaining new terminals or undertaking upgrades to accept EMV chip-card payments. If they are not ready to accept EMV transactions by October 2015, they become liable for fraud at the POS.
But they cant assume EMV preparation keeps the POS secure from the increasing malware attacks, Aites Conroy said.
EMV does not stop capturing the data from the POS because it doesnt do anything to encrypt the data once it has passed through the terminal, Conroy said. EMV impedes the criminals ability to monetize the data from the POS, so it is very effective from a counterfeit fraud perspective.
The POS remains a target, shesaid. Most of the POS malware is looking for that track 1 or track 2 card data, at the points that it is unencrypted before sending to the acquirers and networks for processing, she said.
Track 1 and track 2 carry the cardholder account information needed to complete a transaction, with track 1 the only track capable of containing alphabetic text, meaning it carries the cardholders name.
Merchants are protected best by a three-legged stool that includes tokenization for data at rest, end-to-end encryption for data in flight, and EMV for data when it is between the consumer and terminal to prevent counterfeiting, Conroy said.
Merchants are becoming more aware of POS attacks, and more of them want the security that goes with such software integration advancements, said John Berkley, senior vice president of product at Mercury Payment Systems.
Security is absolutely what people expect from their acquiring partner, Berkley said. We would never say you can do payment processing with us, but you are on your own as far as keeping that data secure.
The new technology gives ISOs an opportunity to go in and sell something new and different, Berkley said, noting that we all know what happens when everyone is selling the same product.
The challenge for ISOs is to become more sophisticated and understand what their merchant clients should be doing with data analytics or loyalty programs, Berkley said.
You have to be an expert in data security, and you never had to worry about that for years, he maintained. We will see the same thing with smart terminals, because you cant take a terminal out of a briefcase and just simply put it in place anymore. You actually need to know a lot more.
Another factor fueling the advancement in software at payment terminals is an inevitable maxing out of the people who were introduced to the point of sale through their own personal electronic devices, said Joe Pergola, president of AccuPOS, a terminal software developer.
Small merchants who started accepting payments through mobile dongles attached to smartphones or iPads will see that technology get stretched over time and will seek terminals that can accomplish more tasks, Pergola said.