Payments security experts are warning that the Spectre and Meltdown computer chip flaws pose risks to some merchants whose payment systems transmit cardholder data from the processor back to the point of sale.
The vulnerabilities, widely reported this month, could affect most of the world’s computers and many smartphones. Although work began on fixes and patches immediately after the chip problem was revealed, payments is one of the industry sectors that could be in harm’s way, experts say.
No one is entirely sure how many attack vectors the Spectre and Meltdown vulnerabilities create, or how exploitable they are, but the biggest worry is the logistical challenge of getting all users to update nearly all their devices and workstations when reliable patches soon become available.
Specifically, the Spectre and Meltdown hardware flaws could enable attackers to trick affected computer chips into exposing data including passwords and encryption keys, which could lead to exposure of cardholder payments data, according to Dominic Lachowicz, senior vice president of engineering at payments processor Cayan, which TSYS recently acquired.
An attacker could use malware to exploit the vulnerabilities at stores using solutions that pass cardholder data back to the point of sale, Lachowicz said.
“With Spectre and Meltdown, there’s a certain amount of risk that we could see cardholder data exfiltrated, similarly to what we saw in years past with attacks at Target and Home Depot, where merchants retained a cached database of cardholder data,” he said.
Merchants with semi-integrated solutions that don’t store data have greater protection from these chip flaws, but merchants’ systems vary widely, he noted.
Payments security expert Julie Conroy, research director at Aite Group, rated the merchant risks associated with Spectre and Meltdown as medium-level, noting that anyone with a computer could possibly be exposed to attacks when they happen, and merchants are no exception.
“The good news is that security researchers discovered the problem first, so we really haven’t seen any attacks in the wild yet,” Conroy said.
But it’s too soon to rule out risks.
“Cybercriminals read the news too, so you can bet they already have attacks underway that exploit these flaws,” Conroy said, noting that merchants would be a prime target for crooks because it’s notoriously difficult to get the majority of merchants to implement required upgrades and patches.
“I’m sure we’ll see some midsize merchants—think grocery stores—who lose their data as a result of this vulnerability,” Conroy said.
The threat reinforces the lesson that the only way for merchants to thoroughly protect themselves against breaches is to devalue the data through tokenization, or remove it from their environment entirely, she said. It also highlights the need for modern technology at the point of sale.