The advance of smart cards, mobile and cloud-based payments all promise one thing: better security. But in many cases, they rely on the same vulnerable hardware at the point of sale.
"Fraudsters continue many of their same methods, but malware specifically designed for payment terminals is on the rise," says Simon Gamble, Mako Networks' San Francisco-based president of North America.
Mako, which is headquartered in Auckland, New Zealand, has operated in the U.S. for more than a year, providing end-to-end Payment Card Industry Data Security Standard (PCI DSS) compliance services for cloud-based networks.
Fraudsters are remotely entering a payment terminal to steal data and send it elsewhere, Gamble says. The merchant may feel the data is moving properly to the payment processor and on to the bank, because the system operation won't look any different. The first time a merchant may find out he has a problem is when the card networks call to say it appears a lot of current fraud is coming from the merchant's location, Gamble says.
"And that's when the forensics team comes out and the merchant discovers he is not PCI compliant in a lot of areas," he says.
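Because the exfiltration Gamble describes leaves the terminal itself looking normal, the practical place to catch it is the network edge: a point-of-sale host has a very short list of legitimate destinations, so anything else leaving it is worth an alert. The following is an added example, not code from the article, Mako Networks, or any firm quoted here. It reads a constructed firewall connection log, treats one subnet as the POS segment and one processor gateway on port 443 as the only permitted destination, and reports every other outbound flow from that segment. The subnet, the addresses, and the log format are all assumptions for illustration.

```python
"""Egress allow-list check for point-of-sale hosts (added example, not Mako's code)."""
import ipaddress
import re
from collections import defaultdict

# Assumption: POS terminals sit in this subnet and may only reach the payment
# processor's gateway on TCP 443. Both values are placeholders (TEST-NET ranges).
POS_SUBNET = ipaddress.ip_network("10.0.5.0/24")
ALLOWED_EGRESS = {"203.0.113.10": {443}}

# Constructed firewall log in a made-up key=value format. It mixes legitimate
# processor traffic, an office PC outside the POS segment, a malformed line,
# and two large uploads from a terminal to an address that is not the processor.
SAMPLE_LOG = """\
2024-01-05T10:02:11Z src=10.0.5.10 dst=203.0.113.10 dport=443 bytes=1842
2024-01-05T10:02:40Z src=10.0.5.10 dst=203.0.113.10 dport=443 bytes=2011
2024-01-05T10:03:02Z src=10.0.5.10 dst=198.51.100.77 dport=443 bytes=51200
2024-01-05T10:04:00Z src=10.0.9.4 dst=198.51.100.77 dport=443 bytes=300
this line is not a connection record
2024-01-05T10:05:15Z src=10.0.5.10 dst=198.51.100.77 dport=443 bytes=49872
2024-01-05T10:06:00Z src=10.0.5.20 dst=203.0.113.10 dport=443 bytes=1500
2024-01-05T10:06:30Z src=10.0.5.10 dst=203.0.113.10 dport=8443 bytes=900
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for one well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_unexpected_egress(log_text, allowed=ALLOWED_EGRESS, pos_subnet=POS_SUBNET):
    """Aggregate flows from the POS subnet that are not on the allow-list.

    Returns a list of findings, largest byte volume first. Each finding carries
    src, dst, dport, the number of connections seen, and the total bytes sent.
    """
    totals = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not trusted
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        if src not in pos_subnet:
            continue  # only the payment segment is held to the allow-list
        if rec["dport"] in allowed.get(rec["dst"], set()):
            continue  # expected processor traffic
        key = (rec["src"], rec["dst"], rec["dport"])
        totals[key]["connections"] += 1
        totals[key]["bytes"] += rec["bytes"]
    findings = [
        {"src": s, "dst": d, "dport": p, **counts}
        for (s, d, p), counts in totals.items()
    ]
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} "
              f"{f['connections']} connections, {f['bytes']} bytes")
```

On the constructed log this reports two findings: the terminal 10.0.5.10 sending roughly 100 KB to 198.51.100.77, and one connection from the same terminal to the processor on a port that was never approved. The office PC reaching the same unknown address is deliberately ignored here because it is outside the POS segment; in a real deployment that segment boundary is exactly what a merchant browsing the web on the terminal itself has erased.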
The security of payment terminals is such a problem that forensics teams will often find two or three pieces of malware in a merchant system, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"These merchants are surfing the Web on the same computer they are using as a payment terminal, and that's when many of these malware attacks can occur," Conroy adds.
Malware attacks are a major issue for smaller merchants, says Bernie Pasierb, analyst and fraud expert for New York- and London-based Auriemma Consulting Group.
"In many cases, it's a matter of getting back to the basics and changing passwords and doing the proper housekeeping stuff on the system," Pasierb says.
Changing payment network technology "doesn't change the [fraud] ballgame" in terms of keeping a network secure, Pasierb adds.
Gamble couldn't agree more.
Areas of a network that could represent a potential problem continue to grow as payment technology advances, Gamble says. "PCI specifications are ever-changing and you have to keep them up-to-date."
Many merchants believe their system is PCI compliant, but only specific parts of the system may be in compliance, Gamble says.
With advancements in cloud-based networks, mobile card-readers, phones and other wireless devices as terminals, a merchant must be certain that all of the software, hardware and communications between the cloud and hardware are compliant, Gamble says.
The migration to the EMV chip-card standard in the U.S. does not absolve merchants of the need to stay in compliance with PCI rules, says Susan Matt, CEO of ThoughtKey Inc., an Atlanta-based PCI consulting firm.
"EMV changes the landscape of PCI as to where the potential data breach points are, but it is still a matter of securely moving data, no matter who is handling it," Matt says.
EMV will nevertheless provide a security boost, Matt says.
As voice and payments networks merge for convenience and speed, many security holes could develop, Gamble says.
"You used to pick up a phone and your voice was on a telephone network," he adds. "Now you can use a Google voice number on an Internet protocol phone."
Similarly, payment data used to go over phone modems, but now it's on shared networks and IP networks, he says.
Mako works with partners Phoenix Managed Networks and Ateria Solutions in Dallas, Texas to teach customers and potential customers about security, Gamble says.
"Clients see computers and payment terminals and they think they are the same thing," Gamble says.