A common thread unites smart cards, mobile payments and cloud-based computing: all promise better security. But those gains are often negated by aging, vulnerable hardware at the point of sale.
"Fraudsters continue many of their same methods, but malware specifically designed for payment terminals is on the rise," says Simon Gamble, Mako Networks' San Francisco-based president of North America.
Mako, which has headquarters in Auckland, New Zealand, has operated in the U.S. for more than a year, providing Payment Card Industry data security standards compliance services for cloud-based networks.
Criminals are entering payment terminals remotely to steal data and send it elsewhere, Gamble says. A merchant may feel the data is moving properly to the payment processor and on to the bank, because the system's operation won't look any different.
A merchant may not find out there's a problem until the card networks call to say a lot of current fraud is coming from the merchant's location, Gamble says.
"And that's when the forensics team comes out and the merchant discovers he is not PCI-compliant in a lot of areas," he says.
The security of payment terminals is such a problem that forensics teams will often find two or three pieces of malware in a merchant system, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"These merchants are surfing the Web on the same computer they are using as a payment terminal, and that's when many of these malware attacks can occur," Conroy says.
Malware attacks are a major issue for smaller merchants, says Bernie Pasierb, analyst and fraud expert for New York- and London-based Auriemma Consulting Group.
"In many cases, it's a matter of getting back to the basics and changing passwords and doing the proper housekeeping stuff on the system," Pasierb says.
Changing payment network technology "doesn't change the [fraud] ballgame" in terms of keeping a network secure, Pasierb maintains.
Gamble couldn't agree more.
Areas of a network that could represent a potential problem continue to grow as payment technology advances, Gamble says. "PCI specifications are ever-changing and you have to keep them up-to-date."
Many merchants believe their systems comply with PCI, but only some parts of the system may be in accord with standards, Gamble says.
With advancements in cloud-based networks, mobile card-readers, phones and other wireless devices as terminals, a merchant must be certain that all of the software, hardware and communications between the cloud and hardware are compliant, Gamble says.
The migration to the EMV chip-card standard in the U.S. does not absolve merchants of the need to stay in compliance with PCI rules, says Susan Matt, CEO of ThoughtKey Inc., an Atlanta-based PCI consulting firm.
"EMV changes the landscape of PCI as to where the potential data breach points are, but it is still a matter of securely moving data, no matter who is handling it," she says.
EMV will nevertheless improve security, Matt says.
As voice and payments networks merge for convenience and speed, many security holes could develop, Gamble says.
"You used to pick up a phone and your voice was on a telephone network," he says. "Now you can use a Google voice number on an Internet protocol phone."
Similarly, payment data used to go over phone modems, but now it's on shared networks and IP networks, he says.
Mako works with partners Phoenix Managed Networks and Ateria Solutions in Dallas, Texas to teach customers and potential customers about security, Gamble says.
"Clients see computers and payment terminals and they think they are the same thing," Gamble says.