Protecting the point of sale means improved third party vetting
GameStop. Wendy’s. Verifone. Chipotle. With retail breaches now gracing headlines on what feels like a weekly basis, it’s now well established that the retail sector represents a growing target for cybercriminals.
Attackers are increasingly eyeing industry networks as a wealth of personal customer information and credit/debit card and financial data.
While reasons for this uptick vary, it’s clear attackers have taken advantage of retail organizations with unknown or unaddressed security gaps, including hidden vulnerabilities in the network, exposed or unencrypted customer data on back-end or third-party databases, and lack of comprehensive security defenses. Combined with a dearth of sensitive credit card and customer data at their fingertips, these vulnerabilities have created a perfect storm for attack, and, as a result, perpetrators are attacking these targets with reinvigorated aggression.
As a major threat vector and often the main point of entry for attack, vulnerable third-party point of sale (POS) systems present one of the most significant risks for retail organizations. For one, POS systems represent attractive targets to attackers because they store millions of credit and debit card numbers, as well as customer account and personal information. That data can not only be accessed by the retailer, but by the third-party POS vendor and all other entities with access to the vendor’s systems.
What’s more, POS systems often contain numerous unknown and hidden vulnerabilities, attributed in part to disparate or inadequate security standards of the authorizing third-party payments system vendors. If critical, any number of those vulnerabilities enable easy access into the network, representing “low hanging fruit” for cyber criminals’ intent on infiltrating a network, with few barriers to entry. Attackers can then execute malware on POS systems designed to skim data off swiped cards, achieve a quick return with ransomware, or on a larger scale, leverage these systems to deploy sophisticated application-level attacks. And that’s just the tip of the arrow.
One of the biggest reasons these POS systems are particularly susceptible to attack is that they are often implemented and managed by third party vendors, as opposed to the retailer, who is not beholden to the same enforceable security and compliance standards as the retailer. Consequently, POS systems often lack adequate security defenses and data protection technologies that would otherwise detect malware and cyber intruders. And while the third party POS system govern financial transactions, the resulting fallout from a breach will inevitably be on the retailer, who will pay for it with financial losses, customer attrition and damage to brand and reputation.
But security is only as good as that of your weakest partner, and taking the time to thoroughly perform proper due diligence and screening, while ensuring that the security measures of third parties are up to par goes a long way to mitigate risk down the road. As retailers continue to be attacked, it will be absolutely mandatory that they assess and fully understand their risk environment, including security holes and vulnerabilities created by third parties. This also includes understanding third party compliance requirements, studying previous audits and assessing their security infrastructure, as well as knowing where their most critical data resides that could leave them susceptible to an attack.
What’s more, retailers need to consider the level of third-party access to their network or critical data when evaluating their risk environment. This holds especially true for partners, such as third party POS vendors, that are not beholden to the same standards yet are responsible for the business’ most sensitive data.
Gaining a comprehensive understanding of their risk environment will then give retailers the ability to prioritize their most critical data, credit card numbers and customer account information, to be properly secured. Only when retailers are armed with this knowledge can they create an effective strategy that will enable them to combat these threats and mitigate attacks. Failing to do so will all but ensure your business ends up the next breach headline.