You have no doubt heard about Target stores' holiday cyber breach hitting 40 million payment cards. This was the second-largest breach reported by a U.S. retailer and, in terms of speed (just 19 days from the day before Thanksgiving to last Sunday), it was unprecedented. Mark Bower, VP of product management at Voltage Security, comments on this major story, which is still unfolding:
Unfortunately this massive breach is a reflection of the times we live in. The size, scale and coordination required for this attack illustrate the lengths that attackers will go to to steal valuable credit and debit information, including card track data and CVV codes – the ultimate prize. Typically there are two points in the retail chain where attacks take place – the POS or the payment switching back end. POS systems are often the weak link in the chain and vulnerable. They often run a standard OS and are thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, a patch system or, worse, an insider. In use, POS systems should be isolated from other networks to restrict access to payment data flows, but they are often connected to many systems. As POS and checkout systems are in constant use, especially around high-volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable to malware compromise impacting massive amounts of cardholder data, as we see today with Target. If this breach was further up the chain, perhaps in the authorization and settlement switching systems in the retail back end, then the track data and CVV codes should never have been stored – even if encrypted. There’s no need, and it’s forbidden under PCI DSS, yet sadly it still happens.
The good news is that there is a way to prevent this very efficiently. Savvy retailers are already tackling this risk and fighting back by giving the malware nothing to steal. Point-to-point encryption (P2PE) from the instant the card data is read, also called end-to-end encryption, addresses this risk by encrypting all the payment card data before it even gets to the POS. If the POS is breached, the data will be useless to the attacker. Tokenization can eliminate live data from post-authorization retail processes like warranty and returns while still enabling the retail business to operate as before – even at Black Friday scale. No live data means no gold to steal. Attackers don’t like stealing straw. We’ve helped thousands and thousands of merchants, along with their payment gateways and acquirers, to embrace this approach using powerful new techniques with no impact on the retail process, yet practically eliminating the possibility of an attack like the one Target is dealing with today. And with EMV on the horizon to make it much harder to counterfeit physical cards from stolen data, and with P2PE and tokenization to protect the card data in the retail flow, merchants can turn the tables on data breaches in a major way. With the significant reduction in the cost of PCI compliance, there’s also an ROI to justify it, in addition to avoiding the cost and complications of remediating 40 million breached cards as in this case.
The Voltage SecureData Payments solution enables full end-to-end protection of cardholder data, including Track 2, CVV, PAN and other data, from the moment the data is read inside the card reading device’s secure and tamper-resistant ecosystem – for example, Ingenico or Equinox payment card readers and PIN entry devices. Using Voltage’s Format-Preserving Encryption, standardized as NIST 800-38G, the data is encrypted at the point of capture such that systems receiving it, such as a Point of Sale system, still see data in the format of Track 2 and so on, but the data is in fact encrypted – the Track format is preserved to the extent that the payment can still flow unimpeded. Thus the encrypted payment data can be used and pass through the POS checkout and through the merchant IT systems to the switch or host systems, end to end. If the data is intercepted, it cannot be decrypted, as it is rendered unreadable to the attacker – it is effectively random data to them. Only the trusted receiving host system can decrypt the data for Authorization and Settlement. Key management is dramatically simplified using Stateless Key Management, removing the pain and headache of traditional approaches by eliminating key injection and management in the device. This unique advantage reduces the cost of operation and complexity for retail store operations while providing maximum security.
Host systems supported include HP Nonstop, IBM z/OS platforms and other typical open systems transaction processing systems, and Thales HSMs. After decryption at the host, Voltage’s Secure Stateless Tokenization, also supported on HP Nonstop, IBM z/OS and open systems, can provide a token to replace the PAN value for either merchants or internal processes at the host acquirer, to remove cardholder data from business processes for charge-backs, warranty claims and so on. This solution is used at 6 of the 8 top payment processors in the US, 3 of the 5 largest retailers in the US, top airlines and global credit card brands. The benefits are a dramatic reduction in the risk of data breaches by removing live data from systems without disruption to IT or business processes, and a reduction in the cost of PCI DSS compliance – in some cases by as much as 95%.
Voltage Solutions can solve these challenges for:
· Card Present – Store to Host
· Back office Card Processes – for PCI Data protection, scope reduction, and for PII (personal data) – post authorization and settlement
After their similar large scale breach, Heartland Payment Systems looked to Voltage to solve their breach remediation challenge and move to a full end to end encryption strategy for their payments flow for their merchants. As Bob Carr, CEO of Heartland Payment Systems notes “Every single breach I know of wouldn’t have happened if our end-to-end encryption solution had been there.”
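To make the format-preservation property concrete, here is an added illustration that is not Voltage's code and not the NIST SP 800-38G (FF1) construction the commentary refers to: a small Feistel-style cipher over decimal digit strings, keyed with a constructed demo key. It shows why a POS in the middle can keep handling the data: the encrypted PAN is still all digits of the same length, the Track 2 sentinels, separator, expiry and service code are left intact, and only a holder of the key can recover the original PAN.

```python
import hmac
import hashlib

# Toy format-preserving cipher for digit strings (illustration only; a real
# deployment uses NIST SP 800-38G FF1/FF3 with HSM-backed keys).
ROUNDS = 10


def _round_fn(key: bytes, round_no: int, half: str, length: int) -> int:
    """Keyed pseudo-random function: HMAC-SHA256(round || half) reduced mod 10**length."""
    digest = hmac.new(key, bytes([round_no]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** length)


def _feistel(key: bytes, digits: str, decrypt: bool = False) -> str:
    """Unbalanced Feistel network over two digit halves; decrypt runs the rounds backwards."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be at least two decimal digits")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    rounds = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in rounds:
        if i % 2 == 0:                       # even rounds re-key A from B
            m = len(a)
            f = _round_fn(key, i, b, m)
            a = str((int(a) + (-f if decrypt else f)) % 10 ** m).zfill(m)
        else:                                # odd rounds re-key B from A
            m = len(b)
            f = _round_fn(key, i, a, m)
            b = str((int(b) + (-f if decrypt else f)) % 10 ** m).zfill(m)
    return a + b


def fpe_encrypt(key: bytes, digits: str) -> str:
    return _feistel(key, digits)


def fpe_decrypt(key: bytes, digits: str) -> str:
    return _feistel(key, digits, decrypt=True)


def protect_track2(key: bytes, track2: str) -> str:
    """Encrypt only the PAN field of a Track 2 string (;PAN=YYMMsvc...?), keeping
    the sentinels, separator, expiry and service code so downstream POS logic still parses it."""
    if not (track2.startswith(";") and track2.endswith("?") and "=" in track2):
        raise ValueError("not a Track 2 string")
    pan, rest = track2[1:-1].split("=", 1)
    return ";" + fpe_encrypt(key, pan) + "=" + rest + "?"


DEMO_KEY = b"constructed-demo-key-not-for-real-use"   # constructed sample key
DEMO_TRACK2 = ";4111111111111111=25121010000000000000?"  # constructed test-card track
```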