The Point of Sale Can Be a Chaotic Security Battleground

Merchants today face the daunting task of investing in several payment technology upgrades at once, and the confusion surrounding this process could worsen many pre-existing security vulnerabilities, argues point of sale security expert Chris Strand.

The irony is that many of these updates are being done in the name of security, including the migration to EMV-chip payment cards, changes to the Payment Card Industry data security standards and the retirement of Microsoft's Windows XP operating system, said Strand, who is an executive at Bit9 and Carbon Black, a Web security company. Windows XP is used in many point of sale systems.

"This will interfere with brick and mortar merchants in general and will affect their ability to set priorities in an already busy season," Strand said.

In the U.S., the EMV migration was given an Oct. 1 deadline, after which most non-compliant companies faced a shift in fraud liability (gas stations have an extra two years). However, as the deadline neared, many in the payments industry began to see it as more of a starting line than a finish line.

In addition, there are still many fundamental problems tied to the EMV migration, including a lack of awareness among consumers and merchants about how the technology works. And even though EMV cards don't add security for e-commerce, the changes still complicate acceptance for some digital merchants.

"This state of confusion is a distraction that is a common use case for people who are trying to commit an attack, kind of like a pickpocket," Strand said. "And right now, most of the migration is chip and signature, which is not even 'full blown' EMV [compared to chip and PIN]. This is a state of distraction that will draw attackers."

Strand calls EMV only the first part of a "trifecta" of changes that are causing problems for merchants that care about security.

The PCI council has updated its standards to accommodate mobile commerce payments and give merchants more power to use their own encryption systems. "This will be the first time that many merchants will be rounding out their audit systems with the new PCI standards," Strand said. "That will only add to the confusion."

Additionally, many point of sale terminals still use Microsoft's Windows XP, an older version of the Windows operating system that Microsoft no longer supports with regular security updates (though the software giant has selectively agreed to support some XP systems until as late as 2019).

"XP is still on a ton of point of sale systems," Strand said. "So right after the holiday-crazed period, merchants will have another adjustment to make that may be hard to figure out."

Given the drain on resources, many merchants will be forced to pick their battles, said Julie Conroy, a research director at Aite Group. "The situation will get worse before it gets better, but that's due to the fact that the threat environment is escalating so rapidly," Conroy said.

The ModPOS malware, which is more complex and harder to detect than previous point of sale malware strains, exemplifies this, Conroy said. Merchants are also already seeing escalating attacks on card not present payments, even though this shift was predicted to occur only after EMV had gained a stronger foothold in the U.S. than it has today, she said.

"Because the criminals are moving so rapidly, merchants and banks alike need to address security on multiple concurrent fronts as well," Conroy said.

MORE FROM AMERICAN BANKER