The past 12 months have been quite traumatic for some big name US retailers. Starting with Target and including household brand names like Home Depot and Goodwill, POS systems have been hit left right and centre, exposing hundreds of millions of cardholder details. As we come up to the busy Christmas shopping period, what lessons can CIOs in the UK learn from all this, and could there be trouble in store for 2015?
It's pretty obvious the US is the Wild West when it comes to POS breaches. But this is largely because the country, the largest single user of payment cards, is still dominated by magnetic-stripe cards authenticated by nothing stronger than a signature. The UK completed its Chip and PIN roll-out in 2006 and Europe followed soon after, while today over 80 countries, including most in Asia, are implementing it. In these regions the roll-out has largely made POS attacks a poor option for data thieves, so they've moved online and into the MOTO (mail order/telephone order) channel, which together account for the majority of card-not-present (CNP) fraud in the UK.
Closing down CNP fraud
Although the UK is a relatively safe place to do business, card-not-present fraud rose 23% year-on-year from £142m to £174.5m in the first half of 2014, according to Financial Fraud Action UK. The MOTO channel in particular is ripe for the fraudsters to exploit as there is no current industry response to close it down. It might be useful for more banks to offer users the option to switch on email notifications whenever there is a transaction involving their cards. This would at least help alert customers if a card has been copied and used fraudulently.
However, it is e-commerce where most CIOs should concentrate their fraud prevention efforts. The industry standard, PCI DSS, should still be the starting point for how cardholder data is stored and managed safely. It requires, rather than merely recommends, controls such as strong cryptography for cardholder data at rest and in transit, not retaining sensitive authentication data after authorisation, and restricting and logging access to the data. Those controls, together with data loss prevention tooling, should be on the table for any CIO at a large customer-facing business.
I'd also argue that it's important to keep customer identity data and payment data in separate databases, linked only by an opaque index pointer: a random token that means nothing on its own and is not derived from anything in either record. An intruder who compromises one store then has to hop to the other, behind different hosts and credentials, before the two can be joined. If the link is instead an algorithm (a hash of the customer's email, say, or a shared sequential ID), anyone holding one store plus a list obtained elsewhere can recompute it, and the separation buys very little. Even if no card data is stolen, a customer database breach alone can create seriously bad publicity affecting the share price, customer loyalty and brand value.
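The split-store pattern above, as an added example that is not part of the original column or of any Trend Micro product. It is stdlib Python; two in-memory SQLite connections stand in for two separately hosted, separately credentialed databases, and the customer records and card numbers are constructed test data. It contrasts a derivable pointer (a hash of the email) with a random one, and shows that only the random pointer stops an attacker who holds the card vault plus an email list obtained elsewhere from re-identifying cardholders.

```python
import hashlib
import secrets
import sqlite3

# Constructed sample records for the demonstration only. The PANs are the
# card brands' published test numbers, not real cards.
CUSTOMERS = [
    ("alice@example.com", "4111111111111111", "12/26"),
    ("bob@example.com",   "5555555555554444", "03/27"),
    ("carol@example.com", "378282246310005",  "09/25"),
]


def weak_ref(email):
    """Derivable pointer: anyone who knows the scheme and an email can recompute it."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def strong_ref(email):
    """Opaque pointer: random, unrelated to the record, held only in the customer store."""
    return secrets.token_urlsafe(24)


def build_stores(ref_fn):
    """Two separate stores. In-memory connections here; separate hosts and
    credentials in production, so one compromised credential reaches only one side."""
    customers = sqlite3.connect(":memory:")
    vault = sqlite3.connect(":memory:")
    customers.execute(
        "CREATE TABLE customer (email TEXT PRIMARY KEY, card_ref TEXT UNIQUE NOT NULL)")
    vault.execute(
        "CREATE TABLE card (card_ref TEXT PRIMARY KEY, pan TEXT NOT NULL, expiry TEXT NOT NULL)")
    for email, pan, expiry in CUSTOMERS:
        ref = ref_fn(email)
        customers.execute("INSERT INTO customer VALUES (?, ?)", (email, ref))
        # In a PCI DSS environment the PAN would also be stored encrypted
        # (Requirement 3); that layer is omitted to keep the example short.
        vault.execute("INSERT INTO card VALUES (?, ?, ?)", (ref, pan, expiry))
    customers.commit()
    vault.commit()
    return customers, vault


def card_for_customer(customers, vault, email):
    """Legitimate lookup: the hop needs a credential for both stores."""
    row = customers.execute(
        "SELECT card_ref FROM customer WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None
    return vault.execute(
        "SELECT pan, expiry FROM card WHERE card_ref = ?", (row[0],)).fetchone()


def vault_leaks_identities(vault, emails_known_to_attacker):
    """Attacker holds only a dump of the vault plus an email list from elsewhere
    (a leaked marketing list, say) and knows the derivable scheme.
    Returns the (email, pan) pairs they can reconstruct."""
    found = []
    for email in emails_known_to_attacker:
        row = vault.execute(
            "SELECT pan FROM card WHERE card_ref = ?", (weak_ref(email),)).fetchone()
        if row:
            found.append((email, row[0]))
    return found


def customer_store_contains_pan(customers):
    """Does a dump of the customer store expose any card number on its own?"""
    pans = {pan for _, pan, _ in CUSTOMERS}
    for row in customers.execute("SELECT email, card_ref FROM customer"):
        if any(pan in str(col) for col in row for pan in pans):
            return True
    return False


if __name__ == "__main__":
    known = ["alice@example.com", "bob@example.com"]
    for name, fn in (("derivable", weak_ref), ("random", strong_ref)):
        cust, vault = build_stores(fn)
        leaked = vault_leaks_identities(vault, known)
        print(f"{name} pointer: vault dump + email list re-identifies "
              f"{len(leaked)} cardholders; customer dump holds a PAN: "
              f"{customer_store_contains_pan(cust)}")
```

With the derivable pointer the attacker re-identifies every cardholder whose email they already hold; with the random pointer they get nothing from the vault alone, and the customer store alone carries no card numbers. The pattern only helps if the two stores really are isolated: same host, same service account, and the token is just a foreign key.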
To fortify systems, keep all servers patched and up-to-date, and have a way of shielding them while a patch is not yet available, as happened with particularly serious flaws like Heartbleed and Shellshock: for example, virtual patching at the IPS or web application firewall, or disabling the vulnerable component until the fix arrives. The most important advice I can give CIOs, however, is to perform periodic data breach fire drills. Imagine you were breached. Is the marketing department ready? Is IT set up to work with the authorities? Is the board comfortable going in front of the press? What about legal and PR? In response to major industry breaches, many companies skip this kind of drill and simply jack up their security budgets instead. But as we know, security is never 100% and the attackers are well drilled, so it's important to be prepared.
A storm coming?
As if that wasn't enough impetus to get your e-commerce security in order, it is more than likely that once the US finally adopts EMV chip cards, with the card brands' liability shift due in October 2015 (and most US issuers opting for chip-and-signature rather than true Chip and PIN), more fraud will shift online. Yes, it'll take a while before POS systems are updated and customer behaviour changes across the Atlantic. But once that "easy prey" becomes less exposed, you can be sure the cybercriminals will move on to the next easiest targets, MOTO and e-commerce, and the focus could move back to Europe.
It's worth remembering also that the European General Data Protection Regulation is coming, and will surely introduce mandatory breach notification laws when it's finally approved. Even more reason to get your fraud prevention and data security strategy in order. Don't wait for this before you make a start, however. What usually happens in the US is that the banks or law enforcement notice spikes in fraud on certain cards and inform the breached firm in question, often before the CIO has even an inkling. There's nothing stopping that happening here.
Big name UK data breaches have been a fairly rare occurrence over the past year, so the next firm to falter will be given a pretty rough time of it in the headlines. Make sure it isn't you.
Raimund Genes is CTO of Trend Micro