Many bricks and mortar retailers recently reopened following a three-month hiatus due to the Covid-19 lockdown. Being able to visit their favorite outlets for the first time since March, and the prospect of bargain sales, meant that many stores saw a surge in shoppers. However, reduced budgets and a short notice period for reopening have meant that many retailers could struggle to update the security on their card systems and comply with industry standards.
Likewise, online merchants have seen unprecedented demand during lockdown, nearly doubling their share of the retail market in May. This sudden increase in business has left many internet retailers unable to find a period of downtime to update their payment software.
In this Q and A, Chris Strand, Chief Compliance Officer at IntSights, explores the predicament retailers are currently finding themselves in and looks at what they can do to ensure both security and compliance.
What is the current situation regarding card usage?
Contactless and cards are now used in more than half of all UK payments. Their use is likely to accelerate as both retailers and consumers look to avoid handling cash that could potentially harbor disease, meaning that the security of card payment services is more important than ever.
What are the post-lockdown security concerns?
Physical retail systems such as point of sale (POS) and point of interaction (POI) have been under-utilized or even sitting dormant for at least three months. In the effort to cut costs and stretch resources, it’s possible that retailers may have missed critical security patches and proper maintenance to these systems to ensure they remain secure and compliant. A similar issue happens every year during the Christmas rush, when backup resources (hardware and software) are taken out of reserve to accommodate the surge in demand for payment processing. These systems often include components that are outside of the regular security maintenance plan and are placed into the “retail freeze” production environment, where updates are not permitted without great disruption. What’s more, bricks and mortar retailers were only given a week’s notice that they were able to re-open, giving them very little time to prepare.
While we don’t yet have significant data, in the post-lockdown opening phase it looks like retailers could be experiencing a pre-Christmas style surge in demand as consumers flock to retailers that have been restricted to ecommerce-only orders for the past three months.
Ok, so retailers need to install the latest patches and updates?
Unfortunately, it’s not as simple as that. As of January, three heavily utilized POS and payment-related systems, Windows 7, Windows 2008 Server and Windows Embedded POSReady 2009, reached end of life. This means that Microsoft is no longer releasing viable security patches to help protect system vulnerabilities from a variety of external targeted attacks. Support for a small portion of the critical patches is offered if the retailer buys premium extended support from Microsoft, but that’s a big expense and, for many, not an affordable option. We know that in the current environment, retailers have little spare budget at present other than to maintain and open their stores.
End of life doesn’t just apply to operating systems, but also to applications used within retail, which is of a particular concern to online retailers. For instance, Magento 1, a popular payment app used on many websites, went end of life in June.
These end of life events play havoc with systems at all points of the year, but even more so now. Many retail technology migration plans and strategies were most likely affected, and it’s almost a guarantee that many retailers have not had adequate time or resources to develop and implement compensating security controls to protect any of the vulnerable systems they now have throughout their estate.
Sounds like the perfect storm. Will threat actors take advantage?
Most definitely. At IntSights, we have already seen an increase in card skimming tactics that have been targeting ATMs and fuel stations in tandem with their increased focus on ecommerce, which is significant because it indicates that threat actors are taking advantage of the perceived security gap in all these systems.
Any vulnerability will enable threat actors to carry out a range of attacks. For instance, if retailers do not use end-to-end encryption on their POS systems, criminals can inject a memory-scraper trojan that will scan for and steal card data.
How are card transactions usually kept safe?
To ensure businesses process card payments securely, they are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This comprises 12 high-level requirements covering the storage, transmission and processing of cardholder data. Key points include building and maintaining a secure network that is monitored and tested regularly, protecting data, implementing strong access controls and maintaining an information security policy.
Quarterly audits for PCI and other common retail-intensive compliance assessments often cycle in the autumn due to many factors associated with the rollout of requirements and how the standard was developed. This presents an additional burden on retailers to ensure that they are compliant at a time when they are forced to invest in additional strategies in order to do business, because if they are found to not be PCI compliant, the retailer could end up facing fines and penalties. Also, audits may be more cumbersome to complete now that they have to review a backlog of security information on these systems. If these systems have been offline, it may be even more complicated to run a collection of compliance metrics that will present enough data to prove control efficacy.
What happens in the event of non-compliance with the PCI DSS?
There are over two hundred PCI sub-requirements that systems need to be tested against. Failing to meet a requirement would result in retailers having to demonstrate they have implemented compensating controls to prove that they can protect credit card data.
If a retailer can’t patch its systems, it can’t pass the audit. If it can’t pass the audit, the retailer will have to pay fines to continue to use cards. This is death by a thousand cuts. The card brands and banks, such as Mastercard or Visa, will stipulate how much retailers need to pay (often a monthly penalty) associated with their PCI DSS tier classification, which is based on the number of card transactions they carry out. For a large chain this could result in payments that have a significant impact on the business’s bottom line. There will also need to be a mitigation plan in place, which will take up more resources and require more checks to prove the retailer can get to a secure position to finally pass the audit.
What can retailers do to protect themselves?
Retailers are in a tight spot, but ultimately, they will have to bite the bullet and upgrade their systems. This is the only way to avoid potential fines and penalties, while at the same time protecting customer data. Let’s not forget that if payment data is stolen due to inadequate security, retailers could be landed with further fines from either failed PCI compliance or their local data protection regulators and forced to implement changes anyway or shut up shop.
The PCI Security Standards Council does offer help in this situation and is offering extensions on reassessments for point-to-point encryption (P2PE) solution components and applications due to the Covid-19 crisis.
Once they have migrated to a secure infrastructure, retailers should also consider adding external threat intelligence to their security strategy. This will help them run a sanity check on their existing security plans and identify those techniques, tactics and procedures that cybercriminals might use in an attack, enabling the retailer to focus its security efforts accordingly and quickly prioritize threat remediation.
Covid-19 has had a seismic impact on the retail industry for both online and bricks and mortar concerns. Opportunistic cybercriminals will know this and will want to take advantage while it’s down. Not investing in cybersecurity to save money in the short term is a significant false economy. Inadequate security measures could see huge losses either through cybercriminal theft or punitive PCI compliance fines from the card brands and banks. Now is the time to regroup and rebuild to ensure security and, ultimately, profits are better than before.
Christopher Strand, Chief Compliance Officer, IntSights