Preventative Measures - Broadening Security for Payment Devices
By Scott Henry
The threat from software viruses is no longer confined to the PC market. A general misperception is that Windows-based PCs are the only target of malicious programs. Windows-based systems are the main target today because they represent the largest number of potential victims. However, as the world becomes increasingly connected through the Internet, the threat is quickly spreading to other devices.
Criminal intent is not limited by platform boundaries; signs of what to expect in the future have surfaced in the embedded device markets. Not so long ago, many believed that mobile phones were not at risk because no predominant operating system exists for those systems equivalent to Windows on PCs.
Yet now malicious programmers are actively targeting mobile phones and PDAs. According to "The Times of London," in the first half of 2005 more than 50 viruses targeted at mobile phones were detected.
Risks to POS Systems
We've all seen widely publicized compromises in other links of the payment processing chain, so it's logical to conclude that it is only a matter of time before POS systems fall under assault.
As POS devices become more complex and PC-like, they provide great enhancements such as Internet-protocol (IP) connectivity and multiapplication capability.
These technology advancements and improvements might provide criminals with points of opportunity if manufacturers, developers and processors do not preemptively and properly address them. The fact that no viruses directly targeting standalone POS systems have been detected yet should not deter companies from taking steps to prepare for the inevitable. It's simply good business sense.
The potential business liabilities resulting from incursions pose serious risks for all companies involved in the processing of card information. Beyond the financial impact of a widespread attack lies the equally damaging negative perception of the brand image in the public eye.
Some companies might think that they can avoid the threat by simply not using Internet-connected devices. That is certainly an option, but it comes at a tremendous cost. Many opportunities, including benefiting from faster payment processing and cost savings from eliminating telephone lines, can be lost.
Internet adoption is inevitable. According to recent data from the Federal Communications Commission, in 2004 high-speed Internet connections serving residential, small business, larger business, and other subscribers increased by 34%, to 37.9 million lines.
Those who have adopted Internet-connected payment solutions wonder how they ever got by without them. The short-term benefits are substantial, and the long-term benefits are incalculable.
Those who don't adopt faster Internet-connected solutions risk losing customers to competitors that are able to move shoppers through their lines more quickly. Think of gas stations today. How many don't offer pay-at-the-pump options?
Securing the POS
Anti-virus protection services on POS solutions will go a long way in eliminating any fears merchants might have about owning an IP-based terminal. Reluctant merchants will now feel confident in purchasing these products. This equates to more terminal and software sales for ISOs/merchant level salespeople.
Others might think they don't need to implement security measures until an actual exploitation occurs. But they should take appropriate precautions. The expense of lost productivity and of repairing damage to a brand image will be much, much greater than the short-term savings.
Once a consumer loses trust in a merchant, it may take years for the merchant to recover, if ever. Who wants to be the first company to suffer such an assault and land on the front pages of "The Wall Street Journal" and "The New York Times" as a result?
Without a doubt, credit card information is becoming one of the prime targets of criminals who use rogue programs to capture consumer account information.
In June 2005, MasterCard International announced that the security of as many as 40 million cardholder accounts, including those of Visa, American Express Co. and Discover Financial Services, had been compromised.
Criminals infiltrated CardSystems Solutions Inc.'s systems using a computer virus (see "Will 40 Million Accounts Be the Final Straw?" The Green Sheet, July 11, 2005, issue 05:07:01). Not long before that, retailers Polo Ralph Lauren and DSW Shoe Warehouse suffered embarrassing lapses that exposed consumer accounts.
The consumer data breach problem has grown to the point where government regulators are likely to step in.
In June 2005, BJ's Wholesale Club agreed to settle Federal Trade Commission (FTC) charges that "its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law."
The chairman of the FTC, Deborah Platt Majoras, threw down the gauntlet with the declaration, "Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security. This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."
The FTC has asked Congress to "consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety. Such a requirement could extend the FTC's existing Gramm-Leach-Bliley Act Safeguards Rule to companies that are not financial institutions."
The Safeguards Rule currently requires financial institutions "to implement reasonable physical, technical and procedural safeguards to protect customer information."
Each company, no matter what its role in the financial card processing chain, should have its security measures reviewed and take all appropriate steps to prevent access to consumer information.
Some might ask, won't the acquirers establish mechanisms to protect merchants? Maybe to some degree they will, but the fact is that those organizations will mostly work on protecting themselves.
It should be fairly evident that the card Associations and financial institutions engaged in the payment processing chain are intensely focused on shielding themselves from future legal and financial liability. Just as with chargeback penalties, the pain in this industry tends to flow downhill to the organizations least able to afford it.
A Solution for the POS
VeriFone, working with security software leader McAfee Inc., developed McAfee VirusScan Mobile for Verix. The solution operates in the background and is transparent to the merchant. It automatically checks for updates, so the merchant's business is never interrupted. It includes software, download, support, virus detection and routine updates of virus profiles, and won't slow down payment processing.
Anti-virus protection for the POS is a logical extension of today's advanced IP- and multiapplication-capable terminals. It will provide ISOs, acquirers and merchants with the opportunity to take full advantage of the latest technology with the knowledge that their businesses will be secure.
Anti-virus software protects Internet-connected POS systems against future potential threats with an immediate and consistent response and no disruption to business. Online offenders will always be on the lookout for new opportunities to spread viruses; we all need to stay ahead of them.
Scott Henry is Global Software Product Manager with VeriFone. Call him at 770-754-3467 or e-mail firstname.lastname@example.org.