Avoid Being the Next Target for Payment Malware

For millions of Americans since November, the idea of credit card transactions processing is a source of stress and fear. It started with Target, who announced that thousands upon thousands of shoppers were in danger of having their credit card numbers stolen and sold on the Internet after their system was hacked. Not two months later, an announcement came down the pike that Neiman Marcus and Michaels had been hit with the same virus. The FBI has announced that this may be only the beginning of a wave of retailer hacks that will hit over the next year; the virus is insidious and as yet hasn’t been cracked, though teams of experts are working to pull it apart.

Point of sale (POS) systems are particularly vulnerable to attack and are a prime target for malware because they are a regular source for credit card transactions processing and tend to carry a wealth of valuable information through each swipe of a magnetic strip. They also, by their nature, tend to be far less secure than traditional computer systems. Many solutions have been put forth, including replacing current systems with Internet-based mobile wallet systems, or current mag-strip cards with more advanced cards that use smart chips to store data. These fixes, unfortunately, are a long way off, and for many retailers and shoppers, the immediate future looks scary and bleak. However, there are steps a retailer can take to reduce vulnerability against these sorts of malware attacks and help to protect shoppers until more permanent defenses are available.

The first thing retailers should do is work with their system vendor to make sure that the most current software is running on their point of sale system, including any patches or software upgrades. Make sure that your contract specifies that the vendor must test and confirm the functionality of any updates as soon as they become available.

Secondly, ensure that your software is certified to the Payment Application Data Security Standard and that it is properly set up.

Next, and one of the most basic pieces of security advice, is to use multiple layers of protection against viruses and malware. If at all possible, install protection directly onto the terminal used to swipe cards, the point of connection between the network and the Internet, on workstations, servers, anywhere that there could feasibly be a vulnerability. Change passwords regularly, especially when reports of a new attack come in, and use different usernames and passwords for different points in the software processing chain. Have your IT department set up automated alerts that will notify you and them whenever there is any sort of suspicious activity on the network.  File integrity monitoring software exists that can fulfill this function, and should be leveraged as an important technology moving forward.

Finally, there is absolutely no substitute for training and education. Train your staff to be vigilant about how these sorts of malware work, to watch out for phishing scams that are often an entry point for malware, and what to do when they see suspicious activity; this will be your first and most important line of defense in keeping your credit card transactions processing system safe.