STAMFORD, Conn. -- Using a credit card at a gas station could pose more of a risk for data theft than shopping online, as point-of-sale (POS) terminals have emerged as a weak link in the security chain, said the IDG News Service, citing a Gartner Inc. analyst.
When a card is swiped, POS terminals often collect and store the data held in the magnetic stripe on the back of a credit card, said Avivah Litan, a Gartner vice president and analyst. Retailers are often unaware that their POS applications collect so much information, said the report.
In the hands of sophisticated hackers and counterfeiters, the data collected from the magnetic stripe is enough to create a replica card. "It's almost more dangerous to go to the gas station than it is online," Litan said at Gartner's Identity & Access Management Summit in London on Monday. "The data is just sitting there. No one even thought about what data is on a POS controller."
Retailers' network configurations are partly to blame. Many are using the Internet to transmit data in place of dialup networks, and many have incorporated wireless access points into their networks using WEP (Wired Equivalent Privacy), Litan said, which is not considered a strong form of encryption.
Hackers lurk in parking lots looking for weak networks to penetrate. Since the POS terminals are linked via IP, once a hacker has accessed a network they can try out neighboring IP addresses until they locate a store of data, Litan said.
Data breaches that occur offline are common, the report said. Of 160 breaches investigated for one major credit card brand, 128 took place in the brick and mortar world where the card was physically present for the transaction, rather than being used online or over the telephone, according to Gartner.
To strengthen security, card brands such as Visa and MasterCard are pressuring retailers to comply with the Payment Card Industry (PCI) Data Security Standard, a code of best practices created by the card industry. The standard forbids the storing of magnetic stripe data on POS terminals, and Visa plans to start fining retailers in the coming months if they do not comply, Gartner said.
Implementing security is cheaper in the long run than having a data breach, which can be expensive and hurt a company's reputation, said the report. Gartner calculates that a data breach costs companies around $300 per exposed account because of investigations, fines and lawsuits. On the other hand, beefing up security costs around $16 per account for the first year, and that cost falls over time, according to Litan.
The short-term forecast for POS security does not look great, however, said the news service. Gartner predicts that by next year, most attacks against retailers will be directed at their POS terminals, and only 30% of POS software will be compliant with the prevailing security standards by 2009. "The thieves always find the path of least resistance," Litan said.
Meanwhile, pay-at-the-pump technology ranked No. 9 on USA Today's list of 25 Eureka Moments that have changed the lives of American since 1982. The list was topped by cell phones, followed by laptop computers, the BlackBerry, debit cards, caller ID, DVDs, lithium rechargeable batteries, iPods and pay at the pump. Lettuce in a bag rounded out the top 10. Click here to view the complete list.
For an in-depth look at how identity theft is affecting retailers, watch for the July issue of CSP magazine.
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.