LAS VEGAS -- Protecting credit-card numbers from increasingly savvy hackers can be a daunting task, especially for single-store operators without the IT knowledge and personnel.
But retailers, regardless of their resources, must still do what they can, considering that credit-card data theft was an $8 billion industry last year.
"With that number, people will spend $2 million to write [the malicious] software that pulls data even before it's encrypted," said Brad Cyprus, chief of security and compliance for VendorSafe Technologies, Houston. "Modern malware captures credit-card data and sends it over the Internet."
Hackers are writing software specific to point-of-sale (POS) systems. And if allowed to enter the network where credit-card data is housed, it may be stealing numbers without leaving any signs for retailers to spot, Cyprus told about 100 attendees at an educational session Sunday at the 2012 NACS Show in Las Vegas.
One of the main mistakes he still sees in his line of work is retailers who allow employees to go onto the Internet from the same network that the POS rides on.
"It's a huge majority of small operators," Cyprus said. "It's a problem that spending $300 on a separate computer will solve."
He suggested other steps as well, including having third parties run "external vulnerability scans," in which they essentially try to break into a retailer's system using any number of hacking techniques. Another step is to consistently monitor the results of these scans and fix the issues they turn up. That follow-through is a step some retailers fail to take.
Other speakers on the panel contributed suggestions as well. Shekar Swamy, president of Omega ATC, St. Louis, stressed that systems deemed compliant with Payment Card Industry or PCI standards need to be updated and kept current. In many cases, vendors send out "patches" or updates to software. Retailers must be diligent about running these patches and making sure all software is current.
Cyprus agreed, noting how Java, a well-known and widely used programming platform, issued a patch when a vulnerability was discovered in the product. Users who failed to install the patch remained vulnerable to hackers, he said.
Take care of the basics, Swamy said. Install a firewall that will identify and fend off intrusions. Consider two-factor authentication, especially if staff has remote access to programs--possibly a password plus either a key fob or a smartphone application that triggers access. And most importantly, he said, keep the POS network separate from other systems.
"Some people are putting it in a separate, closed environment," he said.
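The segmentation and firewall advice above, as an added example that is not code from the panel or from any vendor mentioned: a small default-deny egress policy evaluator in Python that contrasts a flat store network (everything allowed) with a segmented one where the POS segment can reach only the payment processor on port 443 and the back-office segment can browse the web but never reach the POS. Segment names, address ranges and rules are constructed for illustration.

```python
"""Segment-aware egress policy for a small store network.

Added example, not from the NACS panel or any vendor's product. Segment
names, address ranges and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed segments: the POS network, the back-office network that staff
# use for email and web browsing, and the payment processor (documentation
# address range standing in for the real gateway).
SEGMENTS = {
    "pos": ip_network("10.10.1.0/24"),
    "office": ip_network("10.10.2.0/24"),
    "payment_gateway": ip_network("203.0.113.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # source segment name, or "any"
    dst: str              # destination segment name, "internet", or "any"
    port: Optional[int]   # None matches any port
    allow: bool


def segment_of(addr: str) -> str:
    """Map an address to its segment; anything outside known ranges is 'internet'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First matching rule wins; no match means deny (default-deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.allow
    return False


# Weak setting: one flat network, browsing and POS traffic share it, nothing blocked.
FLAT_RULES = [Rule("any", "any", None, True)]

# Corrected setting: POS talks only to the payment gateway on 443; the office
# segment may browse the web on 80/443 but never reach the POS; all else dropped.
SEGMENTED_RULES = [
    Rule("pos", "payment_gateway", 443, True),
    Rule("pos", "any", None, False),
    Rule("office", "pos", None, False),
    Rule("office", "internet", 443, True),
    Rule("office", "internet", 80, True),
]


if __name__ == "__main__":
    # A POS terminal trying to reach an arbitrary Internet host (e.g. malware exfiltration)
    print("flat:", evaluate(FLAT_RULES, "10.10.1.5", "198.51.100.7", 80))            # True
    print("segmented:", evaluate(SEGMENTED_RULES, "10.10.1.5", "198.51.100.7", 80))  # False
    print("pos->gateway:", evaluate(SEGMENTED_RULES, "10.10.1.5", "203.0.113.10", 443))  # True
```

The inbound direction matters too: with no rule whose source is "internet", a connection from an outside host toward a POS terminal falls through to the default deny, which is the behaviour the panel's "separate, closed environment" describes.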
Taking steps such as these allows retailers to track who is entering the system and when, Swamy said. Agreeing, Cyprus noted that breaking access down by individual and purpose--vs. all authorized users logging in under a shared "admin" user name--is part of the solution, as is restricted, tiered access, where each person's level of access is set by what their job needs.
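The per-user accounts and tiered access just described, as an added example that is not code from the panel or any vendor: a small role-based access check in Python that records every attempt in an audit trail. Users, roles, permission names and actions are constructed; the point is that a shared "admin" login cannot answer "who exported the transactions," while individual accounts can, and that denied attempts are recorded as well.

```python
"""Per-user, role-based access to a POS back office with an audit trail.

Added example, not code from the panel or any vendor. Users, roles and
action names are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Tiered permissions: each role gets only what that job needs (least privilege).
ROLE_PERMISSIONS = {
    "cashier": {"ring_sale", "void_own_sale"},
    "shift_manager": {"ring_sale", "void_own_sale", "void_any_sale", "view_daily_report"},
    "owner": {"ring_sale", "void_own_sale", "void_any_sale", "view_daily_report",
              "export_transactions", "manage_users"},
}


@dataclass
class AuditEntry:
    when: str      # ISO-8601 UTC timestamp
    user: str      # the individual account, not a shared login
    action: str
    allowed: bool


@dataclass
class AccessControl:
    users: Dict[str, str]                        # username -> role
    audit: List[AuditEntry] = field(default_factory=list)

    def attempt(self, user: str, action: str, now: Optional[datetime] = None) -> bool:
        """Check the user's role against the action and log the outcome either way."""
        when = (now or datetime.now(timezone.utc)).isoformat()
        role = self.users.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
        self.audit.append(AuditEntry(when, user, action, allowed))
        return allowed

    def who_did(self, action: str) -> List[str]:
        """Trace a successful action back to the account(s) that performed it."""
        return [e.user for e in self.audit if e.action == action and e.allowed]

    def denied_attempts(self) -> List[tuple]:
        """Refused actions are worth reviewing: they show who tried to exceed their tier."""
        return [(e.user, e.action) for e in self.audit if not e.allowed]


if __name__ == "__main__":
    # Individual accounts: each person has exactly the tier their job needs.
    store = AccessControl({"maria": "cashier", "sam": "shift_manager", "jo": "owner"})
    store.attempt("maria", "void_any_sale")        # cashier cannot void others' sales
    store.attempt("sam", "void_any_sale")          # shift manager can
    store.attempt("jo", "export_transactions")     # only the owner exports card data
    print("exported by:", store.who_did("export_transactions"))   # ['jo']
    print("denied:", store.denied_attempts())                     # [('maria', 'void_any_sale')]

    # Shared login: everyone is "admin", so the trail cannot say which person acted.
    shared = AccessControl({"admin": "owner"})
    shared.attempt("admin", "export_transactions")
    shared.attempt("admin", "export_transactions")
    print("shared trail:", shared.who_did("export_transactions"))  # ['admin', 'admin']
```

In a real deployment the audit list would be written to append-only storage off the POS host so that a compromised terminal cannot quietly erase its own trail, but the attribution problem with a shared account is the same regardless of where the log lives.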
Finally, Liz Garner, director of commerce and entrepreneurship at the National Restaurant Association, said restaurant operators, many of whom run single locations, encounter the same challenges and concerns that convenience store retailers do. She said for those retailers, cost represents a huge barrier to compliance and overall data security.
Adding another facet to the evolving issue of security is mobile payment, she said. It's an emerging threat retailers need to be aware of.