Wendy’s reports possible credit card breaches at multiple restaurants

In response to last night’s news of a customer data breach at Wendy’s, George Rice, senior director, payments at HPE Security-Data Security, commented:

“More than ever, retailers must put data security at the top of their priority lists. Common approaches to security may no longer be secure as criminals are armed with increasingly effective malware and hacking tools. At the same time, retail innovations such as EMV, mobile payments and mobile wallets enhance the customer experience but may also introduce security vulnerabilities for the merchant.

Retailers should develop security strategies that meet the highest cryptographic standards, are easy to maintain and allow for continuous advancement of the merchant’s payment ecosystem.

We recommend a data-centric approach to data security that uses format preservation. This allows for sensitive data to be protected at the moment of acceptance and remain protected throughout its lifecycle in the organisation.

Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

Fast food, and any businesses using POS systems, can avoid the impact of these types of advanced attacks. Proven methods are available to neutralize data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data.

The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”

Rice offers these tips for retailers:

“Only collect customer data that you need and can adequately protect. Why do you need date-of-birth or social security numbers, for example? Encrypt or tokenize everything you determine to be mission-critical.

Protect data at the moment of submission by the customer. Criminals know to embed malware near to data acceptance points, like point-of-sale systems or web front-ends.

Only unprotect data when absolutely necessary.  A high percentage of the time, applications and users can work equally well with a surrogate value.”

Simon Crosby, CTO and co-founder at Bromium, added:

“Many Point of Sale systems have not been upgraded for years, and in anticipation of “chip and sign” changes to credit cards, some vendors have held off even longer, waiting for the latest technology before they upgrade. A simple rule of thumb: If a vendor does not support chip and sign, pay cash”