July 22, 2018 by Greg Meckbach
Computer systems that many retailers use to accept payment and manage inventory can pose a liability risk if they store credit card numbers, and the “ultimate” solution could be expensive.
Many “point-of-sale” systems are installed on computers running Microsoft Corp.’s Windows operating system, suggests Nicolas Beique, founder of Calgary-based payment processing vendor Helcim Inc.
“They [retailers] have to make sure those computers are secured, so there are no viruses or malware, and [that the software] is kept up-to-date,” Beique said Wednesday in an interview with Canadian Underwriter. “A lot of times that is not the case.”
Companies that suffer cyber security breaches can be sued by customers whose credit card numbers fall into the wrong hands. This is the case even if the companies are innocent of any wrongdoing, and even if the customers do not suffer losses due to fraud. Some cyber insurance policies cover the costs associated with such breaches.
Many retailers “are running really old versions of Windows, they haven’t been updated in a while or they don’t even have anti-virus,” Beique warned. This is the “most common way” for fraudsters to access credit card information on point-of-sale computer systems.
Retailers whose computers have been hacked by fraudsters include Hudson’s Bay Company, Home Depot of Canada Inc. and the firm that operates Winners and HomeSense.
HBC announced in April that it had discovered computer malware on point-of-sale systems at Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor stores. In HBC’s case, the malware was designed to collect cardholder names, payment card numbers and expiration dates.
Home Depot Canada paid six figures in 2016 to settle a customer class-action lawsuit filed in Ontario.
Ten years earlier, Framingham, Mass.-based TJX Companies Inc. (which owns Winners and HomeSense stores in Canada) was targeted by criminals who took advantage of the TJX stores’ Wi-Fi computer networks. Some of those wireless networks had not been upgraded from Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access (WPA), the Office of the Privacy Commissioner of Canada said in 2007.
“When you see those headlines of ‘Company A lost X-million credit cards,’ that’s usually because there has been malware installed on those point of sale computers,” Beique told Canadian Underwriter, commenting in general and not on any particular breach. In these instances, hackers are able to get valid credit card numbers simply by getting those numbers from the retailers’ computer systems.
The solution is simple – at least in theory.
The ultimate thing retailers can do to protect customers’ payment card information is to have end-to-end encryption, Beique said. The credit card number gets converted into a secret code, so the hacker trying to read the number will only see gibberish.
“At the time you swipe or insert the chip for that transaction, that pin pad or terminal actually encrypts it right there,” Beique explained. “What [the card reader] sends through to the point of sale is an encrypted message, so the point of sale cannot see that credit card number.”
End-to-end encryption is “something that big franchises and retailers are aiming for, but it’s still fairly new,” said Beique. “I would not say the majority of deployments are like that.”
This is because many established retailers would have to rip out and replace obsolete systems. “[Their existing point-of-sale systems] might be programmed to look for a full card number and might not know how to handle anything else,” said Beique.
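The reader-side encryption Beique describes, and the legacy-POS problem above, as an added Go example that is not from the article, Helcim or any vendor: a simulated PIN pad seals the card number before it reaches the point-of-sale software, only the payment processor can open the envelope, and a digit-run scan of the POS's sale record (the same pattern card scrapers and DLP tools look for) finds nothing to read, which is also why a POS written to expect a full card number has nothing to parse. The key, nonce handling and message format are demo assumptions, not any deployed protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"regexp"
)

// Key shared only by the card reader and the payment processor; the POS never
// holds it. Fixed demo value (real readers get per-device keys from the processor).
var readerKey = sha256.Sum256([]byte("demo reader key, not a real deployment"))

func aead() cipher.AEAD {
	block, _ := aes.NewCipher(readerKey[:]) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)            // standard block size: cannot fail
	return g
}

// EncryptAtReader models the PIN pad sealing the PAN with AES-256-GCM at swipe
// or chip-insert time. The POS only ever receives hex(nonce || ciphertext || tag).
func EncryptAtReader(pan string) string {
	g := aead()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return hex.EncodeToString(g.Seal(nonce, nonce, []byte(pan), nil))
}

// DecryptAtProcessor is the only hop where the PAN reappears; tampering fails the tag check.
func DecryptAtProcessor(envelope string) (string, error) {
	raw, err := hex.DecodeString(envelope)
	n := aead().NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("malformed envelope")
	}
	pt, err := aead().Open(nil, raw[:n], raw[n:], nil)
	return string(pt), err
}

// panRun is the crude pattern a memory scraper, or a DLP tool hunting for the
// same thing, uses to spot a card number: 13 to 19 digits standing alone.
// CountPANs counts such runs in whatever the POS process holds for one sale.
var panRun = regexp.MustCompile(`\b[0-9]{13,19}\b`)

func CountPANs(posData string) int {
	return len(panRun.FindAllString(posData, -1))
}
```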