It’s still early in 2016 and we’ve already seen reports of POS breaches. I am betting that we will see the trend continue as the year progresses, due to a number of contributing factors:
1 – The pressure to adopt EMV technology will continue to draw attention throughout 2016. Most statistics point to the fact that full EMV adoption will not take place until well into 2017 or 2018. Meanwhile, attackers will be able to take advantage of retailers that are in the process of implementing EMV devices. Rushed or partial deployments that leave the POS infrastructure unprepared to run EMV properly, along with customer and merchant confusion, will make this situation even riper for savvy attackers.
2 – Attackers will continue to target ill-prepared POS systems. Although such vulnerabilities are well-documented, organizations continue to struggle with their security hygiene, so issues such as lax security configurations and weak passwords will leave many vulnerable to attack. As a result, cybercriminals will continue to successfully breach POS environments using variants of the same malware that we’ve seen with past breaches.
3 – The continued use of unsupported popular POS operating systems will leave merchants vulnerable to attack. During the last two years, three popular Windows operating systems – two of which are directly related to many major POS platforms (Win XP and XP embedded) – reached end-of-life. The vulnerabilities of these systems are still being discovered, creating another dimension of IT security risk that many merchants fail to consider seriously enough.
4 – Mobile payments and e-commerce widen the threat window. New “card not present” scenarios may present unfamiliar threats to organizations, and I believe 2016 will see an increasing number of threats targeting other types of payment systems.
5 – An increasingly complex regulatory environment will present new challenges to merchants. I believe we will see more regulations, fines and other consequences associated with payment systems as the community responds to continued threats. This is something for every merchant or payment provider to consider, and it may be time to re-assess their security policies and their ability to enforce them. Many who think they are not subject to the scrutiny of particular regulations and mandates may find they are now accountable.
6 – Lastly, but certainly not least, an increasing awareness of security will lead to more sophisticated POS malware. As more merchants embrace the inevitability of cyber-attacks, POS malware authors will continue their efforts to stay under the radar and flank security tools. New POS malware will target different segments of an organization’s environment that may be outside the conventional areas to stage an attack.
While this approach isn’t as fast and easy for the attacker, it is generally harder to detect. Malware authors are taking advantage of known exploit vectors found across enterprise systems, as well as intelligence on what has worked against POS and payment systems before.
It’s clear that POS and payment providers will have to build allegiances and share information more than ever in 2016.