Restaurant Breach Raises Concerns
Industry Experts Call for Stronger Authentication, Encryption
Texas authorities say more than 200 people have reported fraudulent debit and credit transactions hitting their accounts after dining at Margarita's Mexican Restaurant, a Huntsville establishment located on Interstate 45 between Houston and Dallas.
Unlike the Michaels POS breach, in which fraudsters skimmed card details with tampered POS devices and compromised countless payment cards across 20 states, the Margarita's compromise is believed to have resulted from a network intrusion at a third-party vendor rather than at the restaurant itself.
"This was happening through the computers at Margarita's, and it looks like someone got in to the third-party vendor that handles the credit card information," says Huntsville Police Lt. Curt Landrum. "They did not directly get into Margarita's system."
Avivah Litan, a Gartner Research vice president and distinguished analyst, says upgrading the fundamental way the payments chain operates is the only solution.
"This incident is most unfortunate," Litan says. "Restaurants are in the business of preparing and serving food, not securing card data. Some of these hacks are being undertaken by some of the most sophisticated and well-trained cybercriminals around, and even security companies cannot stop some of these infiltration tactics."
Beyond PCI: Security vs. Compliance
Merchants' card-security vulnerabilities are getting more attention, namely because of the Michaels breach as well as widely publicized skimming attacks hitting cardholders at pay-at-the-pump gas terminals in various states across the country.
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is the baseline for preventing cardholder compromises, but it's not a silver bullet. [See More Pay-at-the-Pump Skimming, Pay-at-the-Pump Card Fraud Revs Up and Pay-At-The-Pump Skimming - a Growing Threat.]
"We have to assume that most criminals are going to be able to penetrate most secure systems, even those that are PCI compliant," Litan says. "So, the data they are able to steal must be useless."
End-to-end encryption, which encrypts card data inside the terminal so the merchant's own systems never hold a usable card number, is one way; adoption of chip and PIN or EMV [Europay, MasterCard, Visa standard] cardholder authentication is another. "It's time to stop shifting the security burden onto retailers and restaurants like Margarita's," Litan says. "In fact, it was time for that over five years ago. The lack of meaningful action in upgrading the fundamental and foundational security of the payment-system chain is indeed disappointing."
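The following Go program is an added illustration of Litan's point that stolen data "must be useless"; it is not code from the article or from any vendor named in it. It models end-to-end (point-to-point) encryption of card data: the terminal seals the PAN and expiry under a key that only the payment processor holds, so the merchant's POS computers, its LAN and its third-party vendor carry only ciphertext and a masked PAN. The key, card number (a well-known test number) and amount are constructed for the demo; the sanity checks (a Luhn check at the terminal, an authenticated amount so tampering is rejected at the processor) are assumptions about how such a terminal would behave, not details from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Authorization is the message that leaves the terminal and crosses the
// merchant network and its third-party vendor. Only the processor can open Sealed.
type Authorization struct {
	MaskedPAN   string // e.g. "************1111": safe for receipts and the POS database
	AmountCents int64  // authenticated (as AES-GCM additional data) but not secret
	Nonce       []byte // unique per message
	Sealed      []byte // AES-GCM(PAN "|" expiry) with the 16-byte auth tag appended
}

// luhnValid is the usual checksum a terminal runs before bothering to encrypt.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

// maskPAN keeps only the last four digits, the usual receipt format.
func maskPAN(pan string) string {
	if len(pan) < 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAtTerminal runs inside the payment terminal, before card data
// touches the merchant's POS computers.
func encryptAtTerminal(key []byte, pan, expiry string, amountCents int64) (Authorization, error) {
	if !luhnValid(pan) {
		return Authorization{}, errors.New("terminal: PAN fails Luhn check")
	}
	aead, err := newGCM(key)
	if err != nil {
		return Authorization{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Authorization{}, err
	}
	aad := []byte(fmt.Sprintf("amount=%d", amountCents))
	sealed := aead.Seal(nil, nonce, []byte(pan+"|"+expiry), aad)
	return Authorization{maskPAN(pan), amountCents, nonce, sealed}, nil
}

// decryptAtProcessor runs at the acquirer/processor, the only party with the key.
// Any change to the nonce, ciphertext or amount in transit makes Open fail.
func decryptAtProcessor(key []byte, a Authorization) (pan, expiry string, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", "", err
	}
	plain, err := aead.Open(nil, a.Nonce, a.Sealed, []byte(fmt.Sprintf("amount=%d", a.AmountCents)))
	if err != nil {
		return "", "", errors.New("processor: authentication failed, message rejected")
	}
	parts := strings.SplitN(string(plain), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("processor: malformed plaintext")
	}
	return parts[0], parts[1], nil
}

// containsPAN is the check an attacker sniffing the merchant LAN would make:
// does the captured message carry the card number in the clear?
func containsPAN(a Authorization, pan string) bool {
	return strings.Contains(string(a.Sealed), pan) || strings.Contains(a.MaskedPAN, pan)
}

func main() {
	// Constructed demo key; a real terminal has a per-device key injected at
	// manufacture and the processor keeps its copy in an HSM.
	key := []byte("0123456789abcdef0123456789abcdef")
	pan := "4111111111111111" // well-known test number, not a real card
	auth, err := encryptAtTerminal(key, pan, "1227", 4250)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant sees: %s amount=%d sealed=%x\n", auth.MaskedPAN, auth.AmountCents, auth.Sealed)
	fmt.Println("PAN visible on merchant network:", containsPAN(auth, pan))
	auth.AmountCents = 1 // tampering anywhere in transit is caught at the processor
	_, _, err = decryptAtProcessor(key, auth)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The design choice worth noting is where the key lives: if the merchant system or its vendor could decrypt, a compromise there would still yield card numbers, which is exactly the Margarita's scenario. Keeping decryption at the processor is what makes a network intrusion at the merchant or vendor produce ciphertext rather than cards.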
Gray Taylor, a security and compliance expert with the National Association of Convenience Stores, says NACS has been pushing its member merchants to focus more attention on POS security. But public awareness and media attention have fueled concerns about a problem the retail and financial industries have been battling for years.
"We're in an imperfect world. The average convenience store paid about $9,200 to become PCI compliant," Taylor says. "It takes a lot of investment to lock down a c-store, but with authentication and encryption, we can focus our security efforts where it really matters."
With that in mind, Taylor argues that PCI compliance itself is not necessarily where attention should be paid. "They've all turned off Wi-Fi, because we said it's just not worth it," Taylor says. "Even if you have PA-DSS compliance and use a LAN [a local area network] but don't change the passwords on your connection, then you are wasting your time and money. Putting in a secondary firewall and securing the LAN takes care of about 80 percent of the problem. ... We are telling operators it's not about compliance; it's about risk reduction."
Jerry Silva, founder and financial-services technology strategist for PG Silva Consulting, agrees fundamental changes to the payments scheme are needed, but making those changes could prove more challenging than most card issuers and transaction acquirers think. Data breaches are nearly daily occurrences, and restaurants and other merchants are increasingly targeted by fraudsters because they have a reputation for lax security. "It's almost like we need a different model, like federated security," Silva says. "The process we have in place is not working."