Actu
Wendy’s POS data breach larger than first reported - expert comment
June 2016 by
It is being reported that Wendy’s credit card breach is larger than first thought. Originally less than 300 of the company’s 5,800 locations were impacted. This afternoon Wendy’s said the number of stores impacted by the breach is "significantly higher" and that the intrusion may not yet be contained.
If you are planning on covering this news, please see below for commentary from George Rice, senior director, payments at HPE Security - Data Security:
“More than ever, retailers must put data security at the top of their priority lists. Common approaches to security may no longer be secure as criminals are armed with increasingly effective malware and hacking tools.
Retailers should develop security strategies that meet the highest cryptographic standards, are easy to maintain and allow for continuous advancement of the merchant’s payment ecosystem.
We recommend a data-centric approach to data security. This allows for sensitive data to be protected at the moment of acceptance and remain protected throughout its lifecycle in the organisation.
Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale. And unfortunately, POS systems are often the weak link in the chain — they should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.
Fast food, and any businesses using POS systems, can avoid the impact of these types of advanced attacks. Proven methods are available to neutralise data from breaches either at the card reader, at the point of sale, in person or online. Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organisation handling card payment data.
The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The attackers get only useless encrypted data.”
Rice also offers these tips for retailers:
“Only collect customer data that you need and can adequately protect. Why do you need date-of-birth or social security numbers, for example? Encrypt or tokenize everything you determine to be mission-critical.
Protect data at the moment of submission by the customer. Criminals know to embed malware near to data acceptance points, like point-of-sale systems or web front-ends.
Only unprotect or unencrypt data when absolutely necessary. A high percentage of the time, applications and users can work equally well with a surrogate value.”
