There’s generally not much love lost between credit card companies and providers of retail services that rely heavily on credit card transactions. The credit card companies recently began embedding chips in their cards that forced every retailer to upgrade their point-of-sale (PoS) systems at great expense. The theory is that credit cards embedded with chips will result in better security because the data on the card is encrypted. However, regardless of whether a credit card has a chip, every card still has a magnetic stripe on the back of the card. This was intended to make it simpler for retailers to make the required PoS system upgrades over an extended time. After all, not everyone could be issued a new card overnight. It also turned out the PoS upgrade process has been deeply flawed.
Cybercriminals, in the meantime, have become a lot more adept at dropping malware directly onto PoS systems that are increasingly connected to the Internet. In the case of Intercontinental Hotels Group (IHG), parent company for hotel properties such as Holiday Inn, Crowne Plaza, Kimpton and, of course, Intercontinental Hotels, it’s now being reported this week that PoS systems at 1,200 of the company’s properties had been infected by malware for several months before being eradicated. IHG is now experiencing all the joys associated with malware breaches, which include not just the cost of providing credit checks for potentially affected customers but also financial damage to its corporate brand that results from ongoing media coverage being generated around the world.
The issue in many IT security professionals’ minds, of course, is why credit card information still resides on a magnetic stripe that has proven to be vulnerable time and again. If there’s a chip on the card, there’s no need for a magnetic stripe. There may still be credit cards that don’t have chips in use today. But given the number of PoS systems now connected to the Internet, it should be obvious to all that those systems are going to be especially tempting targets for cybercriminals. That means it’s now incumbent on the credit card companies to eliminate all those magnetic stripes on cards that might still be in use with all due haste.
Of course, that also means retailers need to make sure the data they are storing remains encrypted as well. Retailers like to hold on to credit card data in case they need to either charge for additional services or refund a purchase. The trouble is that many of them don’t want to go to the expense of employing a third-party service to better secure that data. The result is a situation that is ripe for exploitation by cybercriminals who can now access PoS systems from almost anywhere in the world.
The sad truth of the matter is that the relationship between retailers and credit card companies today borders on the dysfunctional. But given the fact that both parties share a common cybercriminal enemy, the time may have come to put all that acrimony aside in the name of a much greater need to protect customer data.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.