Last month I had the opportunity to listen in on a webinar where George Peabody, Director of Emerging Technologies Advisory Service for Mercator Advisory Group, spoke on the importance of securing offline data that is frequently stored in and on POS servers and POS terminals.
According to his research, the #1 type of stolen data is payment card data, making it more important than ever for merchants to make sure their payment systems are up-to-date with the latest technology that meets the current PCI Data Security Standards (PCI-DSS).
“Bottom line,” said Peabody, “you don’t want to capture or store exposed data.”
While Wal-mart has been making headlines recently with their very public push for US adoption of chip-and-pin (also known as “EMV” for Europay, MasterCard and VISA, a smart-card technology that is largely deployed elsewhere around the world), Peabody says the truth is that we are about 5-10 years away from seeing a widespread roll-out because of the huge implementation costs involved for merchants, issuers, and processors, which leaves a lot of time to be risking exposure with our current systems. And, since the total fines and costs associated with a security breach for small merchants average around $25,000 and up, the implications are far too great to be ignored.
However, even though the US adoption of the highly endorsed chip-and-pin technology may be years away, Peabody urges retailers who are currently planning a POS refresh to invest in a device that has an EMV or chip-and-pin reader built in, because the mandate might come “sooner rather than later,” saving retailers a lot of money down the road.
So, what can retailers do now to significantly reduce the likelihood of a costly security breach? For one, they must make sure that they are currently using PCI PED approved devices that protect stored and “in-flight” data on credit and debit card terminals by applying one or both of the following technologies:
- Tokenization
  - Replacing the primary account number (PAN) with a proxy number for storage
  - Mapping of PAN to proxy number maintained in the merchant’s data center or another 3rd party facility
- Encryption at the POS
  - Encrypting card data at the POS
  - Moving encrypted data through the security zone from merchant to processor card network
For US retailers, the responsibility to maintain card-holder security has gone from being “an international concern to a huge financial liability,” and since most retailers can’t afford to not implement PCI PED approved credit and debit card terminals, the time to discuss upgrades with your technology vendor is NOW. (NOTE: July 1, 2010 was the deadline by which non-PCI PED approved devices must be removed from service.)
For more information on how tekservePOS can help you upgrade to PCI compliant technology, click here. Or, to learn more about the latest in retail technology, as well as the many issues regarding PCI compliance, click here to see the agenda of topics that was covered at tekSESSIONS in November 2010.
As always, we invite you to join our LinkedIn Group, Retail tekSPERTS, and continue the discussion. Or, follow us on Twitter @tekservePOS and “Like” us on Facebook for all of the latest developments in retail technology!