McAfee reports on the growing risks the industry faces from both legacy and newer point-of-sale (POS) systems, finding that retailers need to be more than simply PCI DSS compliant to protect consumer data.
“The industry is very fragmented with a large base of smaller merchants utilizing secondary market or used point of sale systems,” said Kim Singletary, director of retail solutions marketing at McAfee in a press statement.
Part of the problem: 38 percent of all retailers still run DOS or a legacy Microsoft Windows operating system, according to the 2012 IHL North American Retail POS Terminal Market Study.
This has spawned an environment where POS systems are updated too infrequently, creating vast windows of opportunities for criminals to find and exploit vulnerabilities. Once a new vulnerability is located, businesses using the same types of systems can be easily identified and targeted for attack. The vulnerabilities with POS systems that are not regularly updated increase the likelihood that consumers’ cardholder and personal data is at risk, according to the report.
The report also found that while larger retailers are consistently up-to-date in their PCI DSS status, smaller ones often let the issue slide (as evidenced by this compliance table).
McAfee recommends that consumers take the lead on researching a merchant's compliance status in order to gain visibility into how the merchant protects customer information. It also suggests that merchants move beyond the PCI DSS standards towards a more "active" security approach, exploring advanced technologies like whitelisting, integrity control, and hardware-assisted security to defend against the persistent threats they face every day.
“Merchants who do not have a broader security and privacy focus are leaving themselves vulnerable to susceptible systems and processes. If security, compliance and privacy adherence were more transparent to consumers, then retailers could look at these things as business differentiators rather than obligations,” added Singletary.
The full report can be downloaded as a PDF.