The data breach landscape could look very different in the future with the increased adoption of chip-enabled payment cards in North America — but for now point-of-sale systems account for the majority of breaches there, compared to a tiny minority in other regions of the world.
Hacked point-of-sale (PoS) terminals were responsible for 65 percent of the data compromises investigated by security firm Trustwave last year in North America, compared to only 10 percent in Europe, the Middle East and Africa and 11 percent in the Asia and Pacific region. Worldwide, the company investigated 574 breaches, half of them in the U.S.
The difference between PoS breach numbers in North America and other regions is largely due to a payment card standard called EMV (Europay, MasterCard, and Visa), which mandates the use of electronic chips in cards for antifraud protection. These are also called Chip-and-PIN or Chip-and-Signature cards and they have only recently started to be introduced in the U.S. and Canada.
The chip is used to authenticate the cards to EMV-capable card readers. It also makes it extremely hard for attackers to clone the cards even if they steal the data encoded on their magnetic stripes, which is known as track data.
In regions where EMV has been the de facto payment card standard for a long time — almost a decade in Europe — fraud has shifted from transactions where cards are physically used to transactions where cards are not present, like those performed online. As a consequence, attackers there are more likely to target e-commerce websites, from which they can extract card information that can be used to perform fraudulent transactions online.
That's not yet the case in the U.S., where card track data and PoS systems remain the primary target, according to Trustwave's 2015 Global Security Report released Tuesday.
However, while EMV can control fraud, it does not provide complete security, said John Yeo, vice-president at Trustwave. It shifts fraud to transactions in which physical cards are not used, where cybercriminals have fewer options to extract cash. Companies should not assume that with chip-enabled cards the cardholder data is automatically safe and that security can be ignored, he said.
Worldwide, compromised point-of-sale (PoS) systems were involved in 40 percent of the breaches investigated by Trustwave, compared to 33 percent in 2013. The only business assets that were even more frequently targeted by attackers last year were e-commerce applications, which accounted for 42 percent of breaches.
Retail (including e-commerce retailers), food and beverage and hospitality businesses suffered the largest number of data breaches, accounting for 68 percent of the cases investigated by Trustwave — retail 43 percent, food and beverage 13 percent and hospitality 12 percent.