EMV Spells Holiday Trouble For Retailers

This week, EMV remained center stage in retail security news, as the battle between banks and retailers over fees and adoption of new security measures continued to play out on a very public stage. Meanwhile, a number of other security issues, some surrounding EMV, are also coming into sharper focus as the busy holiday retail season gets ready to kick into high gear.

Here are some of the security stories that are important for retailers right now.

Walmart CEO Says EMV Will “Wreak Havoc” On Holiday Shopping

In a recent Retail Dive article, Walmart Senior Director of Payment Services John Drechny, who was involved in transitioning the company to new EMV protocols, stated that EMV could slow down checkout lines and lead to a loss of sales during the important holiday season.

However, some experts believe there may be a silver lining should EMV readers prove to be a clunky experience for shoppers: More may be driven to adopt mobile payments.

“As long as new mobile systems meet or exceed the security of the cards that they might replace,” Nicko van Someren, CTO of Good Technology, told Retail Dive, “the barrier to adoption is always going to be whether using your mobile device can be made easier than grabbing your ‘top of wallet’ card.”

New Reason For Retailers To Dislike EMV: Long Lines

A recent New York Times article articulated some of the ongoing controversy around the shift to EMV-enabled payments for retailers. The shift in security measures and liability has pitted the retail industry against the banking industry in a battle that continues to intensify and remains front and center in payments news.

The dispute centers on interchange fees, which merchants pay to banks in order to process credit and debit transactions. Last year the banking industry collected $61 billion in interchange fees from merchants, while fraud accounted for only $30 billion in losses.

“The real savings is not about fraud; the real savings is about interchange,” David Robertson of The Nilson Report told an NYT reporter. While the banking industry maintains that the shift to EMV was driven by the weak security infrastructures of retailers, merchants are upset that they’ve had to foot the bill for updating their systems to read chip-enabled cards, which they say does not go far enough in protecting them and their customers against fraud.

In recent months, the fight has been taken to Capitol Hill and in front of several states’ attorneys general. In October the Georgia attorney general, along with the attorney general for Connecticut, sent a letter to their colleagues warning that chip technology was not enough; credit cards needed a PIN, too. Earlier this week, eight more attorneys general added their voices to the rallying cry in a letter to Visa, MasterCard, JPMorgan Chase, Bank of America and other institutions urging them to adopt the PIN technology. However, they stopped short of suggesting that they were petitioning for a change to the law that would make such safeguards mandatory.

The finger-pointing continues, with each side accusing the other of dragging its heels on adopting security measures; by some estimates, nearly half of retailers have yet to turn on their chip-reading devices in stores, while others claim only 19 percent of cards issued by banks were chip-enabled as of the EMV deadline.

“We think the focus should be for retailers to turn on their chip readers and use the technology that’s available to them,” said James Chessen, executive vice president and chief economist at the American Bankers Association.

As the battle rages on, stakeholders on both sides will be keen to see how it unfolds, although they may have to wait awhile as both sides seem to have dug in their heels with no signs of relenting.

POS Malware Could Create A Holiday Hangover

This past week, Tech Times reported on two separate pieces of malware detected by analysts. The programs, which have been operating in stealth mode for as long as several years on the networks of some retailers, go by the names AbaddonPOS and Cherry Picker and represent some of the savviest malware detected in POS networks to date.

Cherry Picker, which may have started running malicious actions as early as 2011, originally targeted retail stores, but digital security analysts say it has evolved. The malware now features updated card-ripping capability, persistence mechanisms and anti-analysis decoys, which allow it to operate undetected on security networks. The most recent victims of cybertheft at the hands of this malware are food industry clients who use POS systems for their purchases.

Eric Merritt, a security researcher at Trustwave, points out that the malware deceitfully erases evidence of its own existence after completing its work. By overwriting the files again and again, the malware goes undetected and removes evidence of itself in the system’s data logs. The malware mostly impacts those systems using Windows 7 and Windows XP by running remote admin services.

Experts from Proofpoint, a payments security company, also blew the whistle on the AbaddonPOS malware and released several statements describing in detail exactly how it works.

“Point-of-sale malware has been implicated in some of the biggest recent data breaches, striking retailers, restaurants, hospitality and organizations from a variety of industries and often targeting consumers in the United States,” Proofpoint said in a statement.

The infection begins with Microsoft Office documents, which can then download a program called TinyLoader; TinyLoader in turn infects the POS device with AbaddonPOS.

Proofpoint warns that the holiday shopping season may lead to an increase in the number of vulnerabilities in the retail sector. What’s more, with the adoption and deployment of EMV credit card technologies, POS malware danger is likely to increase in the United States as attackers look for new ways to breach retailers’ payments infrastructures.