Storing a customer’s payment details can save time, improve the customer experience and be more convenient than asking for details each time. However, a recent scandal in September saw 53 million email addresses stolen from Home Depot in the US, and put 56 million different payment cards at risk as a result.
And this is not the first occurrence of a data breach of this nature. We must consider whether it is safe, and therefore fair on customers, to store such vital information.
The attack happened because Home Depot’s self-checkout systems were infected with a unique malware that was put in place using a third-party seller’s email address and password. The attacker used these credentials to gain initial access to the computer system and then elevated their rights on the system until they could access the company’s point-of-sale devices.
The initial acquisition of the login details is the most crucial step in a criminal’s attack, argues Nir Polak, CEO of Exabeam. He says that “Once hackers gain a foothold on the network…they can jump to different users until they get to a level where they can create their own admin credentials that enable them to deploy malware on Home Depot’s POS systems.”
Of course, Home Depot is doing the right thing in informing those customers whose details were stolen and is warning them to be suspicious of any emails they may receive that ask for any personal details. It is also introducing chip-and-PIN technology and enhancing data encryption in order to reduce the risk of the problem, but this doesn’t mean it won’t happen again.
The worrying thing is that it is not just the primary attackers that have access to these details. Much of the time they will sell the details they obtain to other criminals and they could be used to plan phishing attacks on friends, family and other contacts, too. You never know whose hands these details could get into and who they could put at risk.
Data breaches such as this are just one factor that makes the storage of customer credit card data so worrying. Of course, like Home Depot, you could develop specific security measures to reduce the likelihood of such a thing happening in your business; however, the risk is never totally eradicated. Not only is this data theft an inconvenience to your company, it reflects badly upon it and may result in a lack of confidence in you from clients.
It is vitally important that, if your company will be storing any customer data, especially credit card data, you effectively encrypt it. You must do so in such a way that, if discovered by a hacker, it will be completely unreadable and useless to them.
Unfortunately, however, Armond Caglar says that “Attackers may still target retailers via vulnerabilities resident in their third-party business relationships and networks and still obtain sensitive, non-PCI data as well.”
Could this mean that no customer data or information that businesses store is ever safe?
The provision of PCI-compliant processes goes some way towards mitigating these occurrences, but the determined cyber-thief will always be looking to find a way around the most stringent of policies.
[Photo Credit: Sean MacEntee ]