Fend Off Malware Trolls With Encryption

This 'evil software' is often placed in POS systems

For hackers looking to steal financial data, malware is usually the weapon of choice. Data breaches caused by malware can be devastating to a chain’s profits, image and customer security.

And they happen all the time.

There were 1,093 recorded data breaches involving more than 36 million customer records in 2016, according to the Identity Theft Resource Center, San Diego. And because many data breaches go unreported, there likely were more.

Ruston Miles, chief innovation officer and founder of Bluefin Payment Systems, Atlanta, describes malware as “evil software” placed in the point-of-sale (POS) system. The software can go undetected like a troll under a bridge. And just as bridge trolls carry off unsuspecting travelers, malware siphons off consumer data that passes through the POS system and sends it back to the hacker.

Keeping virus protection software up to date and training employees on safe online practices are important, but neither course of action will have much effect if a retailer’s POS software is already infected with malware. The key is point-to-point encryption (P2PE), which encrypts card data at the moment it is captured in the card reader, so that it stays unreadable as it passes through the POS and the merchant’s network and can only be decrypted by the payment processor at the other end.

“We call that devaluation—it devalues the data. That way if the hackers put malware in … all they’re going to get is useless data,” Miles said. “It’s encrypted data that they can’t get at.”
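To make the devaluation idea concrete, here is an added example (not Bluefin’s product or any real P2PE implementation): a card reader encrypts the captured track data with AES-GCM before handing it to the POS, the POS only ever forwards an opaque blob, and only the processor holds the key. A DLP-style scan for Luhn-valid card numbers, run over what the POS process handles in each case, shows the plaintext capture exposing the card number and the encrypted capture exposing nothing. Assumptions: a single static key generated here stands in for the HSM-managed key injection and per-transaction keys of a validated P2PE solution; the sample card number is a standard test number, not a real account; Terminal, Processor and FindCardNumbers are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// Constructed sample: a widely used Visa test number, not a real account.
const samplePAN = "4111111111111111"
const sampleExpiry = "1225"

// Terminal models the secure card reader. The key is injected into it and
// never leaves the device (assumption: one static AES-256 key stands in for
// the HSM-managed keys of a real P2PE solution).
type Terminal struct{ key []byte }

// Processor models the decryption environment of the payment provider.
type Processor struct{ key []byte }

// NewKey generates a random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// LegacyCapture is what a non-P2PE reader hands the POS: plaintext track data.
func LegacyCapture(pan, expiry string) string {
	return fmt.Sprintf("%s=%s", pan, expiry)
}

// Encrypt runs inside the reader; the POS receives only the returned blob
// (base64 of nonce || ciphertext || GCM tag).
func (t Terminal) Encrypt(pan, expiry string) (string, error) {
	aead, err := gcm(t.key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(LegacyCapture(pan, expiry)), nil)
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt runs at the processor, outside the merchant environment. A wrong
// key or any modification of the blob makes Open fail.
func (p Processor) Decrypt(blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	aead, err := gcm(p.key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("blob too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// luhn reports whether a digit string passes the Luhn check.
func luhn(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindCardNumbers is a DLP-style check over data the POS can observe:
// it returns every Luhn-valid run of 13 to 19 digits.
func FindCardNumbers(observed string) []string {
	var found []string
	for _, m := range digitRun.FindAllString(observed, -1) {
		if luhn(m) {
			found = append(found, m)
		}
	}
	return found
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	term, proc := Terminal{key}, Processor{key}
	legacy := LegacyCapture(samplePAN, sampleExpiry)
	fmt.Println("legacy POS handles:", legacy, "->", FindCardNumbers(legacy))
	blob, _ := term.Encrypt(samplePAN, sampleExpiry)
	fmt.Println("P2PE POS handles:", blob, "->", FindCardNumbers(blob))
	pt, err := proc.Decrypt(blob)
	fmt.Println("processor recovers:", pt, err)
}
```

Because GCM authenticates as well as encrypts, a blob that is altered on the POS, or presented to a processor holding a different key, is rejected at Open rather than decrypted to garbage, so a merchant-side compromise can neither read nor silently modify the captured data.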

It’s important that retailers ensure that any encryption product or service is validated by the PCI Security Standards Council, a global forum on security standards for account data protection.

Unfortunately, upgrading POS systems to accept Europay, Mastercard and Visa (EMV) chip cards does not automatically protect users from malware infections. EMV protects against the use of counterfeit cards, but card data still passes through the POS in the clear, so it is just as ineffective as magnetic-stripe technology when it comes to fending off malware.

As more businesses and their customers become victims of malware-related data breaches, Miles predicts that eventually “someone will stand up, either the brands or the PCI Council, and say P2PE is no longer optional—it’s a requirement.” Until then, it’s up to retailers to arm themselves against the evil malware trolls.