Breaches are a broken record that cry for encryption

While 2018 is just a few months old, it definitely feels like Groundhog Day when it comes to merchant breaches.

The hospitality industry saw another high-profile data breach recently at Applebee’s. According to the first report, on March 6 all 166 of the chain’s restaurants were hit with point-of-sale (POS) malware designed to steal payment card information.

Unfortunately, this is not a remarkable story. It is a tired, old piece of news that has been playing out every month since the December 2013 Target data breach.

Breaches are not a new phenomenon. They have been around since companies began transmitting and storing customer personal and financial data, and there was a market for the sale of this data. But 2017 rocked every previous year in terms of number of breaches reported, 1,579, according to ITRC, with a staggering loss of 78 million consumer records. Not only are breaches escalating across every industry, hackers are deploying more sophisticated attack vectors, including ransomware and phishing.

David Paul Morris/Bloomberg

But what makes the Applebee’s breach so frustrating is that the malware was able to find clear-text credit card information in the chain’s POS systems. Payment card-locating malware was the same attack vector used in the 2013 Target breach, the 2014 Home Depot breach, the 2015 Landry’s breach, the 2016 Wendy’s breach, and the 2017 IHG breach.

Which brings us to the age-old question we have been asking since Target. Why are companies not encrypting their customers’ credit card data? POS payment encryption products are widely available and have been for many years, from technologies designed to secure card data from the point it is entered into the payment terminal, including PCI-validated point-to-point encryption (P2PE) and its predecessor, end-to-end encryption (E2EE), to tokenization, which replaces stored credit card with a token of letters and numbers.

Every company that handles consumer financial data has only one of two choices in protecting that data. They can choose to Defend the Data or they can choose to Devalue the Data.

With the Defend the Data approach, companies build higher walls of security around their systems and networks, like adding more firewalls and intrusion detection systems, 24/7 monitoring, and constant patch updates. But in the process of maintaining such an extensive security program companywide, there may be unknown security holes that an IT staff doesn’t know about until it’s too late.

The Devalue the Data approach advocates that companies employ security technology, such as PCI P2PE, to devalue the cardholder data before it even reaches their POS, rendering the data useless to hackers if it is exposed.