By now, even most nontechnical folks have heard about Heartbleed, but how many companies have done something to protect themselves?
In short, Heartbleed is a security bug that exposed a vulnerability found in code used to keep access to websites secure; it may have affected as many as two-thirds of servers worldwide. That means an attacker gains the ability to anonymously download random bits of memory from a server –including unencrypted passwords and low-level encryption keys used for account protection, as well as other data.
That’s scary stuff although, unfortunately, that’s the price we pay for living online.
And retailers should be concerned, especially those operating eCommerce or mCommerce portals, because it affects any organization using OpenSSL. The Heartbleed flaw allows hackers to remove personal and financial information, often without a retailer’s knowledge.
In fact, any security breaches should be of concern to retailers. Many merchants, including Target, were misled into believing their payment systems featured PCI certified point-to-point encryption (P2PE) when they did not.
Virtually no U.S. merchants today have PCI certified P2PE technology, which leaves them open to facing the same breach scenario as Target or Michaels.
So, how do you deal with Heartbleed?
Retailers need to install the available patches to fix the flaw, and then re-issue their certifications. Taking these steps will ensure that sensitive information will be protected on the retail website moving forward.
To mitigate risk for a data breach, retailers need to check with their payment provider to verify that they offer PCI certified P2PE. If your provider doesn’t offer it, consider moving to another. Feel free to contact us if you have questions too.
The pending EMV requirements make this a good opportunity for a “one-two punch” technology upgrade, since many retailers will need to replace their POS technology to accept chip and PIN cards by October 2015 anyway.
Additionally, vendors offering certified P2PE solutions will help reduce the number of PCI compliance audit points a retailer is responsible from approximately 300 to a much more manageable 19.
And change passwords for most, if not all, important business accounts, especially banking passwords.
But what should you do if a breach does happen?
Retailers should invest in a forensic team to investigate the breach and determine what happened, communicate available information on the situation to customers who may have been affected and offer information on how the organization is remedying the situation. Extending assistance to affected customers in the form of resources on identity theft and credit monitoring services also is helpful.
Finally, whether you’ve been impacted or not, stay vigilant for anything suspicious. If it’s not Heartbleed, something else surely will be coming down the pike.
If you’re looking for a few extra tips, we spoke with National Jeweler’s Associate Editor, Brecken Branstrator and shared our knowledge, so merchants can better protect themselves against breaches. The article can be accessed here.