Another point-of-sale (POS) malware attack hit Kmart last month, affecting an undisclosed number of stores and customers. This is the second breach in three years for the department store, but – as with the 2014 breach – no personal information has been compromised.
Kmart’s parent company, Sears Holdings, released a statement confirming that some of its 624 stores were “infected with a form of malware code that was undetectable by current anti-virus systems and application controls. Once aware of the malicious code, we quickly removed it and contained the event.”
Chip and PIN
Kmart released few other details of the breach, but according to Brian Krebs, who first reported the story, at least two financial industry sources have verified Kmart’s claim that the breach has not affected all its stores.
Krebs also reports that the extent of the breach looks to have been significantly reduced due to the company’s implementation of EMV technology. This is one major plus in what is otherwise another blow for the floundering department store.
Despite dwindling sales and locations closing across the country, Kmart invested in the wholesale implementation of EMV technology, which enables chip and PIN transactions in its stores. Chip-based cards are harder and more expensive to counterfeit than cards that store data on a magnetic stripe.
Kmart customers who paid with chip and PIN cards are unlikely to have been affected and, as such, Kmart will surely feel that the cost of adopting this technology has been justified. This is in stark contrast to last month’s POS breach at Chipotle, for which the chain was criticised for not implementing such measures.
Protecting your POS systems
Cyber criminals are successfully attacking POS systems with alarming regularity. The breaches at Kmart and Chipotle are only two recent examples, with fast-food outlets Arby’s and Shoney’s, restaurant chain Select Restaurants, and clothing store Brooks Brothers among those targeted this year. It’s therefore important for organisations to implement effective measures to control the risk of malware and other external threats. Ideally, this begins by creating a number of policies aligned to the PCI DSS.
Documenting these policies shows your commitment to protecting sensitive information, and it’s also a key requirement for PCI compliance.
To help you create these policies, IT Governance offers a PCI Documentation Toolkit. It provides PCI-compliant templates and enables you to quickly and easily create your documentation, so you can build a robust system to protect your payment card data.