How consumers pay for products and services evolves just as rapidly as the products and services they're paying for. Case in point: mobile payments, the combination of payment cards and wireless technology that facilitates monetary transactions. Mobile payments can reduce transaction costs for buyers and sellers, and reduce the costs of circulating a cash supply – hence the growing popularity. However, this new payment technology presents many security challenges that must be addressed by merchants to keep customer data safe.
It's not just goodwill driving security initiatives for payment technology, compliance with the Payment Card Industry's Data Security Standards (PCI DSS) mandates that organization protect consumers. PCI DSS applies to any organization that stores, processes, or transmits cardholder data, and consists of a minimum set of security requirements and testing procedures designed to encourage and enhance cardholder data security.
Merchants in violation of PCI DSS can face hefty fines from payment brands (e.g., American Express, MasterCard, and VISA) and even lose the ability to process payment cards for goods and services. Additionally, if a consumer does make a purchase via mobile payment and their information is compromised (i.e., cardholder data), the merchant may be liable (especially if they do not proactively comply with standards).
Further, if adequate safeguards are not followed to meet PCI standards, consumers may perceive that payment card information is at risk and choose not to use a merchant's infrastructure. If people lose faith in the security of a payment system, they will stop using it and the system will eventually become useless. Merchants accepting payment cards need to comply with the PCI DSS to ensure they have implemented proper safeguards to protect cardholder data and secured their points-of-sale from attackers and intruders that put customer data at risk.
Today, there are three main types of threats that attackers use to capture and exploit mobile payment cardholder data. Fortunately, with a strong wireless intrusion prevention system (WIPS), merchants can detect and combat these threats and keep themselves and customers safe. Here are the top 3 most frequent and dangerous attacks and what merchants can do to protect their wireless LAN (WLAN) network:
1) DoS Attacks on WLANs
Denial of Service (DoS) attacks flood data networks with malicious data that can infect mobile devices with malware that may destroy, modify, or compromise cardholder data. DoS attacks are designed to disrupt wireless services by exploiting vulnerabilities in wireless connections at the physical and data-link layers. For example, RF jamming devices with powerful antennas can disrupt a mobile payment system from inside or outside the boundaries of a store.
Wi-Fi Point of Sale Terminals (POSTs), whether they are smartphones or vending machines, are susceptible to DoS attacks because the RF communication that sets up and maintains network and device connections can be spoofed – it has no encryption mechanism. Wireless attackers disrupt services to mobile devices by continually transmitting disassociation or de-authentication notices to phones that appear to be from legitimate access points. In effect, the phone will try to re-establish services, or re-authenticate, only to get immediately disconnected, over and over again.
Wireless intrusion protection systems can monitor and detect critical intrusions that may compromise cardholder data security or disrupt wireless payment operations.
Combatting WLAN DoS attacks: Organizations can deploy wireless intrusion protection systems that monitor and detect critical intrusions that may compromise cardholder data security or disrupt wireless payment operations. These systems detect attacks by continuously monitoring the Wi-Fi communication, tracking wireless connections and associations to store access points, and analyzing the RF environment for transmission sources that could disrupt communications or are from malicious devices. When attacks are identified, the WIPS will generate an alert so that IT security operations can immediately remediate the problem.