What’s next for data security?

According to Boston Retail Partners’ 2015 POS/Customer Engagement Benchmarking Survey, payment security ranked among retailers’ top three priorities for 2015, the first time it has done so in the 16 years of the survey. More than 63 percent of respondents indicated that payment security and protecting the confidentiality of sensitive information are among their top three priorities.

The emphasis on payment security is front of mind as many stores are rushing to meet the October 2015 deadline to support EMV (Europay, MasterCard and Visa). In October, retailers without EMV-capable payment terminals will be liable for the cost of fraud-related chargebacks if a lost or stolen card is used in their stores.

Ten of the retail respondents to the Boston Retail Partners (BRP) survey already support EMV-based transactions and another 65 percent plan to support them by the October deadline. The survey of more than 500 top North American retailers was taken in November and December.

Encryption and tokenization are seeing strong investments from retailers. EMV weakens the incentive for thieves to steal credit card information by requiring that the physical card (and its security chip) be present at the transaction, but does not actually reduce the risk of a breach, BRP noted.

Thirty-five percent of survey respondents indicated they are already able to encrypt credit card data at the swipe and another 45 percent plan to implement that capability by October 2015.

Likewise, one third of the respondents have implemented tokenization for payment processing and another 40 percent plan to implement it before October 2015. Tokenization enables retailers to remove sensitive information from their networks: once card or transaction data has been replaced by a unique token, the original card number cannot be recovered from the token, so the tokenized data is worthless if it is compromised.
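To make the tokenization claim concrete, here is an added illustration (not from the article or from BRP) of how a vault-based tokenization service works: the retailer’s systems keep only a random token whose last four digits match the card for receipts, while the mapping back to the card number lives in a separate vault that only the payment provider can query. The class and function names are assumptions for this example; the sample card number is a standard test number, not real data.

```python
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn checksum.

    Used as a basic sanity check on input, and also to make sure a
    generated token can never be mistaken for a real card number.
    """
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault (example only).

    In a real deployment the vault lives in the PCI-scoped provider
    environment, and the retailer's POS and back-office systems only ever
    see tokens. Tokens are random, so nothing about the PAN is derivable
    from them; the only way back is detokenize(), which the retailer
    should not be able to call.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}  # reuse one token per card

    def tokenize(self, pan: str) -> str:
        """Replace a card number with a random, format-preserving token."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Keep the last four digits for receipts and customer service;
            # everything else comes from a CSPRNG, not from the PAN.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice: reject tokens that pass Luhn so a token can never
            # be confused with (or accepted as) a genuine card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Provider-side only: recover the PAN for authorization."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


def mask(token: str) -> str:
    """Display form for receipts: only the last four digits are shown."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed: a well-known test number
    tok = vault.tokenize(test_pan)
    print("stored at retailer:", tok, "->", mask(tok))
    print("recovered by provider:", vault.detokenize(tok))
```

Because the token body is random rather than a hash or encryption of the card number, an attacker who dumps the retailer’s transaction database learns nothing that can be turned back into a card number; the breach-worthy data has moved into the vault, which is the point BRP makes above.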

BRP wrote in its report: "The industry seems to have moved from thinking that ‘it better never happen and if it does someone will be fired,’ to ‘it’s going to happen, so how can we make sure that we mitigate the damage, and protect and secure our data.’"

A survey of around 200 retail industry professionals, conducted by ACI Worldwide at the NRF Big Show, found that 39 percent have already increased investments in payment security initiatives as a result of the past year’s data breaches, while 20 percent indicated they plan to increase such investments over the next 12 to 24 months. ACI likewise found that many were not yet EMV compliant.

Lynn Holland, VP, ACI Worldwide, said in a statement, "Many retailing customers with whom we speak are taking steps to address the EMV requirements, but like any major undertaking, are trying to manage this along with other payment security, IT and technology initiatives."

Discussion Questions

How confident are you that EMV, encryption and tokenization will be enough to quell retail’s data breaches?

Nikki Baird
9 years ago

Personally, I’m more annoyed with the banks/card-issuers on this topic than anyone else. Retailers definitely seem to want to outsource the issue as much as possible, so that no potentially breach-worthy data passes through their hands, either because it is encrypted or tokenized, or because they never have to touch it at all. But throw in EMV and this whole “chip and signature” diversion, which significantly reduces the security benefits of EMV, and card issuers are playing a dangerous game by confusing consumers and signaling to retailers that they aren’t serious about reducing fraud.

Paula Rosenblum
9 years ago

Nothing is going to quell data breaches. Perhaps there will be fewer payment data thefts, but we seem to have moved beyond that in the past year.

What’s scarier? Fifty million credit cards stolen from Home Depot or 50 million patient data records stolen from Anthem? Or all the stuff that North Korea stole from Sony for the purpose of blackmailing them?

Security is a process. It is now as much a part of our lives as assortment planning or supply chain management.

I certainly agree with the idea that it’s not a question of whether or not you’ll be breached. It’s a question of how quickly you’ll figure out you have been breached and mitigate damage.

Still, EMV is important, and I remain completely flummoxed at the banks’ total resistance to going to full chip-and-PIN. Why would they be opposed to another layer of security? It remains completely beyond my comprehension.

Ralph Jacobson
9 years ago

Will these measures ever be enough? The more technologies emerge with new capabilities, the more hackers will try to compromise them. There are some fantastic tools available today, as well as industry efforts to combat these threats. As in life, however, there are no guarantees.

Cathy Hotka
9 years ago

Equating EMV with data security is like equating PCI with data security—well-meaning, but just another stab at a magic bullet.

The Sony hack proved that companies may have way more data online than they think they do. While retailers prepare for EMV, they may also want to have a third party like Verizon conduct an audit to determine what data might be lost in a breach. They may be surprised at the results.

David Dorf
9 years ago

EMV protects from counterfeit cards being used in card-present scenarios. It doesn’t address card-not-present nor does it address most breaches since by default the card data is not encrypted. Tokenization has been added to the EMV spec, but it’s not yet required.

Secure technology exists (Apple Pay is using it) but the card ecosystem (issuers, acquirers, merchants, networks) is slow to adopt it as it requires many changes to the existing systems. We’ll get there eventually, but in the meantime there will be more breaches. EMV alone is not the answer.

See Payment in the Retail Industry for more information.

Liz Crawford
9 years ago

This feels like it’s finally here, and even so it is probably only one step closer to “real” security. I envision “real” security as being a combination of biometric keys (iris scans, fingerprints) and encryption.

Alan Lipson
9 years ago

While EMV, encryption and tokenization will help to reduce the fraud and dollar value associated with data breaches related to payment information, it will not help to reduce the risk associated with the rest of the data and information that the retailer holds.

As we have seen with the Sony breach and now Anthem, there is much more data/information that can be obtained through a breach that can affect the reputation and business operations of an enterprise.

For a retailer, what are the impacts of hackers getting into supply chain systems, the HR systems and other customer information systems? As the retailer wants to engage in a more customer-centric conversation there will be much more individual customer information available to be breached.

It is important that retailers look at their data and information as a valuable asset and put processes and tools in place to ensure the security and privacy of these assets, not just the payment data.

Ian Percy
9 years ago

The common approach to cyber security is like treating symptoms without getting to the heart of the problem. This is a little self-serving because I’m working in this space, but IMHO until we accept the real possibility of fault-free software, privacy and security will escape us. You might be interested in this paper published by the Information and Privacy Commission of the Government of Ontario, Canada.

Gajendra Ratnavel
9 years ago

This is part of the security evolution. I am confident it is good for now, but retailers need to be on top of security standards and evolve/adapt as vulnerabilities are exposed.

Gordon Arnold
9 years ago

We are in the world of transactions which are measured by the billions per minute. The technology discussed here is not error-free and slow even for today’s central processing units. If there was much hope for this it would have been installed and used by the banking and insurance industries long ago. There are better answers with lower investment and support costs. We must also understand how the vast majority of theft occurs in all business types. The data is almost always stolen from inside the company by contractors and employees for sale to various criminal enterprises and or competitors. The public is very worried about the data losses over the past several months by what were once considered highly safe and secure retailers, but this is small compared to what is going on out there.

Data and code theft is a business second only to the illegal arms business on a worldwide scale. For those of you interested in this present-day nightmare, look into how many of the computer viruses and worms were originally designed by private corporations as security tools to ward off or catch system intruders and data thieves. The risks associated with doing business have never been greater, but the rewards are ever more immense. Big problems happen very quickly when corporations chop IT budgets to bits with no knowledge of or concern for the ramifications. After all, it is the consumer or taxpayer, and never the foolishly ill-prepared leadership, that always pays in the end, so why worry about it?

Dan Frechtling
9 years ago

There were over 700 data breaches in the past two years, including Target, Michaels, P.F. Chang’s, Dairy Queen, Neiman Marcus, Home Depot, K-Mart and so on.

It takes a combination of approaches to stop fraud. EMV, encryption and tokenization are important steps, but they are merely counter-moves in an ongoing arms race. Add 3-D secure, P2PE, universal publication of SS numbers, and other emerging approaches to the consideration sets. A layered approach is best.

Independent groups like Anonymous and shadow state-sponsored hackers like Guardians of Peace and Deep Panda are singularly focused on cracking data stores and causing breaches.

Paul Kleinschnitz of First Data says it best: “Improving payment data security isn’t going to inspire a generation of cyber criminals to teach math in Belarus. If we lock the front door, they will come in through a window.”

It’s an arms race, and there is no silver bullet.
