Avoiding the 'Inevitable' Breach: 4 Ways Retailers Should Amp Up Security
There's ample advice out there telling chief information officers how to build a breach recovery plan, but the key steps to avoiding such an event are not as clear.
For small, medium and large companies, the threat to both customers’ data and the company’s bottom line is real. This past August, the Department of Homeland Security announced that “Backoff,” an aggressive piece of point of sale malware, was responsible for breaches at several stores, and that it could afflict the networks of up to 1,000 other retailers.
There’s ample advice out there telling chief information officers, or CIO, to build a breach recovery plan, but the key steps to avoiding such an event are not as clear. The first move is to ensure compliance with PCI guidelines for basic data security. Beyond that, here are four steps to protect retail customers from a breach:
1. Know when to call for backup.
In today’s complex business environment, underpinned by cloud, mobile and other new technologies, it’s a real challenge to keep up with security news and monitor all potential weaknesses at all times. That can be a massive undertaking and one that shouldn’t always be left to the CIO.
After analyzing specific needs and security team abilities, the next step is deciding whether it makes sense to recruit outside help from auditors or other security experts, or if it’s time to hire a full-time chief information security officer (CISO), a person tasked with knowing about vulnerabilities and preventing them from harming business.
When Target's data was compromised, Karl Mattson, the retailer’s former global and cyber intelligence manager, argued that a CISO was the missing link. By June of last year, Target had staffed the role, tasking Brad Maiorino, who previously held CISO positions at General Motors and General Electric, with homing in on both internal and external risks and making sure key company stakeholders were always in the loop.
This staffing format allows a CIO to focus on overseeing business processes while relying on the CISO to dive deeper to ensure no security vulnerabilities are left undetected. For small businesses, bringing in a temporary consultant or part-time IT security professional should be sufficient to help minimize risk.
2. Avoid processing payments in-house.
It’s easy to understand the appeal of processing payments in-house, since businesses who do this may save a few cents per transaction. But it’s risky. Breaches have increased in frequency as more companies have transitioned to processing their own payments.
A breach at TJX in 2007 that cost the company $265 million and the recent Target breach of 2013 that totaled $148 million prove the high-risk nature of processing payments in-house. This creates a one-stop shop for hackers to access the information they’re after.
As cyber criminals get better at targeting in-house systems, the need to externalize payment processing also becomes greater. For the majority of retailers, cloud-based processing systems will add an ideal layer of security that eliminates the physical link between a customer’s card, a payment terminal and the in-store systems. The bottom line: Spend a bit more now to reduce the liability later.
3. Brush up on encryption and tokenization.
The most secure data is the kind cyber criminals can’t read. Encryption, tokenization- --or better yet, a combination of the two -- can ensure that customer information is extremely difficult to decipher. So how do the two differ, exactly?
End-to-end encryption ensures sensitive information requires a “key,” or a constantly changing numerical code to access. Data that’s in transit between point of sale systems and processing locations is effectively scrambled, making it illegible until it reaches an end point. However, effective management of encryption key access is a crucial step in keeping customer information secure.
Tokenization, on the other hand, isn’t a new practice, but it is a rising star in the payments industry thanks, in part, to the introduction of Apple Pay. Unlike encryption, it sends data from one point to another without the information ever being identified, scrambling it without the use of a key. If attackers are able to gain access to data, they still can’t view credit card numbers or passwords, but rather a fake version of the data. In many cases, the actual data is stored locally or by a third-party service, which are the only places it can be read correctly.
4. Understand and embrace emerging payment technology
The retail industry is going through significant changes right now -- from mobile payments to the adoption of EMV card processing. For the risk-averse, adding more payment options to the mix might seem like a dangerous route, but as these new tender types gain popularity, companies should support them to remain competitive. And as the threat of breaches grows, these new methods provide innovative ways to safeguard customer and business data.
With the October 2015 deadline for EMV compliance fast approaching, now is the time to implement chip-and-pin card readers. Sure, adopting the proper POS hardware and software just in the knick of time next year will avoid financial responsibility if a breach happens after the deadline but adopting EMV now means fewer gaps in stores’ security plans pre- October 2015.
With EMV’s three-pronged security system, each sale is linked to a transaction number, instead of specific credit card details, making it far more secure than traditional magnetic-stripe card payments.
Mobile is also making waves for its security capabilities. Some systems one-up not just traditional mag-stripe credit and debit payments, but even EMV. Those that access credit card information to complete purchases incorporate safety measures already in place through card providers, but they also bring the added benefit of transparency via real-time account alerts. Some also have features that help identify purchases and detect fraud early on. Plus, shoppers are likely to notice a missing phone faster than a missing wallet.
While all of the steps outlined above can play a key role in amping up security on their own, the best retail strategy blends them together. In other words, retailers can’t just pick and choose; they need to implement all of these methods to keep customer data safe.
Other tips to keep hackers at bay? Schedule training sessions and perform regular employee background checks to ensure all hardware and software is current.
And if disaster does strike, the best line of defense is a go-to approach for communicating the breach to customers quickly and effectively. After all, reputations and jobs depend on the trust of shoppers.