For as long as customers have paid for goods and services, criminals have attempted to get their hands on shoppers’ hard-earned money. As payment methods evolved from simple cash exchanges to credit and debit payments, the tactics criminals employed became more sophisticated.
These days, shoppers and retail brands need to worry less about physical robberies and more about cybercrime. Instead of armed robberies, today’s crooks use digital brute-force attacks, point-of-sale (POS) attacks and card skimming techniques to pull sensitive data that can include customer credit or debit card numbers.
“There has been a definite evolution in POS attacks from simple storage scraping to active RAM skimming across all breach types,” wrote the authors of the Verizon 2015 Data Breach Investigations Report. “We can, however, see distinct differences between large and small organizations in the methods used to gain access to the POS devices. For small organizations, the POS device is directly targeted, normally by guessing or brute-forcing the passwords. Larger breaches tend to be a multi-step attack with some secondary system being breached before attacking the POS system.”
Although other industries experience more data breaches overall, according to the report, retail-focused attacks can grab millions of consumers’ payment information and create headaches for shoppers, stores and payment processors.
The worst news for retailers: It is difficult to win back customer trust after losing payment data to hackers. In fact, more than half (54%) of U.S. consumers said they would never, or would be very unlikely to, purchase from a retailer that had experienced a data breach where financial data was stolen, according to research from SafeNet. Retailers including Home Depot, Neiman Marcus, Staples and Target should find this especially troubling. They have all experienced high-profile data breaches involving customers’ credit and debit cards.
The good news for retailers, however, is that there are a number of security technologies available to help them lock down their customer records. The National Retail Federation (NRF) recently outlined six proposed solutions to help combat data breaches. These include:
- Expanding consumer liability protection for using debit cards;
- Issuing PIN-and-Chip cards that incorporate both computer microchips and use of a personal identification number (PIN) to authenticate transactions;
- Adopting end-to-end data encryption throughout the payments system;
- Developing open source, competitive tokenization standards;
- Passing a uniform nationwide breach notification law; and
- Bolstering federal law enforcement investigation and prosecution of cybercriminals.
“We should not be satisfied with simply determining what to do after a data breach occurs,” said David French, SVP for Government Relations at NRF. “Instead, it is important to look at why such breaches occur and what the perpetrators get out of them so that we can find ways to reduce and prevent not only the breaches themselves but the follow-on harm.”
Members of the entire retail ecosystem, which includes shoppers, banks, retailers and payment processors, are now taking many of these necessary steps to prevent future data breaches and minimize the damage of the ones that occur.
EMV Liability Shift Approaches
There is a big shift in payments afoot. While other security technologies, like encryption and tokenization, are transparent to consumers, this one requires their input. In October 2015, shoppers say goodbye to swipe and sign, and retailers assume liability for fraud if they have not updated payment terminals to accept cards that meet Europay, MasterCard and Visa (EMV) standards.
“Chip card security features make the chip payment data virtually impossible to use for counterfeit card fraud and greatly lessen the effects of payment data breaches,” said Randy Vanderhoof, Executive Director of the Smart Card Alliance, a multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. “So countries that have implemented chip technology have seen counterfeit card fraud drop by as much as 72%. Every U.S. card issuer and merchant today has a choice of when and how to implement chip technology with the knowledge of the prospective fraud liability shifts ahead.”
EMV payments use a microchip embedded in credit and debit cards to supply payment information to vendors. Stores could also ask shoppers to provide their Personal Identification Number (PIN) to complete the transaction, rather than the signature method commonly used in the past.
But EMV will not succeed in eliminating cybercrime as a standalone solution. “EMV is extremely effective in eliminating fraud that stems from counterfeit payment cards, but the implementation of EMV alone does not protect the entire payment transaction process,” said Andrew B. Morris, SVP Content & Business Development for Money2020, in a blog post.
Although this payment method might not be 100% secure, it does provide levels of security previously unseen in the U.S. In fact, the new security measures are sufficient to force a fraud liability shift. In the past, banks were responsible for the costs associated with fraud. In October, the liability shifts to the party that uses the lesser technology. This is why many card issuers already have begun sending customers chip-embedded cards. If both parties upgrade, the liability remains with the card issuer. In short, retailers must adopt POS terminals ready to accept EMV payments or foot the bill for fraud.
Unwilling to bear this liability, many retailers are scrambling to update their equipment. In fact, 59% of U.S. POS terminals will be capable of accepting EMV payments by the end of 2015, according to the Aite Group report, EMVelocity: Outlook For POS Re-terminalization And Mobile Payments. Larger retailers should lead the upgrade charge, but the report suggests that up to one third of smaller merchants are unaware of chip cards. Fortunately, there is help available to increase awareness and adoption for smaller merchants.
American Express, for example, offers a Small Merchant EMV Assistance Program that provides a $100 rebate to merchants who upgrade POS terminals. The cost of upgrading to an EMV-compliant terminal can be as little as $120, so this program drastically reduces the financial hit for SMBs.
“Unfortunately, many small merchants do not know about EMV or what they need to do to take advantage of it,” said Anré Williams, President of Global Merchant Services at American Express. “We created the Small Merchant EMV Assistance Program to help them. By providing financial and educational assistance, we hope small merchants more quickly adopt EMV so they can ensure their customers feel safe when shopping at their stores.”
The Most Secure Measures Remain Transparent To Consumers
Additional payment security measures take inspiration from espionage methods. Encryption, for example, uses an algorithm to transform plaintext information, such as a credit card number, into ciphertext (unreadable text). Thieves could still intercept the data, but it is useless to them without the “key” needed to run the decryption algorithm and return the information to its original format.
For example, thieves can intercept payment data as it transmits from a card reader to the POS or a retailer’s central server. Without encryption, credit and debit card numbers remain vulnerable. With encryption, those thieves receive indecipherable gibberish.
Retailers and payment processors seeking to encrypt payment data can use either:
- Session encryption, which encrypts the communication path the data travels (e.g., from a shopper’s computer to an e-Commerce site); or
- Data encryption, a more secure method that encrypts the information itself (e.g., the shopper’s credit card number) and requires either a single shared key or a public/private key pair to translate the ciphertext.
“Encryption of either data itself or the transmission path the data takes along the network, or both, can vastly reduce the vulnerability of the data, which in turn reduces a merchant’s business risks,” wrote Tim Horton and Robert McMillion in First Data’s A Primer On Payment Security Technologies: Encryption And Tokenization.
Tokenization is an additional security measure that substitutes payment data with a random number that is useless to anyone who intercepts it. For example, when a customer pays with their credit card, a centralized server receives the authorization data and generates a random number. Merchants receive this number and use it as a substitute for the actual card number.
Currently, Apple Pay is the most high-profile adopter of tokenization technologies. Apple Pay requires users to load and authenticate credit cards for use with the mobile payment app. Because card issuers already authenticated the payment method, when users tap and pay for goods or services they actually create a one-time use code that authenticates payment for the merchant. Neither the merchants nor Apple receives a customer’s actual credit card number.
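The tokenization flow described above (a processor-side vault hands the merchant a random substitute, and wallet-style payments produce a one-time code) as an added example, not code from the article or from any real processor; `TokenVault`, `luhn_valid` and the test card number are constructed for illustration:

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn checksum that genuine card numbers (PANs) pass."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault: the only place a token maps back to a PAN."""

    def __init__(self):
        self._vault = {}         # token -> PAN; never leaves the processor
        self._single_use = set() # tokens that are burned after one redemption

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        while True:
            # Random digits keep the PAN's length and last four so receipts still work;
            # a token that fails Luhn cannot be mistaken for, or used as, a real PAN.
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._vault and not luhn_valid(token):
                break
        self._vault[token] = pan
        if single_use:
            self._single_use.add(token)
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can do this; a merchant or eavesdropper holds no mapping."""
        pan = self._vault[token]             # KeyError: unknown or already-consumed token
        if token in self._single_use:        # one-time codes are consumed on redemption
            del self._vault[token]
            self._single_use.discard(token)
        return pan
```

A merchant that stores only the token (and the last four digits for receipts) has nothing of value to lose in a breach, because the vault mapping never leaves the processor.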
Although the technology solutions mentioned here reduce security vulnerabilities, criminal methods are constantly evolving. To help retailers stay ahead of the game, NRF and other industry organizations continuously update security guidelines to reflect current trends and standards. By keeping up with these guidelines in an effort to create the most secure payment environment possible, retailers can move the needle on protecting both their customers and their brand.
Part 2 of the report, 2015 Retail Payment Update, will appear in the April 28 newsletter.