Retail Data Security Breaches
Increased Consumer Concern Over Credit Card Privacy at Online and Offline Retailers
Over the past few years, the personal information of millions of credit and debit card users has been jeopardized through data breaches at major retail stores, causing heightened concern and loss of sales. Retail Federations, such as the NRF, claim that the primary reason why credit card data is so easily stolen is because the U.S. financial industry still uses 1960s technology while criminals have quickly adapted to the 21st century. Let that sink in.
Despite retailers’ current efforts and the recent transition to chip-and-PIN cards and EMV-compliant POS hardware, consumers still feel wary about the safety and data security of their credit and debit cards. And we don’t blame them. Just in 2015, it was reported that close to 780 million data records were compromised as a result of 1,632 security incidents. With news outlets constantly spitting out information on retail data breaches left and right, it’s no surprise the possibility of future incidents is top of mind.
Unlike furry key chains, data security is no passing trend for consumers as many believe retailers could be doing more to keep their data secure. Many are willing to go so far as to stop shopping at retailers who are unable to protect their data. This means millions, and we would go so far as to say, billions of revenue down the drain if retailers don’t act and take these concerns seriously.
We came across a recent study conducted by KRC Research in April 2014. The research polled 2,005 Americans ages 18 and over who regularly use one or more credit cards, and was conducted via a 12-minute online survey. Below is a short summary of the key consumer concerns and what retailers need to do to protect their shoppers and their businesses.
First, let’s begin by summarizing the top consumer data security concerns…
- There is a widespread heightened awareness and concern regarding recent data breaches at major retailers, causing changes in consumer shopping habits and expectations.
Aided Awareness of Retailers' Data Breaches
Awareness of recent retail data breaches is nearly universal. Nearly all (9 out of 10) consumers say they have heard about credit or debit card breaches at major retailers over the last several months, with the breaches at Target (95%) and Michaels (39%) being the most memorable. Consequently, these well-known data breaches have impacted sales; Target suffered a 46% drop in profit in the fourth quarter of 2013 that has been widely attributed to its data breach.
This widespread awareness has also had a large and potentially lasting impact on consumer concerns and behaviors. Nearly 7 in 10 report being more concerned about data security now than they were six months ago and 6 in 10 say they are now paying more attention to retail-related data security news. In other words, consumer sensitivity is heightened and major retailers suffering a breach may encounter reputational damage as a result.
Likely as a result of this heightened awareness, only 36% of consumers currently feel extremely or very secure paying with credit cards and only 32% feel the same way about paying with debit cards. This has broad economic implications for businesses, as economic and psychological research has long shown that consumers tend to spend more when paying with credit cards than when paying with cash.
Personal Information Safety Assessment
Unfortunately, few are optimistic about the future of data security. In fact, a majority of consumers (6 in 10) fear that the number of data security breaches such as those that happened at Target and Michaels are going to increase over the next year. This suggests that in order to prevent any further loss of customers, retailers must act quickly and deliberately to inform the public about the steps they are taking to ensure the security of their personal data.
- Consumers take data security issues very seriously, and they want retailers to do the same.
Personal Security Concerns
93% of consumers say they are concerned about the security of their personal credit and debit card information. To put this in perspective, that is higher than the number who say the same about the privacy of their online communications (86%), their health (84%), the state of their retirement savings (81%), or losing their cell phone (63%).
Consumers want to know that the retailers they shop at take their data security seriously. 81% of consumers say they would be angry to learn that their favorite retailer was not already using the best available technology to protect consumer credit and debit card information.
Estimated Cost of Recovering Stolen Identity
Some of this concern might exist because consumers see recovering a stolen identity as a burdensome and expensive task, with six in ten believing that this process would cost them more than $1,000. With consumers believing this is such an expensive problem, it is even more important for retailers to ensure customer data is as secure as possible.
Specific Data Security Concerns
Consumers are willing to take action to safeguard their data. They report a willingness to change their shopping behaviors by either forgoing credit and debit transactions (76%) or entirely avoiding a particular retailer (38%) if they had personally suffered from a data breach.
Target has experienced the impact of this feeling firsthand: the percentage of US households shopping at the retail giant fell from 43% in January of 2013 (before the breach was made public) to 33% in January 2014, after the news broke.
- Consumers are wary of existing data security practices and think that retailers can and should be doing more to protect their data.
Most consumers hold retailers at least somewhat responsible for the data breaches they experience. An overwhelming majority (80%) think that retailers could be doing more to protect their personal credit and debit card information.
To keep their personal information safe, consumers favor strict regulations on retailers so that breaches are avoided and all necessary precautions are taken. 95% support national information sharing standards in the event of a data breach. 93% support reasonable government-mandated data security requirements.
What’s shocking to note is that according to Dark Reading, only 10% of retailers haven’t reported any cyber security exposure in documents filed with the Securities and Exchange Commission since 2011. Even then, only 9% recognize outsourced vendors as a possible threat source and less than 10% have purchased insurance to cover any accidents and exposures. Strictly speaking, retailers don’t seem too concerned with data security.
- Data encryption technology is seen as a promising safeguard against the loss of personal credit and debit card information.
Simply having solid response measures in place in the event of a data breach may not be enough, according to consumers. They want retailers to be proactive in preventing data breaches, taking steps such as employing the best available technology to secure customer data. One particular solution that consumers see as promising is encryption technology.
9 in 10 consumers see encryption technology as a very appealing service that a retailer could offer to protect consumer data (with 6 in 10 saying it is very appealing). By comparison, only 46% say that fraud and identity protection services are very appealing.
When told about Point to Point Encryption technology, 97% of consumers say that they think it could help protect their information from theft. Consumers are even willing to change their shopping behaviors at retailers that incorporate this technology, with more than 8 in 10 reporting a willingness to shop more frequently at those stores. Half of consumers are willing to pay more for goods and services in return for the peace of mind of knowing their information is secure.
- Consumers expect a proactive approach when it comes down to data security.
Consumers are looking for more notifications from retailers, with nearly all believing that companies should disclose the occurrence of a data breach to their customers. Most believe this is currently a requirement.
Consumers strongly agree that there should be a national standard for reporting on data breaches and say that the government has a role to play. To a slightly lesser extent, consumers also agree that companies should be investigated for deceptive or unfair trade practices if they fail to protect consumer data.
Challenges Retailers Experience in Protecting Cardholder Data
“Hackers are typically looking for one thing…money; and credit card data means access to money. So, ‘Why is it so hard to protect cardholder data?’ because of a number of challenges,” said Vantiv’s Vice President of Security and Risk Products, James Zerfas.
“Cardholder data is operational (authorization requests, data analytics, customer support, settlement, etc.), which means that at some time a person or system will need the data we’re trying to protect. Security and breach prevention would be easier if the only requirement was to protect the data. But, by purposefully ensuring that the data is accessible for operational reasons we are also ensuring that the data is automatically more vulnerable,” James continues.
Additionally, “systems are dynamic, not static, and logistically difficult to manage across multiple locations that span towns, states, regions, and even countries. Once a vulnerability is discovered, the ability to address it consistently and instantaneously is inherently problematic.”
James concludes by stating “not all risk is systematic; there will always be a human element… cameras, external skimmers, bad policies, poor training, fraudulent employees, are all non-systematic ways cardholder data is lost.”
What are the next steps for retailers? How can retailers overcome data privacy and security challenges to protect their bottom line?
Strategy and Education Go Hand-in-Hand
Retailers beginning to focus on data security can start by establishing an in-depth security strategy and by creating a workplace culture of innovation. “There are two key factors which must be taken into consideration when protecting customer data: infrastructure planning and employee education,” said Kevin Glendenning, President at Starnix Inc.
All employees must be trained and educated in creating effective passwords, using the network safely, and dealing with personally identifiable information. “It is also important that all systems and devices in a company’s infrastructure be kept up to date with security patches and advisories; however, this alone is not enough. Businesses must be proactive with emerging technologies as threats evolve. Target’s use of 3DES encryption, for example, played a key role in allowing attackers to bypass their encryption through a series of brute force attacks in 2014,” continues Kevin.
“Beyond the technology, infrastructure architects must also plan their implementations with security in mind. Home Depot found itself in an unfortunate situation in 2014 when attackers leveraged a compromised third-party vendor account to ultimately install malware on the retailer’s self-checkout machines. Access to mission-critical systems should only be given to those who need it, and only to the level necessary for their specific role; this is especially true when third-parties are granted access to internal systems.”
“Employees and vendors with access to sensitive data must be educated on the dangers of ‘social engineering.’ Humans with access to critical systems remain the weakest link in the chain and represent an easy entry point for attackers, regardless of the security state of the systems.”
– Kevin Glendenning, President of Starnix Inc.
Replace Legacy Software and Hardware
Instead of allocating thousands or millions of dollars towards legacy systems, retailers need to consider investing in new technology with built-in security protocols and authentication systems. “Retailers with legacy software and hardware should ideally replace them. However, for legacy systems this is usually easier said than done. It is not uncommon for a company to rely on a piece of proprietary software that was written years ago (possibly even a decade or more). It was developed to meet a certain need at the time, and the developers have since moved on,” said Kevin.
“One consistent gap is that most infrastructure is inconsistent. Maintaining systems over time usually results in different vendors and different versions of hardware and software, which introduces complexity, varied capabilities, and inconsistent behaviors resulting in additional risks,”
– James Zerfas, Vice President of Security and Risk Products at Vantiv.
“If replacing your legacy software or hardware with a modern solution is not feasible today, then you must take every step available to protect that device. Understand and acknowledge that it is extremely vulnerable to attack, and adjust your infrastructure accordingly to limit access to the device as much as possible,” continues Kevin Glendenning.
Retailers should also consider implementing analytics-based security tools that can identify anomalous behavior in real-time and report this information to designated users for further investigation.
At the Store Level…
All network points must also be secured including POS terminals, e-commerce websites, third-party vendor links, and any mobile handheld devices used by retail employees.
“Look for ways to remove data from your systems and, if needed (for operational reasons), look for solutions like Point-to-Point Encryption and Tokenization that leverage the use of non-sensitive, surrogate values for these tasks,” said James Zerfas.
“Point-to-Point Encryption at the POS is the process of encrypting card data at the point of entry; specifically, a credit/debit PIN pad is injected with an encryption key which the PIN pad uses to encrypt the captured card data immediately. The PIN pad then sends that transaction information to the processor with the encrypted data, and the processor will then decrypt the card data at the other end,” explains Naftali Nathan, Head of POS at Magstar.
“Using a P2PE solution ensures that card data cannot be accessed from the retail location’s network; there is no card data being sent, just random numbers. It also reduces PCI exposure: your entire network is no longer in scope for PCI, and it reduces the amount of PCI paperwork required to be filled out every year. P2PE removes the threat of exposure from the Retail Operations.”
– Naftali Nathan, Head of POS at Magstar
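The P2PE and tokenization flow described above, as an added example that is not Magstar's, Vantiv's or any real PIN pad's code: the pad encrypts card data under its injected key before anything touches the store network, a store-side check confirms the PAN is not on the wire, and only the processor decrypts and hands back a surrogate token. It assumes AES-256-GCM as a stand-in for the key scheme a real pad uses, a constructed key, and a constructed test card number.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Transaction is all that leaves the PIN pad and crosses the store network: ciphertext, never the PAN.
type Transaction struct{ Nonce, Ciphertext []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead builds AES-256-GCM for the injected key (assumed stand-in for the DUKPT-derived keys real pads use).
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// PINPadEncrypt models the injected-key PIN pad: card data is encrypted the moment it is captured.
func PINPadEncrypt(injectedKey []byte, pan, expiry string) Transaction {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return Transaction{nonce, aead(injectedKey).Seal(nil, nonce, []byte(pan+"|"+expiry), nil)}
}

// ExposesPAN is the check a store-side data-discovery scan makes: does the PAN appear on the wire?
func ExposesPAN(tx Transaction, pan string) bool {
	return bytes.Contains(tx.Ciphertext, []byte(pan)) || bytes.Contains(tx.Nonce, []byte(pan))
}

// Processor is the only party holding the key; its vault (token -> card data) never lives in the store.
type Processor struct{ key []byte; vault map[string]string }
func NewProcessor(key []byte) *Processor { return &Processor{key, map[string]string{}} }

// Authorize decrypts at the far end (GCM rejects tampered or wrong-key data before any card data is
// seen) and returns a random surrogate token the retailer may keep for refunds instead of the PAN.
func (p *Processor) Authorize(tx Transaction) (string, error) {
	pt, err := aead(p.key).Open(nil, tx.Nonce, tx.Ciphertext, nil)
	if err != nil {
		return "", fmt.Errorf("processor: authentication failed, transaction rejected: %w", err)
	}
	raw := make([]byte, 16)
	must(rand.Read(raw))
	token := "tok_" + hex.EncodeToString(raw)
	p.vault[token] = string(pt) // lookup by token happens here, never on the retailer's systems
	return token, nil
}
```

A data-discovery scan of the store network (ExposesPAN) finding nothing is exactly the PCI scope reduction Naftali describes; the same scan over a pad that forwards cleartext would find the PAN immediately.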
James Zerfas ties it all together: “A great posture for any business is that getting breached is a matter of time, but make sure that what the criminals get access to can’t be used to commit fraud.”
Proactive Approach to Security
Retailers are easy prey for hackers. There is no need to rob a store when it’s easy for an opportunist to get into a system, get what they want, and get out without being caught. One of the first steps of dealing with retail security challenges is acknowledging their destructive potential and recognizing that no business is truly safe. Incorporating a data security strategy into existing business plans should be a top priority for retailers of all sizes.
Protect your data, protect your customer, and protect your business.
To download the full summary report of the research findings, please click here.