Posts Tagged ‘Data Breach’

The cost of a data breach for retailers and merchants is rising every day, both in terms of dollars and brand reputation, taking into account costs for internal investigation, notification/crisis management and response. And soon, there may be another cost being levied on merchants from a different source: the government.

According to a recent article in the Financial Times, the European Union is considering a stiff fine for retailers if they fail to secure sensitive customer data. The size of the fine amounts to more than just a simple slap on the wrist. In fact, retailers breaching European Union privacy rules could be on the hook to pay a fine up to 5 percent of their annual revenue.

Although these rules are still in their infancy and, if passed, wouldn’t go into effect for as long as two years, they should still be a frightening proposition for all retailers. And it’s not just European retailers that should be concerned, since the rules are expected to also apply to European subsidiaries of foreign companies. It could also be an indicator of what may happen in the U.S.

If you think the rules may go without being enforced, you should think again. StorefrontBacktalk’s Evan Schuman wrote about this issue in a recent column, and speculated that the EU is likely to strictly enforce this legislation since they’re starved for cash and these fines could be a good way to raise money. Also, unlike credit card companies and other stakeholders that threaten to punish retailers, the government doesn’t necessarily have anything to lose from fining a retailer.

For example, Visa would probably think twice about punishing or terminating its relationship with Wal-Mart simply because the retail giant wasn’t on the cutting edge of data security. The loss of revenue from credit card transaction fees would simply be too great.

Although these rules could be years in the making, or never even see the light of day, they’re evidence that governments are starting to crack down on companies that aren’t making data security a priority. With 2011 being a banner year for cyber attacks and data theft, and the potential for the cost of a breach to continue to increase, the time is now for retailers to take a more serious look at their security posture.

With tokenization and encryption solutions available to retailers via the cloud, there is no reason why any company should not be PCI compliant and protected from data breaches. The costs are too high, both to the company’s coffers and its reputation.

Don’t let your company wait until it has to part with 5 percent of its annual revenue before you start to reevaluate how you store and protect payment card data.

By Michael Ryan

A little over one year ago, I authored a blog post in response to a new trend that was impacting retailers: skimming of credit card information in-flight directly from payment terminals in retail locations. It was around this time last year that Aldi, a discount grocer which operates 1,100 stores in 31 states, announced that terminals in 11 stores had been tampered with and were funneling credit card and PIN data to cyber criminals.

Despite the situation at Aldi raising awareness of this problem, it’s still an issue for retailers one year later.

According to a recent article, Save Mart, a chain of grocery stores based out of Modesto, Ca., issued a consumer advisory warning customers that 20 of its locations were found to have card readers that were compromised. It wasn’t clear whether the devices were replaced or simply tampered with. Regardless, there was the potential for sensitive customer information to be stolen.

In today’s retail environment, where getting customers in and out of the store quickly with their purchases is paramount, many retail chains have installed self-checkout counters. It was the card readers at the self-checkout counters that were compromised at Save Mart, which raises red flags for other retailers utilizing similar technology.

With data thieves getting increasingly bold and physically altering credit card readers, it’s becoming increasingly important that retailers remain vigilant and alert. This is especially true right now during the busy holiday shopping season.

As we discussed in a recent post, retailers that have even suspected that data thieves compromised sensitive financial information about customers have seen a significant impact on their wallets. From public relations campaigns to clear up negative press, to credit monitoring services for customers, companies are seeing the price tag of a data breach continue to increase.

Despite high profile breaches like the ones at Aldi and Michaels, POS systems and card readers at retail locations remain a significant security vulnerability for retail chains. With the cost of a breach skyrocketing and the sheer masses of holiday shoppers flooding retail outlets, now is the time to ensure that businesses do everything they can to protect themselves and their customers.

By Michael Ryan

While many of us were sitting on the couch, fighting our food-induced comas during the Thanksgiving holiday, merchants were scrambling to prepare for an onslaught of customers that were eager to take advantage of Black Friday deals.

Black Friday, which seems to start earlier and earlier each year, not only marks the busiest time of the year for merchants, but also predicts shopping trends, consumer confidence and the state of the economy for the coming year.

And this year’s Black Friday was in no way a disappointment. Shoppers showed up in droves and spent a record amount of money over the weekend. Black Friday spending this year was up 16% from the $45 billion consumers spent last year, according to a recently released survey by the National Retail Federation.

And that sales momentum continued into Cyber Monday, as many shoppers took to retailers’ sites looking for the best deals. Eight in ten retailers were prepared, offering special promotions to please these online shoppers.

Even more interesting is the number of shoppers that relied on their smartphones and other mobile devices to shop online. Compared to last year, the number of mobile users shopping online doubled.

And we don’t doubt that all these numbers are real. We saw it in our own operations. For example, our retail transaction volume for one of our large retail chain clients was a whopping 44% higher on Black Friday this year as compared to last year, and 38% higher on Cyber Monday.

In light of the retailers’ success, both in stores and online, it is important to stress that consumer confidence drives continued sales and brand trust. During the busiest shopping season of the year, retailers cannot afford to suffer a data breach and leaked consumer credit card information.

Now, more than ever, retailers must be diligent, which is why we’ve developed these three simple tips for merchants to keep in mind:

  • Know the network. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
  • If it is not needed, remove it. Many retailers keep cardholder data on the system even when it is not necessary. Nothing is more exciting to potential attackers than hitting the jackpot of payment information.
  • It’s not just technology, it’s people and processes. Merchants must educate and train staff to understand network security issues. Yes, the IT department must be aware, but it is just as important for cashiers to understand the risks and be trained to spot suspicious activity.

Retailers have a lot on their plate as they strive to hit their numbers during this holiday shopping season, but security shouldn’t be a leftover thought. A breach can not only cost retailers millions of dollars, but will also hurt consumers’ confidence and trust in the retailer’s brand. With such a significant impact, can the retail industry afford not to unwrap some extra security this holiday season?

We have always highlighted how the damage experienced after a data breach can have lasting negative effects on brand equity and reputation. A recent survey of nearly 850 executives, conducted by the Ponemon Institute, reinforced this by reporting that the average time it takes to restore an organization’s reputation after a breach is one year.

Following, from the ITAC blog, is a podcast in which Dr. Larry Ponemon discusses this study and what companies can do to best protect their reputations after a breach.


The top executives of retail companies have a list of business functions, products and services that they’ve been told they “just have to have.”

Public relations, marketing, advertising…all considered a necessity if you want consumers to know you exist. Information security hasn’t always been at the top of that list, but retail executives are starting to wake up and realize the negative impact a data breach can have on their company.

Why the change? Data breaches are hitting retailers where it hurts – in their wallets.

Just this week, the Financial Times featured an article on the cost of data breaches and the need for data security. The article references British mega-chain, Marks & Spencer, which operates hundreds of M&S department stores and Simply Food markets in the UK, as well as more than 325 locations in countries such as China, India, Indonesia, and South Korea.

Marks & Spencer, which touts that around 21 million people visit its stores each week, was the victim of data thieves that stole customer email addresses from one of the company’s email marketing vendors. The exact cost of the breach wasn’t listed, but the company had to email all of their customers and warn them about the theft, which was undoubtedly a blow to their brand reputation.

Many other retailers that are the victims of data theft don’t get off that easily. Should financial or credit card information get compromised, credit monitoring services are often offered to customers at the company’s expense. Public relations and crisis communications staff or vendors are then needed to help control the situation and make it “go away.” Information security experts are needed to find vulnerabilities and ensure they are resolved.

It’s this cost to the company that has retailers looking at data security much more seriously. According to the Financial Times article, retailers are even looking at insurance policies designed to help offset the cost of a data breach. However, technology has created an even better “insurance policy” against data theft. Retailers are eliminating the data from their networks completely by utilizing tokenization and encryption solutions. These solutions ensure that the data, should it be stolen, is useless to data thieves.

For retailers of all sizes, data security is more than something that the company “should look into.” As more globally-recognized brands and small merchants alike fall victim to data thieves, the need for data security becomes increasingly apparent. If the Financial Times article is any indication, retailers are starting to wake up and embrace data security, and that can only mean good things for customers all over the globe.

By Beth McGarrity

There is a new bill in the U.S. Senate that is aimed at protecting a citizen’s privacy and information when a security breach occurs. In the last few weeks, the Personal Data Protection and Breach Accountability Act of 2011 was introduced, with the bill’s sponsors saying that many of the recent security breaches have been preventable.

But the National Retail Federation has another view. David French of NRF said that the bill is far too broad and, instead of achieving protection of consumer information, the bill would have a negative impact, resulting in “notice fatigue.”

Now, this is interesting, because NRF is an avid supporter of notification when identity theft occurs, yet feels that standards must be met before a notification is sent out. If consumers receive notices for every incident, regardless of severity, they will eventually begin to ignore the notifications and potentially not take the appropriate steps when the risk level is high.

We are all for notification to consumers when there is a risk involved and agree that notification fatigue could be an issue. But the real issue that we believe needs to be addressed is how the sensitive information is being stored on a merchant’s system.

Ultimately, this becomes a security issue, and storing personally identifiable information about consumers on a network that doesn’t have the proper security controls is a major risk. If you are going to take the risk, you must take an aggressive approach to security, and you must test and monitor your approach regularly.

An incident may still occur, but you are less likely to have to notify your customers of a security incident if you are thinking about security as an integrated process within your business.

By Beth McGarrity

In the brick-and-mortar world, merchants run the risk of long-term reputational damage when they experience a credit card breach. For online merchants, data breaches can cause even more damage — as credit and debit cards are typically the only means for doing transactions. Clearly, protecting one’s online brand is of utmost importance.

According to a recent report by Visa’s CyberSource unit and Trustwave, nearly 70 percent of online merchants said they have tightened credit card data security in order to protect their brands. This was a larger motivator than the desire to avoid fines for non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).

In addition, the report highlights how online merchants are also concerned about insider threats. Not a huge surprise. In fact, our readers may recall our post about nefarious employees stealing customer data via USB drives. Although that post was aimed more at brick-and-mortar merchants, the reality is that bad employees lurk in both the offline and online worlds.

So what are online merchants doing to actually tighten their credit card security?

They are moving credit card data from their networks to third-party vendors as a way of reducing security risks, data storage and compliance costs, according to the study.

So it seems that online merchants are taking a page from what is happening in the brick-and-mortar world: they are completely removing the data from their systems. And as in traditional environments, tokenization and encryption are two viable solutions to remove the data.

No matter where products are sold – at a retail outlet or on a website – protecting one’s brand is paramount.

By Beth McGarrity

These days, you don’t have to leave your credit or debit card at the bar to get your information stolen.

Last week, The Briar Group, a company that runs a number of Boston bars, agreed to pay a settlement of $110,000 after the State Attorney General alleged that it failed to protect customer financial information.

The State Attorney General alleged that The Briar Group continued to accept card transactions even though it knew that its security system had been breached, which would have allowed hackers to steal customer information. Although The Briar Group doesn’t agree with all of the allegations, they are asserting that customers should use their cards with confidence and they have vowed to improve their security system.

This event stresses the importance of merchants protecting their security systems and customers. Unfortunately, The Briar Group’s case is not an isolated one; these types of security breaches happen all the time.

In order to protect their customers, merchants must first be aware that hackers are a serious threat. With this in mind, merchants should evaluate the benefits of incorporating tokenization or encryption solutions into their security strategy to reduce the risk of identity theft.

Protecting customer financial information is of vital importance. Besides the burden of having to pay a hefty fine like The Briar Group just did, lacking the right transaction security solutions can also do major damage to your reputation. Let’s put it this way – we weren’t the only ones covering this story!

By Beth McGarrity

Last month Verizon Business released its latest Data Breach Investigation Report. The industry with the largest number of breaches was the financial sector, followed closely by hospitality, with retail also comfortably in the top 10. The vulnerability of the retail and hospitality sectors should come as no surprise given the sheer number of transactions processed and the vast amount of data stored by these merchants.

Based on an analysis of 257 incidents, the Verizon team discovered that 48 percent of breaches resulted from privilege misuse, 70 percent of breaches were initiated by external sources, and insider attacks increased 26 percent. What is surprising is that overall, 85 percent of attacks required relatively little sophistication and skill and could have been avoided without difficult or expensive controls.

So what can merchants do to protect their data?

  • Become PCI Compliant – according to the report, 79 percent of companies were not PCI compliant in the period leading up to the data breach. While the 12 requirements may not keep an attack from happening, they do provide a set of best practices which make it more difficult for an attacker to compromise records.
  • Protect Your POS and Database Servers First – these two areas were noted as being some of the most vulnerable assets companies have.
  • Don’t Retain Data on Your Systems – the researchers at Verizon have recommended for several years now that companies not store data on their own systems. After all, if no records are kept, then cyber criminals will have nothing to steal. The PCI Council recommends tokenization and encryption as two ways of maintaining transaction integrity without violating the cardholder data storage and handling requirements.
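To make the third point concrete, here is an added illustration (not code from this blog or any vendor product) of what “not retaining the data” looks like with tokenization: the merchant’s own records hold only a random token and the last four digits, the full PAN lives solely in a hypothetical vault outside the merchant network, and a scan of a stolen copy of the merchant database turns up no usable card numbers. The vault, the `TokenVault`/`MerchantDB` names and the sample test card numbers are all constructed for the example; a real vault would sit with a payment provider and encrypt its store.

```python
import re
import secrets

# Constructed sample inputs: well-known test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

def luhn_ok(pan: str) -> bool:
    """True if pan is 13-19 digits and passes the Luhn check-digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only place a PAN exists, outside the merchant network."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_urlsafe(12)   # random; derives nothing from the card
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]           # KeyError for tokens the vault never issued

class MerchantDB:
    """What the merchant keeps: token and last four digits, never the full PAN."""
    def __init__(self):
        self.orders = []

    def record_sale(self, token: str, last4: str, amount_cents: int) -> None:
        self.orders.append({"token": token, "last4": last4, "amount_cents": amount_cents})

    def dump(self) -> str:
        return "\n".join(str(o) for o in self.orders)   # stand-in for a stolen DB export

def checkout(vault: TokenVault, db: MerchantDB, pan: str, amount_cents: int) -> str:
    token = vault.tokenize(pan)                 # PAN leaves the merchant system here
    db.record_sale(token, pan[-4:], amount_cents)
    return token

def find_pans(blob: str) -> list:
    """What a thief could harvest from a dump: any Luhn-valid 13-19 digit run."""
    return [m for m in re.findall(r"\d{13,19}", blob) if luhn_ok(m)]

def demo():
    vault, db = TokenVault(), MerchantDB()
    tokens = [checkout(vault, db, pan, 4999) for pan in SAMPLE_PANS]
    leaked_from_merchant = find_pans(db.dump())           # [] : tokenized dump is useless
    leaked_if_pans_stored = find_pans("\n".join(SAMPLE_PANS))   # both cards, if stored raw
    return tokens, leaked_from_merchant, leaked_if_pans_stored
```

The same `find_pans` scan is also a cheap way to check your own exports and logs for cardholder data that should not be there.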

What steps has your company taken to secure its data and infrastructure from attack?