Life After the Target Breach: Where Does Payment Card Data Go from Here?
The well-publicized data breaches that hit retailers Target, Michaels and Neiman Marcus have raised lots of questions about the security of payment card data. Some experts say the technology already exists for merchandisers and payment processing companies to keep this data safe — it’s merely a matter of whether they will use it effectively.
Clearly, the industry must take action in the aftermath of the recent security breaches.
“Retail companies individually, and the industry collectively, [need to] make substantial investments in the technology, and experts need to aggressively counter these threats,” says Brian Dodge, senior vice president of communications and state affairs at the Retail Industry Leaders Association (RILA), a trade organization that represents retailers, product manufacturers and service suppliers.
“However, the payment system is an ecosystem that relies on interoperable cooperation across sectors,” Dodge says. “For years, U.S. retailers have urged card issuers and card networks to provide U.S. cardholders with the same enhanced fraud prevention technology used throughout the rest of the world. Merchants can’t wait any longer for these changes.”
A Call to Action
In late January, RILA called for collaboration across the debit and credit card ecosystem to require personal identification numbers (PINs) on all retail transactions, the retirement of antiquated magnetic stripe systems and a migration to “chip and PIN” technology. Chip and PIN is the brand name adopted by the banking industry in the United Kingdom and Ireland for the rollout of the EMV (Europay, MasterCard and Visa) smart-card payment system for credit, debit and ATM cards.
The technology has been available for years, Dodge says, “yet in the U.S., the card networks and issuing banks still rely on antiquated magnetic stripe technology. The ease with which criminals can use stolen data to create counterfeit cards is unsettling, to say the least. If the card networks and banks don’t adopt better security features, the frequency of fraud will only increase.”
RILA says it will expand its commitment to cybersecurity and data privacy by launching a comprehensive initiative to address evolving cyberthreats and promote additional safeguards for personal data in the payment ecosystem.
Retailers Renew Commitment to Data Protection
The RILA Cybersecurity and Data Privacy Initiative seeks to bring together public- and private-sector stakeholders to improve existing cybersecurity and privacy efforts, inform the public dialogue and build and maintain consumer trust.
By working together with public- and private-sector stakeholders, the industry will grow its ability to develop innovative solutions and anticipate threats, enhancing collective security and giving customers peace of mind, says Sandy Kennedy, RILA president.
The RILA initiative is organized around three major components. One is to strengthen overall cybersecurity through the formation of a Retail Cybersecurity Leaders Council, to be made up of senior retail executives responsible for cybersecurity, and to engage with lawmakers to develop federal data-security-breach notification legislation that sets a national baseline.
Another component is to improve payments security through the elimination of the existing magnetic-stripe technology used on credit and debit cards, replacing it with Chip and PIN. RILA says it will continue to press the card networks and issuing banks to migrate to universal PIN security and chip-based smart-card technology.
RILA aims to forge deeper partnerships with other members of the payments ecosystem to collaborate on migration to near-term card-security enhancements, new technologies and long-term, comprehensive solutions to the threats.
The third component is to address consumer privacy. RILA will work with partners to describe how data is used to provide the experience that consumers demand, and it will “share the great lengths that retailers go to, to protect the data they collect.”
While retailers place an “extremely high priority on data security and invest tremendous resources to prevent attacks, cybercriminals are persistent, and their methods of attack are increasingly sophisticated,” Dodge says.
Some actions will have immediate effects, and others will take time, Dodge says. “But through the collaboration laid out in RILA’s cybersecurity initiative, the industry’s ability to develop innovative solutions and anticipate threats will grow.”
What Can Retailers Do Now?
One near-term solution retailers can try is to require PINs on every card transaction and to move quickly to Chip and PIN, Dodge says. “However, long term we must accept that all the players in the payments ecosystem have an obligation to innovate to stay ahead of very sophisticated criminals,” he says. “That is why we have called on the banks and the card networks to come together with merchants to identify long-term solutions.”
One very effective way to bolster the security of payment card data is to use encryption extensively, says John Kindervag, vice president and principal analyst at Forrester Research, Inc.
Retailers who depend on payment cards to fuel their businesses need to encrypt data “from the moment a card is swiped, all the way through the process, including the back end,” Kindervag says. “It appears that the Target breach was a result of [improper] encryption.”
PCI DSS and the Cost of Data Breaches
The Payment Card Industry (PCI) Data Security Standard (DSS) calls for merchants to use encryption to protect stored cardholder data, but the intent of the standard isn’t always fully appreciated.
“Some retailers spend a lot of effort trying to go around the intent [of the standard] to find cheaper ways of doing things,” Kindervag says.
Technologies such as data encryption and tokenization — another means of protecting sensitive cardholder data — if used properly, would thwart the kinds of attacks recently experienced by retailers.
“Forward-thinking [merchants and payment processing companies] are already doing this,” Kindervag says. He predicted several years ago that use of these technologies for payment card data would become common. “But some companies have refused to implement [these technologies] because of the cost, or because they’re afraid something could go wrong.”
As it turns out for the retailers hit with data breaches, the cost of not doing something has ended up being much greater.
“These technologies exist, but companies have to make the choice to use them in their systems,” Kindervag says. He hopes the breaches against the retailers serve as a wake-up call to all companies that rely on payment card data to do business.
“We had a rash of breaches several years ago, where a number of retailers were attacked, and that caused a lot of people to start implementing better security controls, especially tokenization,” Kindervag says.
But threats are constantly evolving, and companies need to keep their security posture up to date. “For many, the risk-mitigation strategy is merely 'hope', as in, ‘I hope that doesn’t happen to me,’” Kindervag says. “Others say it will never happen to them.”