By Avivah Litan
The 2014 holiday season is upon us and while retailers count their forecasts for a bright shopping outlook, they’ll also brace for more high profile cyberattacks. Yet this year’s hacks may garner less public attention. We’re all getting a little used to them, aren’t we? And some consumers have learned that they suffer little harm from payment card hacks.
Who Suffers Cyberattacks?
Given strong third quarter financial results by some retailers who were hit hard last year, it appears consumers tend to value attractively priced merchandise more than they do payment card security. This is a totally rational reaction for some consumers, who are well protected from unauthorized use of their credit and debit cards under U.S. law and the rules of the credit card companies. They almost always get all of their stolen money back.
Moreover, I believe that there is relatively little fraud committed using cards stolen during these massive breaches. In my estimation, the crooks are able to make illicit charges against less than 5% of the stolen cards because the credit card companies are well prepared to cut off stolen card use once they become aware of which cards were compromised. Unlike theft of other types of data such as identity, tax and health records, this happens relatively quickly once the breach is discovered.
Who pays the most for these breaches?
Clearly the retailers. They already pay in advance for fraud costs as part of their payment card interchange fees. U.S. retailers have also shelled out some $6 billion to secure their payment acceptance systems (sometimes not so successfully) in accordance with Payment Card Industry (PCI) rules. They also pay hefty fines and fees if and when they are breached. Although consumer sales do not suffer, the costs of data breaches are still much higher than the costs of securing data in the first place.
What measures should retailers take?
Gartner recommends retailers use strategic data protection technologies including:
- Point-to-point encryption (P2PE), which encrypts card data from the time it is presented until it is decrypted by a merchant acquiring processor or some other central service designated by the retailer. Not all P2PE solutions and implementations are created equal, and it’s not a slam-dunk security win unless it’s implemented properly.
- Tokenization of card data, so that it is represented by surrogate values that are useless to thieves. Again, tokenization is not a panacea and must be implemented properly, and as soon as card data is presented, so as to avoid holes in the security program. Also, merchants need to be aware that merchant-based tokenization schemes collide with the Visa and MasterCard tokenization schemes first implemented by Apple Pay. They must make sure their token service providers can retrieve the credit card number from an Apple Pay token so that the merchant can then use its own tokenization system to tokenize that card number.
Until and unless these strategic data protection measures can be taken, Gartner also recommends retailers focus on key tactical measures including:
- Prevent malware and hackers from entering enterprise networks in the first place. For example, keep point-of-sale (POS) systems single-purpose, and segment the cardholder data environment from the rest of the network.
- Prevent malware installation and operation, assuming the malware manages to get inside the network. Such steps include restricting outbound connections from POS and back-office systems, keeping auto-login passwords unique on each POS machine, and using whitelisting techniques on POS endpoints.
- Rapidly detect active malware, assuming preventative steps fail. For example, monitor network logs, especially from file integrity monitoring systems; implement processes for physical and logical detection of USB drives, which are often used to introduce malware and exfiltrate data; and sample store system memory for signs of malware.
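A small egress audit in the spirit of the tactical steps above (restrict outbound connections from POS systems, then monitor the logs for what the policy still lets through). This is added example code, not from the post or from Gartner; the log format, hostnames, subnets and allowlisted destinations are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed egress-firewall log lines (time, host, src -> dst:port, verdict).
SAMPLE_LOG = """\
2014-11-28T09:01:12 pos-lane-01 10.10.1.11 -> 10.10.0.5:443 ALLOW
2014-11-28T09:01:15 pos-lane-02 10.10.1.12 -> 10.10.0.5:443 ALLOW
2014-11-28T09:02:40 pos-lane-02 10.10.1.12 -> 198.51.100.23:443 ALLOW
2014-11-28T09:03:02 backoffice-01 10.10.2.20 -> 203.0.113.9:21 ALLOW
2014-11-28T09:03:30 pos-lane-01 10.10.1.11 -> 10.10.0.7:53 ALLOW
2014-11-28T09:04:11 pos-lane-01 10.10.1.11 -> 10.10.2.20:445 ALLOW
"""

# Segmentation policy for the cardholder data environment (constructed values):
# POS lanes may talk only to the store payment gateway and the internal DNS.
POS_SUBNET = ipaddress.ip_network("10.10.1.0/24")
STORE_NETWORK = ipaddress.ip_network("10.10.0.0/16")
ALLOWED_DESTINATIONS = {
    (ipaddress.ip_address("10.10.0.5"), 443),  # payment gateway (P2PE decrypt side)
    (ipaddress.ip_address("10.10.0.7"), 53),   # internal DNS resolver
}

Finding = namedtuple("Finding", "timestamp host dst port reason")


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, host, src, _arrow, dst_port, verdict = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ts, host, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), verdict


def audit_egress(log_text):
    """Return a Finding for each permitted POS connection outside the allowlist.

    Blocked attempts are not reported (the firewall did its job); a permitted
    connection that violates the policy is a gap worth investigating.
    """
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, src, dst, port, verdict = parse_line(line)
        if src not in POS_SUBNET or verdict != "ALLOW":
            continue
        if (dst, port) in ALLOWED_DESTINATIONS:
            continue
        if dst not in STORE_NETWORK:
            reason = "egress outside the store network"  # possible exfiltration path
        else:
            reason = "internal destination not on allowlist"  # possible lateral movement
        findings.append(Finding(ts, host, str(dst), port, reason))
    return findings
```

Run against the sample, the audit flags the POS lane reaching an outside address and the POS lane reaching a back-office host over port 445, while the back-office FTP session is left for a separate policy.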
To breathe more easily, retailers should move toward point-to-point encryption and tokenization technologies and recognize that those measures will be compromised if improperly implemented. But it’s wiser to focus on a couple of strategic technologies than to juggle dozens of point solutions, whose plethora of alerts becomes too overwhelming to prioritize.
Avivah Litan is a vice president and distinguished analyst at Gartner. She covers financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications.