By: PEDRO PENTON, TODAY’S GROCER Publisher; President, Técnica Business Systems
The payment card industry, along with its council and other related agencies, is becoming a more common topic in retailers’ boardrooms. More often than we can tolerate, a major retailer is hit with a breach that shakes consumer confidence. The apparent fragility of the automation infrastructure, and more specifically of the electronic transaction processing sector of the industry, has been exposed: these systems have been penetrated by foreign attacks from organized crime syndicates that are creating havoc in an evolving industry that includes not only retailers at all levels but other institutions as well.
This January, The Electronic Transactions Association (ETA), an international trade association representing companies who offer electronic transaction processing products and services, sent a letter updating Congress on the status and the health of payment systems to address the growing threat of cybercrime and data breaches.
The letter stressed the importance of collaboration among the payments and retail industries. The letter also reiterated the payments industry’s support for a uniform, national standard for data breach notification, bringing clarity for companies that maintain data and consumers who may be harmed by criminal breaches.
The letter, addressed to congressional leaders, goes on to say, “Because some of the recent criminal breaches of retailer systems targeted payments data stored by retailers, on behalf of the Electronic Transactions Association (ETA) we are providing some important factual information regarding the safety and security of our nation’s payments systems. ETA represents more than 500 of the nation’s payments and technology companies. Payments companies are service providers to the nation’s eight million merchants that accept electronic payments (credit and debit cards) for the sale of goods and services. American consumers prefer to pay electronically when they shop, and so ETA member companies processed more than $4.5 trillion in credit and debit card payments on behalf of merchants last year. These member companies are the financial engines that power merchants.
Americans are understandably concerned about the security of their personal information following recent disclosures of data breaches at major national retailers, including: Target, Neiman Marcus, and Michaels. Because the law enforcement investigation of those merchant breaches remains active, most industry participants have been admirably restrained in assigning premature responsibility for any failures that may have facilitated these attacks. And, even while the criminals are pursued, many industry segments are working constructively to address the growing threat of cybercrime and data breaches.”
“The best and fastest way to protect the safety and security of consumers’ financial data is to allow the marketplace to innovate, rather than add to heavy existing regulations from 20 federal agencies and 50 states; and for Congress to set a uniform national standard for reporting financial data security breaches,” ETA CEO Jason Oxman stated.
The purpose of ETA is to influence, monitor and help shape the merchant acquiring industry by providing leadership through education, advocacy and the exchange of information.
ETA’s membership spans the breadth of the payments industry, from financial institutions to transaction processors to independent sales organizations (ISOs) to equipment suppliers.
Recently, Target and Neiman Marcus were victims of the “BlackPOS” malware, causing a breach that left over 70 million customers with their personal and financial information exposed. IntelCrawler, a cyber intelligence company, revealed that BlackPOS, also known as Kaptoxa, was responsible for the attack on these retailers. IntelCrawler originally named a 17-year-old Russian as the key suspect in the investigation, but has since backpedaled a bit, stating that the malware could have been created in conjunction with others and was more than likely shared.
This kind of situation raises the question of what solution providers should do to protect their retail clients from this type of scenario. Many companies that provide retail solutions to merchants are talking about the need to implement solutions that take the credit card number out of the merchant’s scope, including tokenization. In simple terms, if the Point-of-Sales System never touches the true credit card number, then that number cannot be stolen from it.
Merchants need to be concerned: while the next generation of Point-of-Sales systems is already here (and continues to evolve), payment systems are supposed to be designed to protect consumers with zero liability and with fraud prevention and detection tools.
There are many views on the responsibility and the capability involved in accepting electronic forms of payment by means of credit, debit, EBT (Electronic Benefit Transfer), gift cards, loyalty cards and other private cards. When it comes to the automation infrastructure, retailers that have the privilege of accepting these forms of payment must invest in security. There is no denying that the inevitable increased adoption of security, including security awareness, is going to add to the costs of operating your place of business; not having made the investment, however, could be detrimental.
Fines and penalties are not unheard of and may become more relevant for entities that operate integrated Point-of-Sales Systems and handle consumer personal and financial data. If you are unable to upgrade to secure electronic technologies, then you must consider offering other forms of payment or payment systems.
Merchants play an important role in securing their points of access to payments infrastructure, and it is imperative that as a merchant you take significant steps to upgrade your existing Point of Sales Systems. No single technology can address all of the methods by which criminals attack merchant systems, and while the industry is deploying technologies, cyber-criminal organizations continue to evolve.
The migration to EMV (Europay, MasterCard and Visa), often referred to as “chip” cards or “smart” cards, is well under way in the U.S. A successful EMV migration assumes the necessary upgrades by merchants and card issuers. The current estimate is that EMV integration in the U.S. should be completed by October 1, 2015. There are issues that merchants still need to address for the transition to work; a number of the nation’s merchants do not currently have PIN capability at the point-of-sale. Neiman Marcus, for example, announced recently that PINs were not compromised in its own data breach because its stores do not have PIN pads. It is also important to note the significant investment required and the costs borne by smaller merchants in the EMV migration, and that as a result many merchants may not want PIN implementation. The Durbin Amendment, a law supported by merchants, requires all debit cards, including those with EMV capability, to route transactions to multiple competitive debit networks, a technical capability that the current EMV standard does not support. This issue must be addressed for successful EMV implementation. With regard to the recent Target breach, EMV cards would not have prevented it (consumer account information was not secured), because the criminal attack was on Target’s in-house systems, not on the payment cards.
Tokenization technology will eventually replace unencrypted payments data at the merchant premises with a “token” that can be transmitted securely without risk of exposing underlying card information. Such tokens could help secure online payments, addressing a source of fraud that cannot be prevented by EMV. Tokens can also be generated using mobile devices, and further innovations in mobile payments promise new, more robust and secure forms of payment technology.
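The "token" idea above, and the earlier point that a Point-of-Sales System that never stores the real card number has nothing to leak, in working form. This is an added illustration, not code from the article or from any ETA member; the `TokenVault` is a hypothetical stand-in for the processor-side service, and the card number used in the checks is a constructed test value.

```python
import json
import secrets


def luhn_valid(pan):
    """True if the digit string passes the Luhn check used for card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service on the processor side; the
    token -> PAN mapping lives only here, never at the merchant."""
    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:  # same card, same token: repeat purchases keep working
            return self._pan_to_token[pan]
        while True:
            # Random token: no key and no math relation to the PAN, so it cannot be reversed
            token = "tok_" + secrets.token_hex(12)
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Only the processor calls this, when it needs the PAN to authorize."""
        return self._token_to_pan[token]


def pos_checkout(vault, pan, amount_cents):
    """Merchant POS: hand the PAN to the vault at once, keep only token and last four."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def record_exposes_pan(record, pan):
    """Does a stored merchant record (as serialized to disk) contain the full PAN?"""
    return pan in json.dumps(record)
```

The record the merchant keeps is what a BlackPOS-style intrusion of the store systems would find; with tokenization in place it holds no card number to steal.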
End-to-end encryption is another form of security being adopted by the payment processing industry. A recent study conducted by PricewaterhouseCoopers on behalf of the Payment Card Industry Security Standards Council shows that end-to-end encryption and tokenization are the top choices for companies seeking to employ emerging technologies to protect payment card and other critical data. End-to-end encryption, which Visa also refers to as data field encryption, is the continuous protection of the confidentiality and integrity of transmitted data by encrypting it at the origin and decrypting it only at its destination.
In today’s economy, merchants and small business owners are required to thoroughly evaluate operating costs. A secure automation infrastructure and a quality Point-of-Sales System is an area frequently overlooked. Evaluating and comparing the investment in state-of-the-art systems and integrated security solutions is not something that can be compromised. While becoming PCI compliant can seem impossible for a small to mid-size business, or at the very least extremely overwhelming, it is an investment that cannot be ignored.
A full page ad in the Wall Street Journal to apologize to millions of consumers is a lot more expensive than the cost of a cup of coffee a day to secure your Point-of-Sales Systems from possible “Cyber” criminals.