BreachExchange mailing list archives

Retail needs tighter security measures: exec


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Jan 2014 18:18:19 -0700

http://businesstech.co.za/news/internet/51573/retail-needs-tighter-security-measures-exec/

A top retail trade group executive on Sunday called for tougher security
standards that could mean more spending for the industry, its banks and
business partners after a series of data breaches at major merchants.

Stores and card processing companies have reported a steady stream of
security breaches for years without a major backlash from consumers, such
as those disclosed by TJX Cos in 2007 and by Heartland Payment Systems Inc
in 2009.

But the latest thefts – including attacks on Target Corp and Neiman Marcus
– have involved a broad set of merchants and could mark a watershed moment
for security standards as calls grow for changes in the protection of
consumer information.

One sign of the change is a new enthusiasm for payment cards that store
customer information on computer chips and require users to type in
personal identification numbers.

Mallory Duncan, general counsel of the National Retail Federation that
represents Target, Wal-Mart and other big stores, said in an interview on
Sunday that the trade group encouraged its members to upgrade to the
higher-security cards even though they cost more than old systems that
store data on magnetic stripes.

The breaches are “unfortunate but we’re not entirely surprised,” Duncan
said at his organization’s annual convention now being held in New York.

“The technology that exists in cards out there is 20th-century technology
and we’ve got 21st-century hackers,” he said.

Duncan said the trade group had only made its backing for the
higher-security cards public since the Target breach. Banks have quietly
begun to offer the cards but mainly for customers to use while traveling.
Big U.S. card networks led by Visa Inc will not require the higher security
until next year at the earliest.

It is not clear the new “Chip-and-PIN” cards would have prevented the
breaches at Target and elsewhere. At the very least they make stolen data
harder to re-use, a reason the technology has caught on widely in Europe
and Asia.

They have met with much less enthusiasm in the United States, in part
because losses to fraud – just 5 cents for every $100 spent via plastic –
have been manageable for merchants and their banks. But rising fraud rates,
and the risk of identity theft, could change the calculation.

The new scrutiny began last month after Target of Minneapolis disclosed it
suffered a massive data breach during the holiday shopping season. Target
said on Friday the breach was worse than it initially thought and that
hackers stole the personal information of at least 70 million customers, in
addition to some 40 million payment card numbers.

Investigators believe that hackers used malware that captured data on
customers from the magnetic stripes on their payment cards. Since Target’s
disclosure the more upscale store chain Neiman Marcus has said it also
suffered an attack, and sources have told Reuters that at least three other
well-known U.S. retailers have been breached but not come forward.

In his first interview since it disclosed the breach, Target Chairman and
Chief Executive Gregg Steinhafel told CNBC the company moved quickly after
it confirmed it had a security issue on December 15, though it did not
disclose the problem until December 19. The time allowed Target to
eliminate the malware that had compromised its systems and to prepare its
stores and call centers for its announcement, he said.

Steinhafel did not offer many more details and noted an ongoing criminal
investigation.

“Clearly we are accountable and we are responsible – but we are going to
come out at the end of this a better company and we are going to make
significant changes,” he said, according to the article.

Duncan, the trade group official, said no other members had told the NRF
they had been breached, and a series of other executives said in interviews
since Saturday that they also were not aware of breaches at their
companies. The executives included representatives of Sears Holdings Corp,
JCPenney Co, Macy’s Inc and Gap Inc.

Still, the breach was the talk of the massive conference with 29,000
industry attendees at New York’s Jacob K. Javits Convention Center. Several
speakers cited it during their remarks at the conference and some tried to
distance their companies from vulnerabilities.

Dan Morrell, assistant treasurer of drugstore chain Walgreen Co, said the
company was “spending a lot of time and the right investment dollars” to
protect its data and its customers.

Stan Lippelman, vice president of marketing at Bass Pro Shops, a
privately-held outdoor goods seller, said: “We feel very comfortable with
where we are at. But … the fact that it happens to Target means it can
happen to anybody, right?”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
