BreachExchange mailing list archives

Security Breaches Trigger Retail’s Big Players to Call for Major Tech Changes


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Sep 2014 19:50:54 -0600

http://blogs.wsj.com/cio/2014/09/05/security-breaches-trigger-retails-big-players-to-call-for-major-tech-changes/

The possible credit card breach at Home Depot Inc. prompted the retailer to
speed up its implementation of chip-reading credit card terminals. Major
credit card companies, too, have announced they will accelerate efforts to
bolster electronic payments security and protect sensitive customer data.
These moves could have a large impact on consumer confidence, which has
suffered as a spate of cyberattacks hit major companies. But for retailers
especially, the implementation of the new systems will take time, and is
not a panacea for a company’s security risks.

Home Depot CEO Frank Blake told investors Thursday that the retailer would
activate chip-reading technology on its new credit-card terminals by the
end of this year. He said the company is “working around the clock” to find
a breach linked to stolen credit and debit cards, the WSJ’s Shelly Banjo
writes, but stopped short of confirming an actual breach occurred.
Following its own massive cyberattack, Target Corp., too, is speeding up
the implementation of smart card technology, with plans to equip its
proprietary REDcards and all of its card readers with chip-enabled
technology by the first quarter of next year.

Separately, credit card companies are also ramping up security efforts.
Visa Inc. and MasterCard Inc. said they are rolling out “tokenization”
technology that replaces sensitive cardholder information with a unique
series of numbers used to identify customers. That move stands to cut
significantly the amount of valuable information available to a hacker,
writes the WSJ’s Robin Sidel.

As big players move to speed support for chip-enabled card technology, some
peers could be pressured to do the same. The widely cited deadline for
implementation of the EMV standard (short for Europay, MasterCard and Visa)
is October 2015, at which point liability for fraud will shift to whichever
party has the lesser technology. That means a merchant with traditional
magnetic stripe card readers could be held liable if a customer is using a
chip-enabled card.

“Home Depot is making a very prudent move,” said Andras Cser, an analyst
with Forrester Research Inc. Still, companies typically roll out EMV
“either if they have been burnt by a breach or if they have had an audit
finding” that indicates they are no longer PCI compliant, he said. “It’s
only very rarely that retailers do this out of precaution.”

As CIO Journal has noted, some retailers haven’t been able to justify
making the switch to new card readers because the return on investment
isn’t clear. In some cases, the cost of replacing existing systems is
greater than the liability for fraud. On the issuers’ side, there is also
the matter of getting chip-enabled cards into the hands of customers.
Americans carry fewer than 50 million chip cards, the WSJ noted last month.

But those who haven’t gotten a jump start on the transition may already be
falling behind. The process of updating and certifying back-end systems to
accept the new cards, as well as the time it takes for issuers to get
chip-enabled cards to customers, could take a year or more. In March, Lee
Jurgens, chairman of the board for payments trade group Merchant Advisory
Group, said “it’s going to be an unbelievable race for merchants to get
this done by October 2015.” Many countries already use EMV technology, but
adoption is slower in the United States.

“The number and frequency of the breaches and the fact that big guys are
going to push this out will accelerate the overall market,” says Stuart
Taylor, VP of payment solutions at Equinox Payments, which sells payments
systems. The breaches may also be leading potential customers to shore up
more funds for EMV rollout than they previously would have.

Rolling out EMV technology in brick-and-mortar stores is a step in the
right direction, but it won’t solve the entire security problem. While it
can significantly reduce fraud, it doesn’t yet take into account online
transactions, and may not help companies identify larger threats to their
point-of-sale systems. “If the security budget they need to spend to
prevent someone overtaking POS is spent on chip and PIN, we still have a
problem,” said Peter Firstbrook, an analyst at Gartner Inc.

Still, a proactive move to adopt more secure technology can help to rebuild
consumer trust in a brand that’s been hit by a potential breach. “I’m not
sure we understand completely the dollar value of the fraud, but the
consumer confidence and brand damage are big,” Mr. Taylor said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/