This blog originally appeared in ETA’s Transaction Trends
To be secure, retail technologies require an anticipatory approach and constant oversight
As an acquirer, you have an inherent obligation to make sure your merchants know the facts about securing retail technologies, in order to protect not only your organization but also your merchants' and their customers' sensitive data such as payment card numbers, bank account numbers, and Social Security numbers. Acquirers are in a unique position to drive the conversation with their merchant community about securing retail technologies. If an acquirer isn't comfortable with how one of its merchants handles payment card data, it can shut off that merchant's acceptance capability, which would likely put the merchant out of business. That is an influential position to be in, and with that power comes a responsibility to educate and guide the merchant community.
According to a recent report from the Identity Theft Resource Center (ITRC), the number of identified U.S. breaches recorded as of mid-October 2016 had reached 783, with nearly 30 million records exposed. That is close to a 20 percent year-to-date increase over the same point last year, when 656 breaches had been recorded. The types of data reported compromised include Social Security numbers, credit/debit card numbers, email/password/username credentials, and protected health information (PHI). Given previous years' full-year totals (781 in 2015 and 783 in 2014), the threat isn't going away any time soon. Without proper planning and oversight, retailers should expect to experience a cyber attack, not merely worry about one.
As October—National Cyber Security Awareness Month—draws to a close, there is no time like the present to start a meaningful conversation with your retail clients about how they can prevent becoming the next cyber attack victim to make the news.
Today’s retail environments continue to rapidly evolve. Introducing new, and managing existing, technology components on-site, online, via mobile handsets, or outsourced to third parties poses unique challenges for merchants. A solid prevention strategy goes beyond simply protecting the cardholder’s payment data to also include hardening the retailer’s entire network and technology defenses to safeguard both business and consumer.
With so many frameworks, standards, methodologies, and compliance regimes out there, it’s easy for retailers to get overwhelmed and lost in requirements and directives. Mistakes happen when misunderstandings, assumptions, and lack of coordination, awareness, and oversight prevail. The retail community needs a common and understandable approach to protecting the technology underpinning both small and large retailers. For acquirers, this includes, but is not limited to, a discussion with retail clients on the following:
- Fully understanding the technology components and networking dependencies used in retailing channels.
- Securing retail technology environments based on industry best practices and expert guidance.
- Seeking out qualified resources, if retailers do not have the technical resources to securely install and effectively manage their technology components.
- Properly vetting and managing any third party handling customer and staff data.
- Ensuring both customers and staff are trained and aware of what they can do to protect sensitive information. For example, staff should be taught what a tampered or substituted payment terminal looks like (unfamiliar overlays, broken seals, changed serial numbers) and should check devices routinely, not just when something looks wrong. Customers should be prompted to change their passwords for mobile and online channels and to upgrade to new mobile application versions as soon as they become available with the latest security features enabled.
- Being aware of security or compliance programs and the responsibilities associated with handling sensitive data such as social security numbers, user credentials, or payment card data. Retailers also need to be advised of the ramifications of non-compliance.
- Implementing EMV, point-to-point encryption (P2PE) or end-to-end encryption, and/or tokenization to minimize the chance that criminals can obtain payment card data from any retailing channel. The goal is to protect card data at the moment of capture, so that what the merchant's systems store, log, or transmit is useless to an attacker who gets hold of it.
- If the retailer offers a mobile application for customers to use for shopping, payment, loyalty and rewards, ensuring these consumer-facing mobile solutions are developed and deployed in a safe and secure manner.
- Staying up to date on the latest vulnerabilities that may affect retail technology components, and never running unsupported operating systems or outdated security software. Retailers should expect to patch and upgrade often to stay two steps ahead of the bad guys.
- Understanding their responsibilities should their organization become a cyber attack victim: who must be notified, how to communicate with customers and the market, and how to contain the incident, recover, and regain control.
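The tokenization bullet above is the one item in this list that can be shown concretely. The following is an added illustration, not code from the original article or from any processor's product: a toy processor-side token vault (an in-memory dict standing in for an HSM-backed service the merchant never holds) issues a random token that preserves only the last four digits, the merchant's point-of-sale record stores the token instead of the card number, and a simple breach-triage scan of the merchant's stored records finds no card numbers. The names `TokenVault`, `capture_sale`, and `pans_in_records` are hypothetical; the card number used is a standard test number.

```python
"""Tokenization at the point of capture: the merchant keeps a token, the
processor's vault keeps the PAN.  Added example; the vault is an in-memory
dict standing in for a processor-side, HSM-backed tokenization service."""
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault.  The merchant never holds this object."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        # Same card -> same token, so the merchant can still do loyalty or
        # repeat-customer lookups without ever seeing the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]   # keep last four for receipts and customer service
            # Reject Luhn-valid candidates so a token can never pass as a real
            # card number (this also rules out token == pan), and reject collisions.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can map a token back; raises KeyError for unknown tokens."""
        return self._pan_by_token[token]


def capture_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's POS stores for a sale: the token, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def pans_in_records(records: list[dict]) -> list[str]:
    """Breach-triage scan: return any Luhn-valid 13-19 digit strings stored in the records."""
    found = []
    for rec in records:
        for value in rec.values():
            s = str(value)
            if s.isdigit() and 13 <= len(s) <= 19 and luhn_valid(s):
                found.append(s)
    return found


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"                      # well-known test card number
    sale = capture_sale(vault, test_pan, 1999)        # constructed sample sale
    print("merchant record:", sale)
    print("card numbers recoverable from merchant data:", pans_in_records([sale]))
    print("processor detokenizes to:", vault.detokenize(sale["token"]))
```

The point a practitioner should take from this: an attacker who dumps the merchant's database gets tokens and last-four digits, which are useless without the processor's vault. Real P2PE and tokenization products do the capture step inside a validated terminal and the vault inside a hardened, audited service; the value of the control comes from the merchant's systems never handling the clear PAN at all, not from the toy data structure shown here.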
Today's tech-savvy retailers are the ones that recognize the threat, implement secure solutions, allocate the needed resources, train their staff, and use trusted third parties to maintain a defensive posture. These retailers, with guidance and support from their acquirers and other industry experts, will be in the best possible position to avoid becoming the next cyber attack victim. Constant vigilance over the technologies used across all retailing channels is hard work, but it is manageable with the right attitude and a trusted payments service provider to guide the way.
– Russ Palay, Senior Director of Product Management