The steady drip of retail security breaches proves that PCI compliance is not enough to keep retailers and consumers safe. PCI compliance evolved into a once-a-year occurrence rather than a true data security policy and process - a “security-by-compliance” model that merely sets the lowest bar by which retailers must go to protect customers’ data. Rather than setting the standard it has become the minimum baseline for data security.
Now that the EMV (Europay MasterCard Visa) smartcard mandate has gone into effect, as U.S. retailers adopt the standard they may be lured into yet another false sense of protection. Payment card issuers say the smart chip standard will reduce retailers’ fraud exposure while increasing security.
Yet, the U.S. implementation of EMV lacks a critical security element – the PIN code. The U.S. implementation relies on a chip-and-signature model instead, which only offers protection against counterfeit credit cards. It does nothing to safeguard against unauthorized users with stolen credit cards. Banks do not allow customers to take cash out of an ATM based on a signature alone so why ask merchants to do so? Even consumers are challenged to understand the benefits as seen in a recent NRF study where 62% of U.S. consumers say new EMV chip cards do not go far enough to protect card data or prevent fraud.
Instead, securing endpoint devices – the origin of most major breaches – rather than payment transactions, is where retailers should focus their limited cybersecurity defense budgets. Consider the infamous Target breach of 2013. The forensic post-mortem found that once hackers penetrated Target’s network, nothing prevented them from gaining access and pushing malicious software down to all the point-of-sale terminals at more than 1,800 stores, and compromising the data of an estimated 110 million consumers.
What retailers need to do for true data security is fortify their PCI compliance processes and EMV end-points with a cocktail of four key data security technologies: encryption, tokenization, intrusion detection and analytics. Hardening network defenses is now more critical because customers are more digitally engaged than ever with mobile and web engagement. And today’s in-store networks are more complex with 3rd party Store-in-Store configurations, Guest Wi-Fi (requiring open Internet access) and the emerging “Internet-of-Things” (where even the merchandise itself requires Internet access).
Implementing point-to-point encryption between the credit card terminal and payment processor is the first step to protecting cardholder data before cyber-theft tools can attack. Add to that tokenization technology, where the retailer does not even send payment information directly. Even if hackers were to breach the data stream and steal the data, the tokenization system will not give them anything valuable; just a token representing that one transaction.
Next up is network layer security. Retailers need to go beyond the basic LAN segmentation that PCI compliance requires and add strong intrusion detection tools so that they can identify attacks early and act on them. They also need to continuously scan the network for malware and viruses. In the event a device gets infected they can discover it and shut it down quickly.
Last is analytics. All the aforementioned security tools generate rich logs of data that tell a story of what has happened on the network. But that data is worthless unless retailers employ analytic tools to filter out the noise and interpret the history, turning complex log data into valuable and actionable insight.
The bottom line is U.S. retailers need a comprehensive solution to reduce card fraud and increase data security. Solutions like point-to-point encryption, tokenization, network layer security and analytics can help retailers go beyond the current minimal requirements of PCI and the shortcomings of EMV to solve vulnerabilities in payment processing to truly keep customer data safe and reduce retailer brand liability.