Just weeks into the 2015 holiday shopping season, retailers industry-wide are tightening mission-critical operations to ensure their shoppers have a satisfying shopping experience. The one area that they can’t afford to overlook this holiday season, however, is secure payment processing. By implementing new security measures across payment networks, retailers are taking steps to secure sensitive customer information this holiday season — a move that promises to drive loyalty well beyond December.
It’s not surprising that 63 percent of retailers reported that secure payment processing is among their top three priorities for 2015, according to the “2015 POS/Customer Engagement Benchmarking Survey” from Boston Retail Partners. Some of the most recognized data breaches over the last 24 months have occurred in the retail industry, and these heists pilfered millions of consumer card numbers, as well as other personally identifiable information.
Often, POS systems are their entry point of choice, due to insecure, web-based network support and the volume of unencrypted data flowing between networks and units.
Taking a Stand
In effort to secure payment processing from these attacks, Europay, MasterCard and Visa worked together to establish the EMV Mandate. The standard, also called the Liability Shift mandate, requires retailers — among other industries — to adopt solutions that can process chip-enabled smart payment cards. Unlike traditional magnetic strip cards, smart cards feature an embedded microchip that authenticates the card and user before processing transactions. The mandate went into effect on October 1, 2015, meaning that companies not compliant with EMV guidelines are now responsible for any credit card fraud committed in their stores.
While EMV is a step in right direction, it isn’t a silver bullet for secure payment processing. It doesn’t protect an organization from a breach, but rather from counterfeit card usage. While the industry placed the most attention on POS systems when preparing to comply with the EMV Mandate, many retailers must consider other potential weak links, such as fuel pump POS readers.
Retailers must look at their payment security measures in broader terms, enabling them to cast a wider net of protection to safeguard operations from a data breach. Among the areas to consider are:
- Encryption. As customer privacy becomes a top concern, data encryption is moving to the top of retailer to-do lists. A process that encodes sensitive data so that only authorized users can read it via a dedicated decryption process, encryption protects customer-specific information, including payment card and Social Security numbers. End-to-end encryption use by retailers will increase by 151 percent by the end of 2016, according to the Boston Retail Partners’ report.
- Tokenization. Unofficially called the next step in encryption, tokenization replaces highly sensitive card account number data with a cryptographic identifier linked to merely random numbers — a process that eliminates account numbers from the retailer’s network, thus rendering information useless to hackers.
- Mobility. Whether it’s mobile apps or a weakness on a Wi-Fi network that devices access, hackers are seeking out vulnerable data running through these conduits. Specifically, more than 5 billion Android mobile apps, including mobile payment apps, are vulnerable to remote manipulation, according to Verizon’s “2015 Data Breach Investigation Report (DBIR).”
- Requirements for Contractors. Still riddled with thin margins, outsourcing has become a cost-effective way for retailers to manage operations. However, outsourced partners can inadvertently create an entry point for cyberattackers. For example, credentials stolen from a refrigeration, heating and air conditioning (HVAC) subcontractor could be used to access a retailer’s network and upload malware onto POS devices. Retailers should establish service-level agreements (SLAs) that define expected services, responsibilities, potential risks and challenges among outsourced partners. To ensure their value, retailers should consistently monitor and audit performance across partner projects.
Now, in the home stretch of the 2015 holiday shopping season, retailers industry-wide should be tightening payment security. By implementing new security measures across payment networks, retailers are taking steps to secure sensitive customer information — a move that promises to keep them off the “naughty list” this holiday season and beyond.
