Retailers Brace for the Holiday Breach Season
Holiday shopping season is upon us, and it is the busiest season of the year for hackers and shoppers alike. 2014 will be no exception, and we should brace ourselves for more high-profile cyber-attacks, although this time they are likely to gain much less public attention. Consumers have rightfully learned that they suffer little harm from payment card hacks.
So who does suffer?
Home Depot and Target, two big-box retailers that suffered two of the largest card breaches ever, just released rosy third-quarter financial results, proving that consumers value attractively priced merchandise more than they do payment card security. Sales at Target were up 2.8%, Home Depot’s U.S. same-store sales rose 5.8%, and neither breach appears to have had any measurable impact on consumer behavior. This is a replay of what happened after the massive 2006 card data breach at TJX stores, first disclosed in January 2007: TJX reported an increase in revenue of approximately 7% for the six months ending 28 July 2007, compared with the same period in 2006.
This is a totally rational reaction for consumers, who are well protected under U.S. law and the card networks’ rules against unauthorized use of their credit and debit cards. They almost always get all of their stolen money back.
Moreover, I believe that there is relatively little fraud committed using cards stolen during these massive breaches. I imagine the crooks are able to make illicit charges against fewer than 5% of the stolen cards, because the credit card companies are well prepared to cut off stolen card use once they become aware of which cards were compromised. This happens relatively quickly once the breach is discovered. (This isn’t the case with theft of other types of data, such as identity, tax or health records.)
I estimate that the Home Depot and Target heists resulted in less than $10 million of direct fraud costs, although the total breach costs incurred by these companies were significantly higher. Target spent about $153 million on breach-related expenses, and Home Depot has so far shelled out a net $34 million in 2014 for its breach. These much higher costs include the money the breached retailers have to pay for customer service, communications, lawyers, and reimbursements to card issuers for card reissuance.
Who pays the most for these breaches?
Clearly the retailers. They already pay in advance for fraud costs as part of their payment card interchange fees. U.S. retailers have also shelled out some $6 billion to secure their payment acceptance systems (sometimes not so successfully) in accordance with the PCI (Payment Card Industry) rules they are bound by. They also pay hefty fines and fees if and when they are breached. Even though consumer sales do not suffer, the costs of a data breach are still much higher than the costs of securing the data in the first place.
What measures should retailers take?
Gartner recommends that retailers use strategic data protection technologies, which are garnering tremendous interest among our retailer clients, including:
a) Point-to-point encryption (P2PE), which encrypts card data from the moment it is presented until it is decrypted by the merchant’s acquiring processor or some other central service designated by the retailer. Not all P2PE solutions and implementations are created equal, and it is not a slam-dunk security win unless it is implemented properly. In particular, the encryption has to happen inside the card reader itself: if the POS application ever handles the cleartext card number, memory-scraping malware on the POS can still capture it.
b) Tokenization of card data, so that it is represented by surrogate values that are useless to thieves. Again, tokenization is not a panacea and must be implemented properly, and as soon as card data is presented, so as to avoid holes in the security program. (One of the retailers recently breached had in fact implemented tokenization, but the breach happened before the data was tokenized.) Merchants also need to be aware that merchant-based tokenization schemes collide with the Visa and MasterCard tokenization schemes first implemented by Apple Pay (http://blogs.gartner.com/avivah-litan/2014/11/07/token-collision-and-poi... ). Merchants therefore need to make sure their token service providers can retrieve the underlying card number from an Apple Pay token, so that the merchant can then tokenize that card number with its own system. Otherwise merchants can end up with multiple token numbers for one card.
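The two points above about tokenization, as an added example (not Gartner’s code, nor any token service provider’s): a toy vault-style merchant token service, used to show why a well-built token is useless to a thief, and the token collision just described, where the same card is tokenized twice because it arrived once as its PAN (swipe) and once as a network token (DPAN) from Apple Pay. All card numbers are constructed test values, and `NETWORK_TSP` is a stand-in for the card network’s token service provider, which is an assumption of this example.

```python
"""Toy merchant token vault: random surrogate tokens, plus a demonstration of
the Apple Pay / merchant token collision and the fix (detokenize the network
token first). Added example with constructed card numbers."""
import hashlib
import hmac
import secrets


class MerchantTokenVault:
    """Vault-style tokenization. The token is random, so nothing about the
    PAN can be recovered from it without the vault. A keyed hash of the PAN
    is the lookup index, so the same PAN always yields one token without
    keeping a plaintext PAN -> token table."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_index = {}   # HMAC(PAN) -> token
        self._pan_by_token = {}     # token -> PAN; a real vault keeps this
                                    # encrypted under an HSM-managed key

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # Twelve random digits plus the real last four, so receipts, refunds
        # and customer service keep working without the PAN.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


# Assumed stand-in for the card network's token service provider: maps a
# device/network token (DPAN) back to the funding PAN. Constructed values.
NETWORK_TSP = {"4895370012345678": "4111111111111111"}


def tokenize_as_presented(vault, number):
    """Collision-prone: whatever number the terminal saw goes straight into
    the merchant vault, so a DPAN and its funding PAN get different tokens."""
    return vault.tokenize(number)


def tokenize_funding_pan(vault, number, network_tsp=NETWORK_TSP):
    """Resolve a network token to the funding PAN first, then tokenize, so the
    card has exactly one merchant token however it was presented."""
    return vault.tokenize(network_tsp.get(number, number))


def collision_demo():
    """Return how many merchant tokens one card ends up with under each
    approach when it is presented once by swipe (PAN) and once via Apple Pay
    (DPAN). Expected: (2, 1)."""
    pan, dpan = "4111111111111111", "4895370012345678"
    naive = MerchantTokenVault(secrets.token_bytes(32))
    naive_tokens = {tokenize_as_presented(naive, pan),
                    tokenize_as_presented(naive, dpan)}
    fixed = MerchantTokenVault(secrets.token_bytes(32))
    fixed_tokens = {tokenize_funding_pan(fixed, pan),
                    tokenize_funding_pan(fixed, dpan)}
    return len(naive_tokens), len(fixed_tokens)


if __name__ == "__main__":
    print("tokens per card (as presented, funding PAN):", collision_demo())
```

The collision is not just a bookkeeping nuisance: a merchant keyed on tokens for loyalty, fraud velocity checks or refunds will treat one card as two customers. Note also that the toy vault still holds the PAN table in memory; in production that table sits in a hardened, segmented vault service, which is the whole point of moving the cleartext PAN out of the store systems.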
Until and unless these strategic data protection measures can be taken, Gartner also recommends that retailers focus on key tactical measures, including:
a) Prevent malware and hackers from entering enterprise networks in the first place.
For example, keep POS systems single-purpose, and segment the cardholder data environment from the rest of the network.
b) Prevent malware installation and operation, assuming the malware manages to get inside the network.
Such steps include restricting outbound connections from POS and back-office systems to an explicit allowlist of destinations, keeping auto-login passwords unique on each POS machine, and using application whitelisting on POS endpoints.
c) Rapidly detect active malware, assuming the preventive steps fail.
For example, monitor network logs and especially the output of file integrity monitoring systems, implement processes for physical and logical detection of USB drives (often used to introduce malware and exfiltrate data), and sample store system memory for signs of malware, since RAM-scraping malware holds cleartext card data in memory before exfiltrating it.
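Two of the tactical checks above, (b) restricting outbound connections and (c) sampling memory, as an added example that is not code from the Gartner research note. The first function flags POS hosts talking to anything outside an egress allowlist, run over constructed firewall log lines; the second scans a constructed memory sample for cleartext track 2 data, which is exactly what POS RAM scrapers hunt for and what a working P2PE deployment should leave absent. The log format, the `pos-` host naming and the allowlist are assumptions for the example.

```python
"""Two tactical POS checks: unexpected egress from POS hosts, and cleartext
track 2 data in a memory sample. Added example with constructed inputs."""
import re

# ---- (b) restrict outbound connections: find what slipped through ----------
# Constructed log lines in an assumed "host src -> dst:port action" shape;
# real firewall formats differ by vendor.
FIREWALL_LOG = """\
pos-lane-01 10.20.1.11 -> 10.20.0.5:443 allow
pos-lane-01 10.20.1.11 -> 10.20.0.9:53 allow
pos-lane-02 10.20.1.12 -> 203.0.113.77:80 allow
pos-lane-02 10.20.1.12 -> 198.51.100.10:21 allow
backoffice-01 10.20.2.5 -> 10.20.0.5:443 allow
"""

# Assumed allowlist: a POS lane may reach only the payment relay over TLS and
# the internal resolver. Anything else is a finding even if the firewall
# allowed it, because that means the egress policy itself is too loose.
POS_EGRESS_ALLOWLIST = {("10.20.0.5", 443), ("10.20.0.9", 53)}
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def unexpected_pos_egress(log_text, allowlist=POS_EGRESS_ALLOWLIST):
    """Return (host, dst, port) for every POS connection not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group(1).startswith("pos-"):
            continue
        host, dst, port = m.group(1), m.group(3), int(m.group(4))
        if (dst, port) not in allowlist:
            findings.append((host, dst, port))
    return findings


# ---- (c) sample memory for signs of a RAM scraper ---------------------------
# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM SVC discretionary ?  The PAN is 13
# to 19 digits, so a Luhn check is needed to weed out lookalike byte runs.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(digits):
    """Standard Luhn check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(memory):
    """Return masked PANs (first 6, last 4) for each Luhn-valid track 2 record
    in the byte sample. Feed it the bytes of a process memory dump."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return hits


# Constructed memory sample: one cleartext track 2 record for a test card,
# one lookalike that fails Luhn (should be dropped), and unrelated bytes.
MEMORY_SAMPLE = (b"\x00\x00POS_TXN_BUFFER"
                 b";4111111111111111=25121011234567890?"
                 b"junk;4111111111111112=2512101?more\xff\xfe")


if __name__ == "__main__":
    print("unexpected POS egress:", unexpected_pos_egress(FIREWALL_LOG))
    print("track 2 in memory:", find_track2(MEMORY_SAMPLE))
```

Two practical notes. Matching on the allowlist rather than on "denied" entries is deliberate: the interesting events are connections the firewall permitted that it should not have, since an overly broad egress rule is how exfiltration to an FTP or HTTP drop site succeeds. And a memory sample that turns up track data does not by itself prove a scraper is present; it proves the cleartext was there to be scraped, which is the condition P2PE is supposed to eliminate.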
We outline a more complete list of the measures involved in these three tactical steps in our research note “How to Avoid Becoming the Next Target Retail Breach Victim”. But these tasks are overwhelming in number, and ongoing hyper-vigilance is required to ensure that the security controls are maintained. In many cases, this will be too much for most retailers to take on.
To breathe more easily, we recommend moving towards point-to-point encryption and tokenization, while recognizing that those measures are no panacea either and will most assuredly be compromised if improperly implemented. We are already hearing reports of poor implementations in the field.
But focusing on a couple of strategic technologies is most assuredly much easier and more effective than juggling dozens of point solutions whose plethora of alerts is bound to blind even the sharpest shooters among us.
The other alternative? Use cash.