It seems like every week stories of major retailers falling victim to payment card and data theft incidents appear on the front pages of newspapers. The latest big-box retailer to join the list is Home Depot, which is currently investigating “unusual activity.”
Although Home Depot is not releasing specifics about the attack, the retail chain did say the breach resembled the one suffered by Target during the holiday season of 2014. During the breach, customers’ credit and debit card information may have been stolen by criminals. The initial report suggests the thieves hijacked in-store point-of-sale systems.
“At this point, I can confirm looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” explained Home Depot representative Paula Drake in a response sent to the media. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately.”
The latest of many
With data and payment card information theft having become seemingly commonplace in the retail sector, it would be easy to think merchants would shore up security at the point of sale to prevent similar attacks. Indeed, that is what many retailers think, which is why they take steps such as securing in-store POS networks or improving the security of online payment portals.
However, as Internet Retailer explained, safeguarding this data is not as easy as it may initially seem. Target, for example, was compliant with the Payment Card Industry Data Security Standard (PCI DSS), deployed third-party companies to monitor its systems for suspicious activity and took all the precautions to ensure its systems were protected. Yet fraudsters and criminals are relentless, and they still found an exploitable gap in all those safety measures.
So what are retailers and POS system developers supposed to do to keep criminals at bay? One solution may be leveraging better encryption tools and technology that ensures less sensitive information is stored on retail servers to begin with.
“If a hacker wants to get into a retailer’s system, he will, because every company is hackable with enough effort,” security expert Todd Morris explained to Internet Retailer. “But that’s why we have to limit the amount of valuable data we have so that it isn’t worth a hacker’s effort.”
When it comes down to it, protecting this sensitive information is all about deploying every available measure. Simply being compliant with security standards or purchasing a secure POS solution is not enough - retailers need to cover all of their bases, from minimizing data stored on servers to purchasing surveillance services.
The price of half-hearted security attempts
Not to dwell too much on one subject, but merchants need only look at Target to view firsthand the price of these breaches. On top of fines from regulatory bodies and various lawsuits, the retailer is also left having to completely overhaul its security programs and POS systems. Additionally, the credibility of the brand took a nosedive, which led to lackluster results in the most important part of the year - the holidays. This all led to the removal of key corporate executives. As Internet Retailer noted, Target is still reeling from the effects of the 2013 breach, bordering on a year later.
Everyone involved in the payments industry, from the developers of POS solutions to the retailers using these systems, needs to be cognizant of payment security moving forward.