Hundreds of millions of credit and debit card numbers were stolen from big brand-name retailers in 2014. From The Home Depot to P.F. Chang’s, criminals and fraudsters had a smorgasbord of sensitive information, capitalizing on vulnerable point-of-sale terminals, outdated security practices and merchants who were simply too busy to pay close attention to the management of their sensitive information. Some of the top breaches, according to Payments Source, included Target (110 million stolen records), Staples (1.6 million records) and The Home Depot (56 million stolen records).
To make matters worse, many merchants feel helpless to stop these attacks. Target, for example, acquired an entirely new, cutting-edge cyber security system just prior to its POS breach. However, because there were so many false positives and other blips that weren’t serious threats, Target’s security staff did not report the breach, as the retailer simply couldn’t see it through the noise. Even if enterprises can anticipate attacks, what can be done to prevent them? While retailers must balance security with other mission-critical functions such as merchandising and customer service, tenacious fraudsters are able to devote all of their time toward cracking security systems and identifying gaps to exploit.
Tokenization, EMV and other solutions to divert fraudsters’ attention
While retailers may not be able to stop fraudsters from breaching their systems, they can minimize the data stolen by using tokenization and encryption technology. These practices ensure merchants do not actually store any sensitive information locally, but instead move transaction data to financial institutions with more robust security monitoring.
According to James Gordon, chief technology officer at Needham Bank in Needham, Massachusetts, these security practices may result in attackers shifting focus. Rather than devoting all of their efforts to cracking the networks of retailers and consumer-facing businesses, they will turn their attention to financial institutions that store this sensitive data. While this presents numerous dangers in itself, it also alleviates some of the pressure for enterprises and may help them protect their customers more effectively.
“How is that [hacking activity] going to stop now that we’ve got Apple Pay and EMV coming along? It’s not going to stop, it’s just going to move to the next likely target,” Gordon told the news source. “Who has the numbers the hackers want? The banks. Before, it was the banks and the retailers, retailers just happened to be an easier target. Bankers need to be especially aware that this is just a shift in focus [on hackers’ part] to banks, front and center.”
Upgrading POS solutions to avoid attacks
The onus for retailers is clear: They need to upgrade their POS to EMV-compatible standards and utilize tokenization and other encryption tools to dissuade criminals from breaching their security systems. Tokenization in particular has seen a sharp increase in interest, with mobile wallet services such as Apple Pay using the technology to safeguard user data.
It is reasonable to expect retailers to look for POS solutions that incorporate tokenization, so in that regard, POS developers should also seek to incorporate these tools and technology into their POS offering. Security has become a bullet point that all enterprises look for in their POS solutions, so for many ISVs, data security is a major selling point.