By Erin Nealy Cox, Stroz Friedberg
Ever since the major retailer breaches last year, outsiders have been pointing fingers at the victim merchants demanding to know how something like this could happen. But cyber risk in the payment card industry is a problem greater than any one company. While there is much a retailer can do to secure its network, comprehensively mitigating this ever-present risk requires the participation and partnership of all parties that either touch retailer networks or are responsible for producing the sensitive payment information that retailers are obligated to keep safe.
I’ve been fighting cyber crime for many years, and I know from experience that hackers are highly motivated opportunists. They will run toward the biggest prize through the easiest door every time, and if they look hard enough, there is often a door they can pry open. Over the years, as technology has evolved, so have the hackers. A few years ago, attackers were “sniffing” credit card traffic from retailer networks. To quash this ability, retailers encrypted the internal payment card networks through which card data flows. So hackers shifted their attack to point-of-sale machines, stealing card information from memory. Moreover, as hackers have proven time and again, if a retailer is hard to exploit, the hacker will simply go through the weaker networks of its third-party vendors.
However, the war against payment card cybercrime can’t be won by isolated battles in retailer IT departments, and there is no single weapon that will end it. Rather, success requires retail industry leaders to work with multiple parties to holistically bolster their protections. The most important of these groups are the financial services industry, other retail companies, their third-party vendors, and every single one of their employees. Retailers must galvanize these disparate groups to fight together toward this cause.
A clear priority for retailers should be encouraging the financial industry to require the use of PINs instead of signatures to support the technology that retailers are required to install by the October 2015 deadline set by MasterCard and Visa. The practical downside of chip cards that require only signatures is that they strengthen the security of in-store transactions alone. Online retail sales, positioned to bring in nearly $300 billion in 2014 according to Forrester Research, would still sit unsecured. PINs, which apply to both in-store and online transactions, would protect both arenas of commerce.
It’s important to note that this step-up in security isn’t only up to the retailers. Even if every retailer installed chip-and-PIN systems and e-commerce operations put in place secure payment portals, the investment would be useless unless banks required the use of PINs and were willing to forgo the higher interchange fee. The new partnership formed by major finance and retail associations announced in February could be a valuable opportunity for the sectors to work together toward this objective. But even if they get there, a ubiquitous chip-and-PIN card system is not a panacea. As noted, hackers are a nimble enemy.
Another important aspect of fighting this adversary will be the willingness of retailers to share information, even with their biggest competitors. Rapidly sharing intelligence across the industry about malware, malicious IP addresses, and new methods of attack is critical. These announcements are not the same as broadcasting that you’ve been breached, but rather alerting other retailers of identified threats to make sure they are looking out for them as well. There is an existing system and precedent for this type of sharing — Information Sharing and Analysis Centers, known as ISACs. ISACs are entities established by sector companies that provide reliable and accurate information and analysis to the sector, and at times, other sectors and the government. The industry is already considering forming one. Common hacker targets like the electricity industry, the financial services sector, and healthcare infrastructure have their own ISACs. It’s time for retailers to have one, too.
Retailers also need to focus on their own expansive network of third-party vendors and their own employees to secure against unwanted intrusions. A retailer’s defense is only as strong as its weakest link. Retailers must vet and manage their outside partners to make sure they keep their security credentials and networks secure. Employees of all kinds must be trained to recognize spearphishing emails, and policies should be implemented prohibiting them from downloading new software onto their workstations, as it can be hard to differentiate between safe and unsafe applications.
Partnerships with outside security consultants can also be valuable. External experts can audit existing security processes; identify exposure points in the digital network and physical footprint that may have been overlooked; and at the least, challenge and broaden the internal team’s perspective on cybercrime defense.
Retailers — a constant target of financially motivated hackers — must work tirelessly to mitigate the risk of data breaches, not only to protect themselves from massive fines, lawsuits, congressional inquiries, and a firestorm of blame, but to help protect the payment card industry as a whole. In the best circumstance, a retailer’s security system would incorporate reputable technologies, diligent and well-trained employees, and security-focused partnerships with financial services firms, third-party vendors, other retailers and, when necessary, cyber security investigative firms. Unfortunately, merchants, positioned to take the fall, may need to be the ones to courageously stand up first and lead the change that’s beneficial to all. A lot to ask of a victim, don’t you think?
Erin Nealy Cox, executive managing director, Stroz Friedberg, a global investigations, intelligence and risk management firm. She can be reached at firstname.lastname@example.org.