Michaels Stores' Breach Ups the Ante for Retail Data Security
By Mark Bower, Voltage Security
If retailers want to address credit card breaches head-on, then they need to join the leaders already taking their systems off the radar of advanced malware based attacks — especially any retailer that's seen repeated attacks, which illustrate that traditional IT defenses simply don't cut the mustard.
Breaches like this can be completely neutralized by using modern encryption techniques to take cardholder data out of the scope of attacks on vulnerable POS systems — including memory scrapers like those used at Target and others. By encrypting data the instant it is read by the hardened card reading device and protected end-to-end using format-preserving encryption technology, the data is neutralized from attack, but compatible with the payment flow to the protected processing host for hand-off to the card brands and issuers. If an attack takes place in the POS or upstream, the attacker gets absolutely nothing.
Several major U.S. retailers use it already, as do six of the eight biggest acquirers, even mom-and-pop stores. The technology can be readily applied even to older retail ecosystems — so retail CFOs don’t have to be concerned with major store retrofit costs.
Prior to the Michaels disclosure hitting the headlines, the National Retail Federation announced a new cybersecurity information-sharing platform for retailers and merchants in conjunction with the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Information sharing and analysis centers (ISACs) are a proven way for organizations to hear from peer organizations about emerging advanced threats to data, criminal behavior patterns, best practices to manage risk, and as a forum to learn about how new technologies, like data-centric encryption and tokenization, can mitigate them economically. FS-ISAC has set the bar high with regular industry events, advance notifications, training and education programs for the banking sector already. Extending this to retail entities makes a lot of sense and facilitates a no-nonsense vehicle to solve problems quickly across industry participants.
While advanced technology can solve big risk issues, one of the biggest gaps industry faces today is education and understanding the true cost and risk of advanced threats when they hit vulnerable entities. Hearing from leaders and experts that have experienced such attacks first hand and stepped up to modernize their data security strategy to turn the tables on the attackers can be a fast track for others to follow with big pay-offs.
Mark Bower is VP of product management and solution architecture for Voltage Security.