The October deadline for retailers to accept EMV (Europay, Mastercard, Visa)-compliant, chip-based payment cards or face increased fraud liability has placed payment card security in the industry headlines. While important, securing card-based payments at the store is one small facet of the huge undertaking retailers face in protecting their entire network.
For retailers, the broad concept of “security” encompasses specific areas, such as store systems, supply chain, financial data, third-party partners and the enterprise as a whole. In addition to preventing breaches and other harmful incidents, retailers that want to enact a truly comprehensive security plan must also include steps for detecting and remediating intrusions, as well as maintaining operational consistency during a response.
And the looming arrival of next-generation technologies such as quantum computing, which threatens the public-key cryptography that payment systems rely on today, may significantly change the security landscape. But since EMV has been such a hot topic of late, let’s start with a closer look at it.
EMV: As of Oct. 1, 2015, the card brands shift liability for counterfeit-card fraud to whichever party in a transaction has the less secure technology. A retailer that does not have EMV-compliant hardware, software and operational and network procedures in place will therefore bear the cost of counterfeit fraud whenever a chip-based card is used at a terminal that cannot read the chip. The cost and effort required to achieve compliance, as well as the potentially enormous liability for non-compliance, have made EMV the retailer security topic du jour. Yet achieving EMV compliance is only one piece of the security puzzle, and for some retailers not the most urgent one.
“EMV compliance is not as imperative if you don’t sell fenceable goods, such as luxury items or gift cards,” said William P. Freed Jr., manager, public affairs and issues for Visa Inc.
Tom Litchford, VP retail technologies, National Retail Federation (NRF), had similar thoughts.
“The liability shift is not a hard date,” said Litchford. “It’s mandated by card providers from a risk-management business perspective. Whoever is least secure has the liability.”
Most large retailers, such as Target and Wal-Mart, will have complied or come close to complying with the EMV mandate by the October deadline. For other retailers that have further to go (or haven’t started), Freed recommended using a qualified integrator and reseller. However, he cautioned that resellers may introduce security weaknesses of their own.
“A lot of hackers are targeting resellers and integrators that are not using security best practices,” said Freed. “Some are using common passwords for remote maintenance practices.” Litchford said retailers embarking on EMV compliance need to determine such factors as whether they will use self-service or traditional POS, customer prompts and screen displays, and how checkout speed will be impacted.
“No matter what, start with customer experience,” advised Litchford. He also recommended retailers seek terminals that can walk customers through EMV-compliant transactions, as high cashier turnover will limit the help associates can offer, and study software specifications.
Freed and Litchford agreed that EMV compliance ultimately only protects card-present transactions at the point of sale (the chip makes the card hard to counterfeit, but it does not by itself encrypt the card number as it passes through the retailer’s systems), and does not prevent data breaches in other parts of the network. In addition, other countries that have implemented widespread chip-based payment card transactions have observed a significant increase in online (card-not-present) fraud as criminals move to the channel the chip does not cover, and both experts expect the same to happen in the United States.
Network Integrity: In their intense focus on EMV compliance, retailers often fail to see the forest of the network for the trees of the POS. Craig Spiezle, executive director and president of the Online Trust Alliance and former director of product security and privacy, product management for Internet Explorer at Microsoft, said retailers need to understand POS security is part of a much larger effort.
“Retailers have looked at the POS and other individual network components as discrete, isolated silos,” Spiezle said. “Systems are interconnected. You compromise one, you compromise all.”
Spiezle cited the 2013 Target breach, which originated with the dedicated remote access of a third-party HVAC vendor being compromised, as an example of how an intrusion at any point in the network subjects the whole enterprise to risk.
“It’s a Titanic of a problem,” Spiezle said. According to Spiezle, retailers can eliminate a lot of potential security vulnerabilities by establishing firm administrative controls for their networks.
“A firewall is as good as how it’s secured and configured,” Spiezle said. “Default settings are not properly considered. Security is not in the four concrete walls of the store. Where is the data? Who has access and administrative privileges? Are the same credentials used for the salesforce also used internally?”
Thus, retailers need to make sure they follow security “basics,” such as revalidating data access when an employee changes roles or is promoted, and not reusing passwords across systems.
“Too many people have broad global access,” Spiezle said. “You need to reduce the attack surface.”
Spiezle also offered some advice on how retailers can better identify when a breach has occurred, and ensure they remain in operation while compromised systems are remediated.
“Outside the firewall, data loss prevention technology can be added on top of large packets of data and detect unusual traffic,” explained Spiezle. “It acts as a ‘surge protector’ and will block traffic if there is too much activity, and prevent incidents before they become catastrophic.”
In addition, Spiezle said retailers should conduct a security audit of all third-party vendors, just as they would to verify factors such as price and service levels. And since criminals will often hold onto stolen credit card data for months as they attempt to boost its value by correlating it with other personal consumer data, retailers cannot wait until credit card data shows up on black market websites to determine if their customers’ information has been compromised.
“Look at log data regularly,” said Spiezle.
“Often, retailers only look once a problem is detected, which is too late. It’s like in-store security videos, which are only checked when there is a problem, but should be reviewed regularly or monitored in real time.”
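The log review Spiezle calls for is easiest to see on concrete records. The following is an added example, not code from the article or from anyone quoted in it; the log format, host names, account names, address ranges and thresholds are all assumptions. It runs three checks over a handful of constructed records that cover the warning signs this section describes: a third-party maintenance account reaching a host outside its agreed scope (the pattern behind the Target HVAC intrusion), one remote-access credential used from two different source addresses within minutes (a sign of a shared or common password), and a large transfer from a register to an address outside the store network (the “unusual traffic” that a regular look at the logs would surface before the data turns up on a black market site).

```python
"""Log review for three warning signs this section describes (added example; the log
format, names, addresses and thresholds are assumptions, not anything from the article)."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed store address space; anything outside it is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Assumed agreement: each third-party account may only reach the listed hosts.
VENDOR_SCOPE = {"hvac-vendor": {"bms-gw01"}}
PAYMENT_PREFIX = "pos-"                 # assumed naming convention for card-data-zone hosts
SHARED_CRED_WINDOW = timedelta(minutes=10)
EGRESS_THRESHOLD = 50 * 1024 * 1024     # bytes from one register in one record

# Constructed sample records, one per line:
#   timestamp event subject src_ip dst bytes_out
# subject is the account for *_login events and the sending host for egress events.
SAMPLE_LOG = """\
2015-09-14T02:10:05 vpn_login hvac-vendor 203.0.113.7 bms-gw01 0
2015-09-14T02:12:41 rdp_login hvac-vendor 10.40.1.5 pos-srv-03 0
2015-09-14T02:13:02 vpn_login svc-maint 198.51.100.9 pos-srv-03 0
2015-09-14T02:13:30 vpn_login svc-maint 192.0.2.44 pos-srv-07 0
2015-09-14T03:05:00 egress pos-reg-112 10.40.2.112 198.51.100.200 734003200
2015-09-14T10:15:00 egress pos-reg-112 10.40.2.112 10.40.9.2 1048576
2015-09-14T11:00:00 rdp_login store-mgr 10.40.1.8 pos-srv-03 0
"""


def parse(log_text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, subject, src_ip, dst, bytes_out = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "subject": subject, "src_ip": src_ip, "dst": dst,
                        "bytes_out": int(bytes_out)})
    return records


def scope_violations(records):
    """A vendor account logging in to a host outside its agreed scope (the HVAC pattern)."""
    alerts = []
    for r in records:
        allowed = VENDOR_SCOPE.get(r["subject"])
        if allowed is not None and r["event"].endswith("_login") and r["dst"] not in allowed:
            alerts.append(f"SCOPE {r['ts']:%H:%M} {r['subject']} reached {r['dst']} from {r['src_ip']}")
    return alerts


def shared_credential_use(records):
    """One perimeter (VPN) credential used from two different addresses within minutes."""
    alerts = []
    last_seen = {}  # account -> (timestamp, src_ip) of its previous VPN login
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["event"] != "vpn_login":
            continue
        prev = last_seen.get(r["subject"])
        if prev and prev[1] != r["src_ip"] and r["ts"] - prev[0] <= SHARED_CRED_WINDOW:
            alerts.append(f"SHARED {r['ts']:%H:%M} {r['subject']} from {prev[1]} and {r['src_ip']}")
        last_seen[r["subject"]] = (r["ts"], r["src_ip"])
    return alerts


def is_external(addr):
    """True when addr is an IP address outside the assumed store network."""
    try:
        ip = ip_address(addr)
    except ValueError:        # a hostname, not an address: not an egress destination we score
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_egress(records):
    """A card-data-zone host pushing a large volume to an address outside the store network."""
    alerts = []
    for r in records:
        if r["event"] != "egress" or not r["subject"].startswith(PAYMENT_PREFIX):
            continue
        if is_external(r["dst"]) and r["bytes_out"] >= EGRESS_THRESHOLD:
            alerts.append(f"EGRESS {r['ts']:%H:%M} {r['subject']} sent {r['bytes_out']} bytes to {r['dst']}")
    return alerts


def review(log_text):
    """Run all three checks and return the combined alert list."""
    records = parse(log_text)
    return scope_violations(records) + shared_credential_use(records) + suspicious_egress(records)


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Run against the constructed records, the review raises exactly three alerts: the HVAC account’s RDP session to a POS server, the maintenance account’s two VPN logins from different addresses within half a minute, and the 700 MB transfer from a register to an external address at 3 a.m. The point is not the specific rules but that each one needs data the retailer already has (VPN, remote-desktop and firewall logs) plus one piece of policy written down in advance: which hosts a vendor may touch, and which networks count as “ours.”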
Finally, retailers need to ensure they can still operate normally in the event systems go down due to a security breach.
“There need to be backup systems and copies of server software to mirror things, so there is redundancy,” said Spiezle.
Supply Chain Visibility: In the past few years, retailers have increasingly been turning to RFID technology to help them obtain an accurate, real-time view of their supply chain. While this provides the underpinnings of distributed order management and other omnichannel activities, it can also deliver substantial back-end security benefits.
“Security is usually, but not always, a second-order use case for RFID,” said Justin Patton, director of the RFID Lab at Auburn University. “Usually RFID is phased by category — you might start with jeans and then move on to basics.”
Patton said the typical value d