What the CFO Needs to Know: Data Breaches
▲ Data breaches are on the rise: Mounting an attack on retail systems has become increasingly attractive to attackers because malware can be delivered at very low cost, according to Mark Bower, VP product management and solutions, Voltage Security, a Cupertino, California, provider of data-centric encryption and tokenization.
“So it becomes very attractive to attackers to try and steal credit card and personal data they can monetize very quickly,” he added.
As to the role of a financial chief, “the CFO has the responsibility to look at overall risk in the organization, and data security has become a big factor in risk mitigation,” Bower said. “When a data breach happens, it will damage the brand and consumer trust, which impacts revenue and results in unforeseen costs to the organization.”
▲ Chip and PIN versus chip and signature: The global Europay, MasterCard and Visa (EMV) standard puts the card's payment credentials in a secure embedded microchip that produces a unique cryptogram for every transaction, rather than in an unprotected magnetic stripe whose static data can be copied onto a counterfeit card, as is common in the United States. The cardholder is then further verified with either a PIN or a signature.
The cost of either cardholder verification method is similar, but most industry experts promote chip and PIN as more secure. The chip itself defeats counterfeit cards; the PIN addresses a different threat, the lost or stolen card. A criminal who steals or finds a chip and signature card can still forge the signature (especially as the genuine one is often on the back of the card), whereas PIN verification blocks use of the card unless the PIN is also compromised. Neither method protects card-not-present (online or phone) transactions, which is where fraud tends to migrate once chip cards are in circulation. Target has committed to spend up to $100 million to reissue all the debit and credit cards in its branded REDcard portfolio using chip and PIN technology from MasterCard.
“The chip validates that it’s the real card,” said Tom Litchford, VP retail technologies for the Washington, D.C.-based National Retail Federation. “The PIN provides two levels of validation.”
▲ Upcoming shift in fraud liability: Today, liability for counterfeit card fraud at the point of sale generally rests with the card issuer. As of October 2015, that liability shifts to any U.S. retailer that accepts a chip-enabled card on equipment that cannot process chip transactions: if the card had to be swiped because the terminal could not read the chip, and the transaction turns out to be fraudulent, the retailer bears the cost. Selecting and implementing that equipment, and training associates to use it, will take time.
“Our goal is to start migrating right away,” Litchford said.
▲ Total switching costs: The NRF estimates that switching to either form of chip-based card verification would cost the U.S. retail industry $20 billion to $30 billion over several years. The NRF wants the financial industry to shoulder some of the cost, but the switch will still prove costly to retailers. Reluctant CFOs should consider that Target reported $61 million in breach-related costs in the fourth quarter of 2013 alone, and quarterly sales (including the holiday period) fell 5.3%.
Gartner has estimated the breach will cost Target $400 million to $450 million in total, and then there are qualitative costs like eroded customer trust and loyalty. Data security requires significant upfront investment, but CFOs need to understand the long-term financial implications of skimping on this critical expense.
▲ Data-centric security: Encrypting or tokenizing card data at the moment it is captured, rather than relying only on the network and systems around it, protects the data once it has moved into a retailer's environment. This type of protection would have made the Target breach, in which malware captured card data inside the point-of-sale systems once it had left the card, much more difficult: a retailer that holds only tokens and cipher text has nothing an attacker can sell. The caveat is where the protection starts. Encryption applied only in the database, after the data has passed through POS memory in the clear, does not help against malware running on the POS itself; the card reader or the earliest point of capture is where the data has to be neutralized. Done that way, data-centric security means that when an attack happens, the attacker gets nothing of value.
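As an added illustration (not code from the article or from Voltage Security), the following Python shows the shape of a tokenization deployment: a token vault that is the only component ever holding the card number (PAN), a retailer database that stores only tokens, and a simulated attacker dump of that database. The vault API, the caller names, the index key and the test card numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check: every real PAN passes it, and the tokens below are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service: the only component that ever holds a PAN.

    It lives outside the retailer's POS and database network; the retailer keeps the
    token, and only the settlement path is allowed to ask for the PAN back.
    """

    def __init__(self, index_key: bytes, authorized_callers=("settlement-service",)):
        self._index_key = index_key            # keys an HMAC so the lookup index holds no raw PANs
        self._token_to_pan = {}
        self._fingerprint_to_token = {}
        self._authorized = set(authorized_callers)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        fp = self._fingerprint(pan)
        if fp in self._fingerprint_to_token:   # same card -> same token, so repeat-customer analytics still work
            return self._fingerprint_to_token[fp]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # keep the last four digits for receipts and lookups
            # A token that fails Luhn cannot be mistaken for, or used as, a real card number.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._token_to_pan[token]


def record_sale(vault: TokenVault, retailer_db: list, pan: str, amount_cents: int) -> dict:
    """What the retailer's own systems store: a token, never the PAN."""
    row = {"card": vault.tokenize(pan), "amount_cents": amount_cents}
    retailer_db.append(row)
    return row


def exposed_pans(retailer_db: list) -> list:
    """Simulate an attacker dumping the retailer's table: which rows look like real cards?"""
    return [row["card"] for row in retailer_db if luhn_valid(row["card"])]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    db = []
    # Constructed test card numbers (standard test PANs, not real accounts).
    record_sale(vault, db, "4111111111111111", 4999)
    record_sale(vault, db, "5555555555554444", 1250)
    print("retailer rows:", db)
    print("usable PANs in a dump of the retailer DB:", exposed_pans(db))
    print("settlement sees:", vault.detokenize(db[0]["card"], "settlement-service"))
```

The point the code makes is architectural: the database that a POS or back-office compromise can reach contains tokens that fail the Luhn check and map to nothing without the vault, and the vault enforces who may reverse them. In a real deployment the vault is a separate, hardened service, the mapping is persisted under its own key management, and the PAN is encrypted in the card reader before it reaches POS memory, which is what tokenization alone does not cover.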
Cost-Effective Prevention
There are cost-effective and easy measures retailers can take to protect themselves. For example, Verizon data shows that nearly eight in 10 cyberattacks originate in Eastern Europe, with 58% coming from Romania, 12% from Armenia and 8% from Russia. Those figures describe where the attacking traffic appears to come from, not necessarily where the attackers sit; a proxy or a compromised host can put an attacker anywhere, so geographic blocking raises the cost of an attack rather than eliminating it, and any legitimate partner connection from a blocked region needs an explicit exception.
“You can mitigate the vast majority of attacks by blocking out parts of the world where you don’t do business,” said Dallas-based Bryan Sartin, director of risk for Verizon enterprise solutions. “The technology and know-how have been around since the mid-1980s.”
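To make that policy concrete, here is an added example (not from the article or from Verizon) of a country-based deny policy in Python, evaluated over constructed firewall log lines. The address-to-country table uses RFC 5737 documentation ranges with hypothetical country labels, and the partner allowlist address is made up; a real deployment loads a licensed GeoIP feed and expresses the same decisions as firewall rules.

```python
import ipaddress
from collections import Counter

# Constructed geolocation table: RFC 5737 documentation ranges with hypothetical country
# codes. Sorted longest prefix first so a more specific entry overrides the block it sits in.
GEO_TABLE = sorted(
    [
        (ipaddress.ip_network("192.0.2.0/24"), "US"),
        (ipaddress.ip_network("198.51.100.0/24"), "RO"),
        (ipaddress.ip_network("198.51.100.64/26"), "US"),   # carve-out inside the RO block
        (ipaddress.ip_network("203.0.113.0/24"), "RU"),
    ],
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)

# Countries where the business actually operates; everything else is denied.
ALLOWED_COUNTRIES = {"US", "CA"}

# Explicit exceptions for partners you must reach regardless of geography, such as a
# vendor's fixed VPN endpoint. Hypothetical address.
PARTNER_ALLOWLIST = {ipaddress.ip_network("203.0.113.8/32")}


def country_of(ip: str):
    """Longest-prefix match of an address against the table; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


def decide(ip: str):
    """Return (action, reason) for a source address. Unmapped addresses are denied:
    an address the feed cannot place is not one you can argue you do business with."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PARTNER_ALLOWLIST):
        return ("allow", "partner-allowlist")
    cc = country_of(ip)
    if cc is None:
        return ("deny", "unmapped")
    if cc in ALLOWED_COUNTRIES:
        return ("allow", cc)
    return ("deny", cc)


def apply_policy(log_lines):
    """Parse constructed 'timestamp src_ip dst_port' lines and tally the decisions.
    The denied list is what you would feed to the SOC: blocked does not mean uninteresting."""
    tally = Counter()
    denied = []
    for line in log_lines:
        ts, src, port = line.split()
        action, reason = decide(src)
        tally[(action, reason)] += 1
        if action == "deny":
            denied.append((ts, src, port, reason))
    return tally, denied


# Constructed sample log lines (timestamp, source address, destination port).
SAMPLE_LOG = [
    "2013-11-27T03:14:07Z 198.51.100.23 3389",
    "2013-11-27T03:14:09Z 192.0.2.10 443",
    "2013-11-27T03:15:01Z 203.0.113.8 1194",
    "2013-11-27T03:15:30Z 203.0.113.77 445",
    "2013-11-27T03:16:12Z 198.51.100.70 443",
    "2013-11-27T03:17:45Z 198.18.0.5 22",
]

if __name__ == "__main__":
    tally, denied = apply_policy(SAMPLE_LOG)
    for key, count in sorted(tally.items()):
        print(key, count)
    for entry in denied:
        print("DENY", *entry)
```

Two design choices matter more than the lookup itself: the allowlist is checked before geography, so the one vendor you do need to talk to in a blocked country keeps working, and the denied connections are recorded rather than silently dropped, because a burst of blocked RDP or SMB attempts from one address is useful detection signal.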
The use of two-factor authentication can greatly reduce the innate risk of giving outside parties access to your network, according to Sartin. Take the well-known example of criminals using stolen vendor credentials to enter the Target network through a dedicated VPN link: had those credentials been bolstered with a second factor, such as a one-time code generated on a token or phone rather than stored on the vendor's PCs, the stolen password alone would not have been enough to get in. And basic video and alarm security systems greatly reduce the opportunity for thieves to tamper with or replace card readers.
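Added example (not from the article or from Verizon): a vendor login that requires both a password and a time-based one-time code, implemented in Python from RFC 4226 (HOTP) and RFC 6238 (TOTP). The account store, the password and the salt are constructed, and the TOTP secret is the RFC 6238 test key so the codes can be checked against the published vectors; a real secret is random and provisioned only to a device the vendor's PC never holds.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def new_user_store() -> dict:
    """Constructed vendor account. A password hash (never the password) plus a TOTP secret."""
    salt = b"constructed-salt"
    return {
        "hvac-vendor": {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000),
            "totp_secret": b"12345678901234567890",   # RFC 6238 test key, demonstration only
            "last_counter": -1,   # highest time step already accepted; blocks code replay
        }
    }


def authenticate(store: dict, username: str, password: str, code: str, now: int,
                 step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Both factors must pass. A stolen password with no code, or with a reused code, fails."""
    user = store.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False            # first factor failed; the code is not even examined
    counter = int(now) // step
    # Accept the current step and one step either side to tolerate clock drift.
    for c in range(counter - window, counter + window + 1):
        if c <= user["last_counter"]:
            continue            # that time step was already used once: reject replay
        if hmac.compare_digest(hotp(user["totp_secret"], c, digits), code):
            user["last_counter"] = c
            return True
    return False


if __name__ == "__main__":
    store = new_user_store()
    secret = store["hvac-vendor"]["totp_secret"]
    now = 1_000_000
    code = totp(secret, now)
    print("password only:", authenticate(store, "hvac-vendor", "correct horse", "", now))
    print("password + fresh code:", authenticate(store, "hvac-vendor", "correct horse", code, now))
    print("same code replayed:", authenticate(store, "hvac-vendor", "correct horse", code, now))
```

The replay check is the detail that matters for the vendor-credential scenario: an attacker who keylogs a PC sees the password and one code, and the code is worthless thirty seconds later or the moment it has been used once. The second factor has to be generated somewhere the attacker cannot read, which is why a seed stored on the same PC as the password buys nothing.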