Michaels Stores’ Breach Ups the Ante for Retail Data Security
By Mark Bower, Voltage Security
If retailers want to address credit card breaches head-on, then they need to join the leaders already taking their systems off the radar of advanced malware-based attacks — especially any retailer that’s seen repeated attacks, which illustrate that traditional IT defenses simply don’t cut the mustard.
Breaches like this can be completely neutralized by using modern encryption techniques to take cardholder data out of the scope of attacks on vulnerable POS systems — including memory scrapers like those used at Target and others. When data is encrypted the instant it is read by the hardened card-reading device and protected end-to-end using format-preserving encryption technology, it is neutralized from attack yet remains compatible with the payment flow to the protected processing host for hand-off to the card brands and issuers. If an attack takes place in the POS or upstream, the attacker gets absolutely nothing.
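An added illustration of the format-preserving property described above, not code from the original article or from Voltage Security: a simplified HMAC-based Feistel cipher over decimal digits (not the NIST FF1 mode a production system would use) that turns a card number into a same-length digit string only the key holder can reverse. The function names, key, tweak and test card number are constructed for this sketch.

```python
import hashlib
import hmac

ROUNDS = 10  # assumption for this sketch; even, so the halves end in their original order


def _prf(key: bytes, rnd: int, tweak: bytes, half: str) -> int:
    """Round function: HMAC-SHA256 over round number, tweak and the other half."""
    msg = bytes([rnd]) + len(tweak).to_bytes(2, "big") + tweak + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _check(digits: str) -> tuple[int, int]:
    """Validate the input and return the widths of the left and right halves."""
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    return u, len(digits) - u


def fpe_encrypt(key: bytes, pan: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to a digit string of the same length (reader side)."""
    u, v = _check(pan)
    a, b = pan[:u], pan[u:]
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else v  # width of the half being replaced
        c = (int(a) + _prf(key, rnd, tweak, b)) % 10**m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, token: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt; only the key holder (the processing host) can do this."""
    u, v = _check(token)
    a, b = token[:u], token[u:]
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else v
        c = (int(b) - _prf(key, rnd, tweak, a)) % 10**m
        a, b = str(c).zfill(m), a
    return a + b


if __name__ == "__main__":
    reader_key = bytes(range(32))  # constructed demo key, shared by reader and host
    pan = "4111111111111111"       # constructed test card number
    token = fpe_encrypt(reader_key, pan)
    # The POS only ever handles `token`: still 16 digits, so downstream fields accept it.
    print(token, fpe_decrypt(reader_key, token) == pan)
```

Because the output is still a digit string of the original length, the POS software and message formats between the reader and the processing host need no changes, while anything scraped from POS memory is ciphertext.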
Several major U.S. retailers use it already, as do six of the eight biggest acquirers, even mom-and-pop stores. The technology can be readily applied even to older retail ecosystems — so retail CFOs don’t have to be concerned with major store retrofit costs.
Prior to the Michaels disclosure hitting the headlines, the National Retail Federation announced a new cybersecurity information-sharing platform for retailers and merchants in conjunction with the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Information sharing and analysis centers (ISACs) are a proven way for organizations to hear from peer organizations about emerging advanced threats to data, criminal behavior patterns and best practices to manage risk, and they serve as a forum to learn how new technologies, like data-centric encryption and tokenization, can mitigate them economically. FS-ISAC has already set the bar high with regular industry events, advance notifications, and training and education programs for the banking sector. Extending this to retail entities makes a lot of sense and provides a no-nonsense vehicle to solve problems quickly across industry participants.
While advanced technology can solve big risk issues, one of the biggest gaps the industry faces today is education and understanding the true cost and risk of advanced threats when they hit vulnerable entities. Hearing from leaders and experts who have experienced such attacks firsthand and stepped up to modernize their data security strategy to turn the tables on the attackers can be a fast track for others to follow, with big pay-offs.
Mark Bower is VP of product management and solution architecture for Voltage Security.
Winning the race for omnichannel excellence
In the last 12 months the buzz around omnichannel has become the most consistently discussed trend for major retailers. It’s always noteworthy when a trend emerges and becomes a part of the mainstream conversation so quickly, but what is even more noteworthy is how fast omnichannel has become standard operating procedure.
This has left many retailers simultaneously trying to understand the impacts of omnichannel on their business, while trying to successfully merge their retail and e-commerce business into a seamless experience for their customers across the brand. The biggest reason that omnichannel has transitioned so quickly is because the change is being driven at the customer level. Customers want to research, experience, purchase and then return merchandise in ways that are convenient to them. They are more willing to look across multiple retailers’ touchpoints before making final decisions. Things become challenging when retailers begin to examine the impacts of these shifts and find themselves needing to make comprehensive changes across their channels very quickly while allowing for the nuances of each type of business.
For example, online shopping has its own seasonality in relationship to demand trends and pricing. As a result, rules for inventory allocation and replenishment can become very complex. Many retailers do not have the integrated analytic solutions needed to accurately predict and respond to online and brick and mortar customer demand. They are forced to navigate through many manual processes across disconnected and static solutions for business intelligence, analytics and execution. The challenge is profitably moving inventory to address this new age of cross channel demand. Does the retail store or the online order get priority when it comes to inventory allocation? Is it better to fill an online order (immediate demand) if it means shorting a store (future demand)? Many retailers find that filling online orders with inventory allocated to stores may impact more than that single item and affect the store level assortment needs. Retailers need to understand and consider the in-store probability of a full priced sale as well as in-store ancillary sales to make an informed decision. Multiply this decision across thousands of items and it becomes clear why so many retailers are exploring their options in better understanding customer demand metrics with advanced technology solutions.
Transparency in understanding the impacts of omnichannel behavior on demand and the consequential inventory adjustments on the overall allocation needed is the first step for many retailers. Omnichannel represents an array of potential interaction points between the consumer and the retailer including researching, experiencing, buying and potentially returning the product. Understanding all of them while addressing the day-to-day needs of their shoppers is an area many retailers are racing to better address. At the same time, retailers need to assess whether their current allocation and replenishment model is adaptable and responsive enough to address customer behavior across channels, which highlights the need to make additional investments to better support those views. Even established retailers with a significant amount of channel-related experience can underestimate how different and difficult it is to efficiently and profitably fill orders from any location or channel without impacting other parts of their business model. There is no doubt that omnichannel is driving the need for more sophisticated allocation and replenishment strategies to successfully marry the customer’s brand experience with supply chain efficiency to fully maximize the retailer’s inventory investment.
As retailers significantly ramp up their investments in managing the brand experience and managing the touch points with their customers as closely as possible, they are thinking more and more about specific ways to recoup those investments. For many, the key is monetizing that investment by ensuring they can profitably fill orders through an accurate and responsive view of allocation and replenishment. Fundamentally, retailers who can successfully aggregate their present and future demand with their inventory are poised to take advantage of a number of unique opportunities for a redefined level of success.
Scott Aubitz is the CMO and VP of product strategy for Minneapolis-based Quantum Retail. Quantum offers the retail industry solutions for understanding product demand based on consumer behavior and turning that understanding into actionable results. Quantum Retail’s Allocation, Replenishment and Order Planning solutions increase profitability by helping merchants to be more responsive and by supporting their Multichannel and International objectives easily and accurately. For more information, go to http://quantumretail.com/home2.
Michaels emerges largely unscathed by data breach
Michaels assured customers a previously disclosed data security issue had been fully contained and raised the disconcerting prospect that it is only possible to make such a claim after a breach has been detected.
The company said in January that it learned of possible fraudulent activity on some U.S. payment cards that had been used at its stores. An extensive investigation ensued that involved two independent security firms who, along with the company, worked closely with law enforcement authorities, banks and payment processors to determine what happened.
What happened was that criminals, using highly sophisticated malware that Michaels said the security firms it retained had not previously encountered, managed to breach its systems and potentially impact 3 million payment cards used at its Michaels and Aaron Brothers stores. The company operates more than 1,135 Michaels stores in 49 states and Canada and 119 Aaron Brothers stores in 9 states.
The investigation determined that the attacks at Michaels stores targeted a limited portion of point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. The analysis conducted by the security firms and the company revealed approximately 2.6 million cards may have been impacted, representing about 7% of payment cards used at Michaels stores in the U.S. during the period of time when the attacks occurred. At the company’s Aaron Brothers stores, an estimated 400,000 cards were potentially affected between June 26, 2013 and February 27, 2014.
“Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused. We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services,” said Michaels CEO Chuck Rubin. “Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers. In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”
With the issue now said to be fully contained and no longer a threat, the disconcerting issue for Michaels and really every retailer is that it took Michaels almost nine months to discover cyber criminals had breached its systems. The good news, if it can be called that, is that the bad guys apparently did little damage. According to Michaels, the affected systems contained certain payment card information, such as card numbers and expiration date, about both Michaels and Aaron Brothers customers, but there was no evidence that other customer personal information, such as name, address or PIN, was at risk. In addition, the company said it had received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.