Taking the Blame — and the Lead — to Unite Against Data Breaches
By Erin Nealy Cox, Stroz Friedberg
Ever since the major retailer breaches last year, outsiders have been pointing fingers at the victim merchants, demanding to know how something like this could happen. But cyber risk in the payment card industry is a problem greater than any one company. While there is much a retailer can do to secure its network, comprehensively mitigating this ever-present risk requires the participation and partnership of every party that either touches retailer networks or produces the sensitive payment information that retailers are obligated to keep safe.
I’ve been fighting cyber crime for many years, and I know from experience that hackers are highly motivated opportunists. They will run toward the biggest prize through the easiest door every time, and if they look hard enough, there is often a door they can pry open. Over the years, as technology has evolved, so have the hackers. A few years ago, attackers were “sniffing” credit card traffic off retailer networks. To quash this, retailers encrypted the internal payment networks through which card data flows. Hackers then shifted their attack to the point-of-sale terminals themselves, scraping card data from memory, where it is handled in the clear before being encrypted for transmission. Moreover, as hackers have proven time and again, if a retailer is hard to exploit, they will simply come in through the weaker networks of its third-party vendors.
However, the war against payment card cybercrime can’t be won by isolated battles in retailer IT departments, and there is no single weapon that will end it. Rather, success requires retail industry leaders to work with multiple parties to holistically bolster their protections. The most important of these groups are the financial services industry, other retail companies, their third-party vendors, and every single one of their employees. Retailers must galvanize these disparate groups to fight together toward this cause.
A clear priority for retailers should be encouraging the financial industry to require PINs instead of signatures with the chip-card technology that retailers must install by the October 2015 deadline set by MasterCard and Visa. The practical downside of chip cards that require only a signature is that they strengthen the security of in-store transactions alone. Online retail sales, positioned to bring in nearly $300 billion in 2014 according to Forrester Research, would still sit unsecured. A PIN required for both in-store and online transactions would protect both arenas of commerce.
It’s important to note that this step-up in security isn’t only up to the retailers. Even if every retailer installed chip-and-PIN systems and e-commerce operations put secure payment portals in place, the investment would be wasted unless banks required the use of PINs and were willing to forgo the higher interchange fee. The new partnership formed by major finance and retail associations, announced in February, could be a valuable opportunity for the sectors to work together toward this objective. But even if they get there, a ubiquitous chip-and-PIN card system is not a panacea. As noted, hackers are a nimble enemy.
Another important aspect of fighting this adversary will be the willingness of retailers to share information, even with their biggest competitors. Rapidly sharing intelligence across the industry about malware, malicious IP addresses, and new methods of attack is critical. Such alerts are not the same as broadcasting that you’ve been breached; they tell other retailers about identified threats so that they can look out for them as well. There is an existing system and precedent for this type of sharing: Information Sharing and Analysis Centers, known as ISACs. ISACs are entities established by the companies in a sector to provide reliable and accurate information and analysis to that sector and, at times, to other sectors and the government. Common hacker targets like the electricity industry, the financial services sector, and healthcare infrastructure have their own ISACs, and the retail industry is already considering forming one. It’s time for retailers to have one, too.
Retailers also need to focus on their own expansive network of third-party vendors and on their own employees to secure against unwanted intrusions. A retailer’s defense is only as strong as its weakest link. Retailers must vet and manage their outside partners to make sure those partners keep their access credentials and their own networks secure, and should limit what each vendor’s credentials can reach inside the retailer’s network. Employees of all kinds must be trained to recognize spearphishing emails, and policies should prohibit them from downloading new software onto their workstations, since it can be hard to differentiate between safe and unsafe applications.
Partnerships with outside security consultants can also be valuable. External experts can audit existing security processes; identify exposure points in the digital network and physical footprint that may have been overlooked; and at the least, challenge and broaden the internal team’s perspective on cybercrime defense.
Retailers, a constant target of financially motivated hackers, must work tirelessly to mitigate the risk of data breaches, not only to protect themselves from massive fines, lawsuits, congressional inquiries, and a firestorm of blame, but to help protect the payment card industry as a whole. In the best circumstance, a retailer’s security program would incorporate reputable technologies, diligent and well-trained employees, and security-focused partnerships with financial services firms, third-party vendors, other retailers and, when necessary, cyber security investigative firms. Unfortunately, merchants, positioned to take the fall, may need to be the ones to courageously stand up first and lead the change that benefits all. A lot to ask of a victim, don’t you think?
Erin Nealy Cox, executive managing director, Stroz Friedberg, a global investigations, intelligence and risk management firm. She can be reached at [email protected].
Kelly Osbourne gives style advice to pets
Television show host, actress and fashion designer Kelly Osbourne is spotting trends for PetSmart and its new line of creative grooming services, Pet Expressions, and is joining the specialty retailer’s omnichannel campaign.
The PetSmart salon touts its temporary, pet-safe chalking, stenciling and feathering services to dogs of all shapes and sizes.
“I’m known for holding nothing back when it comes to my style and my opinion, and I love extending that critical eye to fashion for my three beloved dogs,” said Osbourne, who is a pet parent to Willy, Story and Sidney. “Each of my dogs has its own personality, and PetSmart’s Pet Expressions helps them stand out and steal the spotlight.”
“Grooming is essential to a pet’s health and happiness, and Pet Expressions brings color and personality to the process,” said Anne Dament, PetSmart’s VP of services. “Kelly’s eye for style and love of dogs make her the perfect partner to share Pet Expressions’ fun and fabulous grooming options with pet parents and their dogs.”
PetSmart is the largest specialty pet retailer in North America with products and services for every type of pet.
Primark to make U.S. retail debut with store in Boston
Dublin, Ireland – Discount fast-fashion retailer Primark, the Dublin-based subsidiary of U.K. retail and consumer group Associated British Foods, plans to enter the United States, opening a location in Boston. The 70,000-sq.-ft. store will open at the end of 2015 and be on the site of the former Filene’s department store in the city’s downtown area.
In recent years, Primark has emerged as one of the fastest-growing retailers in western Europe. It has more than 270 stores in nine countries, including Spain, Portugal, Germany, France and the Netherlands.
Primark is in negotiations to open more stores in the Northeastern part of the United States through to the middle of 2016, according to reports.