The Silver Lining of Recent Data Breaches

10/7/2015

Retailers have always experienced a tension between investing to grow and investing to improve security. Not surprisingly, we’ve seen vulnerabilities arise when marketing and sales initiatives have trumped less sexy initiatives around security. In 2013, 61 million people had their personal data stolen from Target. One year later, 56 million credit and debit card numbers were exposed in Home Depot’s breach.



The good news is there’s reason to be hopeful. Recent developments in retail technology mean that growth and security initiatives no longer need to be mutually exclusive. You can have the best of both.



Resource Tradeoffs That Leave Retailers Vulnerable

Without a doubt, recent data breaches caused financial and reputational damage to the retailers involved. But how did they happen, and what are the common resource tradeoffs that make retail environments so vulnerable?



Here are some of the tradeoffs:




  • Legacy Systems: Most modern retailers are hamstrung by legacy hardware and software that optimize for high reliability. These inflexible environments make it difficult to deploy new security features. Necessary upgrades are often too burdensome to implement, leaving massive holes for hackers.





  • Open Networks: Historically, many retailers created isolated networks for their POS devices to keep payment data secure. However, evolving business needs — surfacing local inventory online, providing in-store WiFi, or even monitoring heating / cooling of POS (Target’s case) — require access to store networks. The push to quickly deliver these features often leaves the POS vulnerable. Open networks coupled with modern malware frameworks (BlackPOS, ChewBacca and Backoff) enable cyber thieves to gain access and design attacks specifically targeted at the POS.





  • Unencrypted Data: Even though modern PIN pads support point-to-point encryption (P2PE), the challenge of making any change in a legacy environment means that most retailers haven’t enabled encryption — payment card data is still transmitted ‘in the clear.’ Further, because today’s PCI standards don’t require P2PE, many retailers have a false sense of security that they are safe. In fact, without encryption, open networks create an opportunity for a significant, large-scale attack.


What Is the Silver Lining?

In light of recent breaches, security is finally getting the attention and prioritization that it deserves. At the same time, developments in retail technology not only address security concerns, but also create new marketing opportunities. As a result, improving in-store security no longer has to mean diverting resources away from other initiatives.



Technologies like P2PE, EMV (Europay, MasterCard and Visa) and mobile payments provide the ingredients to secure in-store shopping, and modern PIN pads have the capability to enable all of these security enhancements.



Also, large touch-screens on new PIN pads provide a chance to engage customers and improve the in-store experience, creating a win-win for the entire business. These elements combine to create more secure transactions and high-touch customer engagement.



Secure Cards / EMV

EMV cards look like traditional cards, but have a microchip that makes them much harder to compromise and counterfeit.



In addition, EMV ensures a secure physical interaction between the card and the reader. On Oct. 1, “Chip & Signature” became the standard for payment in the U.S. followed by “Chip & PIN”. An EMV card contains PIN information known only to the cardholder, enabling a special one-time-use security transaction code or "cryptogram" that only works when the actual card is present.



Secure Data / P2PE

But EMV only solves part of the problem. When any payment card is used upon checkout, the information is sent in plaintext over interconnected networks that can expose that data. The solution here? Point-to-point encryption that secures cardholder data in transit — from the moment it enters a PIN pad until it reaches the payment processor.



Mobile Payments

Mobile wallets like Apple Pay and Android Pay not only provide exciting new customer experiences but were designed from the ground up to enhance security with thumbprint authentication, card tokens and dynamic card data. Another win-win.



Onscreen Engagement

Modern PIN pads offer a critical marketing touchpoint and unique opportunity to engage with customers in an innovative, branded and personalized way. The touch-screen displays incorporated into the latest devices from Verifone and Ingenico allow for onscreen branded marketing, seamless email capture, and a streamlined checkout experience.



As we all know, there’s no silver bullet in data security. Understanding your unique vulnerabilities, and developing a strategy to address them, is the only way to stay out of an attacker’s crosshairs — and out of the headlines. Attackers are continuously trying to find new ways to infiltrate retailer networks and steal from customers. However, you do have the power to make your stores a significantly less attractive target by learning from recent data breaches and taking a comprehensive approach to security.



This moment of transition and resource allocation presents an opportunity for every retail organization — an opportunity not only to protect customer data, but to holistically improve the in-store experience. As you deploy modern PIN pads, strong cross-functional coordination can unlock the potential of these devices.



Alignment across security, technology and marketing departments makes it possible to deploy a solution that not only protects customers when they transact, but engages them and deepens their connection to your brand.






Marc Freed-Finnegan is co-founder & CEO of Index. He can be reached at [email protected]. Jonathan Wall is co-founder & CTO of Index. He can be reached at [email protected]. Index brings the personalization and measurement of online commerce to the offline world for enterprise-scale retailers.

