The Silver Lining of Recent Data Breaches
Retailers have always experienced a tension between investing to grow and investing to improve security. Not surprisingly, we’ve seen vulnerabilities arise when marketing and sales initiatives have trumped less sexy initiatives around security. In 2013, 61 million people had their personal data stolen from Target. One year later, 56 million credit and debit card numbers were exposed in Home Depot’s breach.
The good news is there’s reason to be hopeful. Recent developments in retail technology mean that growth and security initiatives no longer need to be mutually exclusive. You can have the best of both.
Resource Tradeoffs That Leave Retailers Vulnerable
Without a doubt, recent data breaches caused financial and reputational damage to the retailers involved. But how did they happen, and what are the common resource tradeoffs that make retail environments so vulnerable?
Here are some of the tradeoffs:
- Legacy Systems: Most modern retailers are hamstrung by legacy hardware and software that optimize for high reliability. These inflexible environments make it difficult to deploy new security features. Necessary upgrades are often too burdensome to implement, leaving massive holes for hackers.
- Open Networks: Historically, many retailers created isolated networks for their POS devices to keep payment data secure. However, evolving business needs — surfacing local inventory online, providing in-store WiFi, or even monitoring heating / cooling of POS (Target’s case) — require access to store networks. The push to quickly deliver these features often leaves the POS vulnerable. Open networks coupled with modern malware frameworks (BlackPOS, ChewBacca and Backoff) enable cyber thieves to gain access and design attacks specifically targeted at the POS.
- Unencrypted Data: Even though modern PIN pads support point-to-point encryption (P2PE), the challenge of making any change in a legacy environment means that most retailers haven’t enabled encryption — payment card data is still transmitted ‘in the clear.’ Further, because today’s PCI standards don’t require P2PE, many retailers have a false sense of security that they are safe. In fact, without encryption, open networks create an opportunity for a significant, large-scale attack.
What Is the Silver Lining?
In light of recent breaches, security is finally getting the attention and prioritization that it deserves. At the same time, developments in retail technology not only address security concerns, but also create new marketing opportunities. As a result, improving in-store security no longer has to mean diverting resources away from other initiatives.
Technologies like P2PE, EMV (Europay, MasterCard and Visa) and mobile payments provide the ingredients to secure in-store shopping, and modern PIN pads have the capability to enable all of these security enhancements.
Also, large touch-screens on new PIN pads provide a chance to engage customers and improve the in-store experience, creating a win-win for the entire business. These elements combine to create more secure transactions and high-touch customer engagement.
Secure Cards / EMV
EMV cards look like traditional cards, but have a microchip that makes them much harder to compromise and counterfeit.
In addition, EMV ensures a secure physical interaction between the card and the reader. On Oct. 1, “Chip & Signature” became the standard for payment in the U.S. followed by “Chip & PIN”. An EMV card contains PIN information known only to the cardholder, enabling a special one-time-use security transaction code or "cryptogram" that only works when the actual card is present.
Secure Data / P2PE
But EMV only solves part of the problem. When any payment card is used upon checkout, the information is sent in plaintext over interconnected networks that can expose that data. The solution here? Point-to-point encryption that secures cardholder data in transit — from the moment it enters a PIN pad until it reaches the payment processor.
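One check a security team can run while rolling out P2PE, shown here as an added example that is not part of the original article: scan sampled POS-to-processor payloads for card data that is still in the clear. The payloads, the JSON field names and the test card numbers are constructed for illustration.

```python
import re

# Track 2 magnetic-stripe layout: ;PAN=expiry(4) service code(3) discretionary ?
TRACK2 = re.compile(rb";(\d{13,19})=\d{7,}\?")
# Bare PAN candidate: 13-19 digits that are not part of a longer digit run.
BARE_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits so findings are safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_card_data(payload: bytes) -> list:
    """Return (kind, masked PAN) for each cleartext card number in payload."""
    findings, seen = [], set()
    for kind, pattern in (("track2", TRACK2), ("pan", BARE_PAN)):
        for m in pattern.finditer(payload):
            pan = m.group(1).decode()
            if pan not in seen and luhn_ok(pan):
                seen.add(pan)
                findings.append((kind, mask(pan)))
    return findings

# Constructed sample payloads (industry test card numbers, not real traffic).
SAMPLES = {
    "legacy_swipe": b"TXN=0042;4111111111111111=2512101123?AMT=12.00",
    "legacy_json": b'{"card":"5555555555554444","order":"1234567890123456"}',
    "p2pe": b'{"ksn":"FFFF9876543210E00001","enc":"A1C4E9B27F03D5886BE2419C"}',
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, find_cleartext_card_data(payload))
```

An empty result for a lane that has been migrated to P2PE is the expected outcome; any finding on that lane means card data is still leaving the PIN pad unencrypted.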
Mobile wallets like Apple Pay and Android Pay not only provide exciting new customer experiences but were designed from the ground up to enhance security with thumbprint authentication, card tokens and dynamic card data. Another win-win.
Modern PIN pads offer a critical marketing touchpoint and unique opportunity to engage with customers in an innovative, branded and personalized way. The touch-screen displays incorporated into the latest devices from Verifone and Ingenico allow for onscreen branded marketing, seamless email capture, and a streamlined checkout experience.
As we all know, there’s no silver bullet in data security. Understanding your unique vulnerabilities, and developing a strategy to address them, is the only way to stay out of an attacker’s crosshairs — and out of the headlines. Attackers are continuously trying to find new ways to infiltrate retailer networks and steal from customers. However, you do have the power to make your stores a significantly less attractive target by learning from recent data breaches and taking a comprehensive approach to security.
This moment of transition and resource allocation presents an opportunity for every retail organization — an opportunity not only to protect customer data, but to holistically improve the in-store experience. As you deploy modern PIN pads, strong cross-functional coordination can unlock the potential of these devices.
Alignment across security, technology and marketing departments makes it possible to deploy a solution that not only protects customers when they transact, but engages them and deepens their connection to your brand.
Marc Freed-Finnegan is co-founder & CEO of Index. He can be reached at [email protected]. Jonathan Wall is co-founder & CTO of Index. He can be reached at [email protected]. Index brings the personalization and measurement of online commerce to the offline world for enterprise scale retailers.
Kurt Salmon adds digital tech agency
Global management consultancy Kurt Salmon is acquiring digital retail technology agency Mobispoke LLC, the engine behind such technologies as smart fitting rooms, integrated mobile apps and other leading-edge, interactive shopping experience technologies.
Following the acquisition, Mobispoke will rebrand as Kurt Salmon Digital and will operate as a wholly owned subsidiary of Kurt Salmon.
The acquisition evolved from a longstanding relationship during which Kurt Salmon and Mobispoke have helped such leading national retailers as Bloomingdale’s, Dick’s Sporting Goods and Puma integrate and personalize consumers’ physical and digital customer experiences across the Web, mobile, social channels, and brick-and-mortar locations.
“Bringing Mobispoke’s cutting-edge digital capabilities in-house under the Kurt Salmon brand continues our drive to help clients best implement the innovative technologies that are the future of omnichannel retail,” said Brooks Kitchel, managing partner for North America and the Global Retail and Consumer Group at Kurt Salmon. “This strategic acquisition opens up some really exciting avenues to push the envelope and develop new technologies and transformative strategies that will help us secure success for what’s next for our clients.”
Lowe’s helps communities devastated by flooding
Lowe's is coming to the aid of the communities it serves with a donation to help provide relief in the wake of massive flooding in the Southeast.
The retailer plans to donate $500,000 to American Red Cross Disaster Relief and work to provide both immediate and long-term support to local communities in the Southeast.
"Our thoughts are with the thousands of residents, including Lowe's employees, who've been affected by the widespread flooding," said Joan Higginbotham, Lowe's director of community relations. "Our Lowe's Heroes are standing by to assist and will be lending a hand to help with recovery and rebuilding efforts."
The donation to the Red Cross will help provide food, shelter and comfort to those impacted by this weekend's historic rainfall. In addition, Lowe's has activated its American Red Cross customer donation program in all 161 stores in the Carolinas to provide a convenient place for customers to make a donation. People can also make a contribution online via the Lowe's American Red Cross Online Donation Site.
Lowe's has shipped truckloads of emergency supplies to the affected area, and Lowe's stores and national disaster relief partner, the First Response Team of America, have also been assisting with relief efforts.
As a member of the Red Cross' Annual Disaster Giving Program, Lowe's pledges donations on an ongoing basis in advance of disasters to help ensure the Red Cross can take immediate action. Individuals can team with Lowe's and the American Red Cross to provide assistance by donating at Lowe's American Red Cross Online Donation Site, by texting the word REDCROSS to 90999 or calling 1-800-RED CROSS (1-800-733-2767).
Since partnering with the Red Cross in 1999, Lowe's and its customers have contributed more than $25 million for disaster relief.