Retail's Data Security Challenge

As the number of data breaches mounts, retailers are fighting back with tighter security measures. Here's where companies are making progress and where they've stumbled.
Target's December 2013 data breach had huge implications. Frustrated customers, fearful of using their credit cards or sharing their data, shopped elsewhere, resulting in a 46 percent drop in earnings for that period compared to the same period in 2012.

The fallout from the Target breach shows how wary customers will stop doing business with retailers that don't take action to protect their data. As 2016 approaches, the question remains: What are organizations doing to protect, monitor, and reconcile their critical data?

In today's increasingly digital-first world, it's no surprise that cybercriminals are pursuing personal records that enable them to make purchases and/or sell information to other parties. Retailers are fighting back by closing gaps in their security measures, installing new point-of-sale systems, changing passwords, and more.

After Target's sales system was breached, for example, the retailer focused on making it more difficult for criminals to hack into its databases. Target opened a Cyber Fusion Center at its headquarters in Minneapolis that is designed to enable the security team to more easily and quickly collaborate and respond to issues. Launched in late 2014, the center houses security teams including a Cyber Security Incident Response team that monitors systems and networks, a Cyber Threat Intelligence team that analyzes trends and patterns in cyberspace, and a Security Testing Services team that evaluates new and existing technology to identify areas of concern.

Target is also in the process of reissuing its REDcard credit and debit cards with new chip-and-PIN features that make it more difficult for fraudsters to duplicate a physical card. Even if criminals get hold of the transaction code, it's worthless because the transaction code works only once. Although not required by law, retailers have been urged to start accepting the new cards by October 2015. Companies such as Best Buy, Lowe's, Macy's, Home Depot, and Old Navy have also installed chip-and-PIN card readers.

Many major retailers have taken "great strides" in securing their customers' data, observes Brian Dodge, EVP of communications and strategic initiatives at Retail Industry Leaders Association. However, efforts at implementing stronger data security have been "uneven" across the retail industry, he adds. Retailers have made a lot of progress in improving data security measures, "but there are limitations to what they can do alone," Dodge says.

A recent report by Javelin Strategy & Security predicts that universal adoption of chip technology, defined as 85 percent of merchants accepting chip cards, will take until 2019. Retailers have invested $8.6 billion in upgrading card terminals to accept the new chip-and-PIN cards; however, many other retailers are still waiting for the card processing networks, such as Visa and MasterCard, to provide the technical specifications of the readers as well as the certifications needed to turn on the new systems, Dodge explains.

"Even if retailers have installed the new card readers, they still need to be certified by the card networks in order to turn them on, and so they're waiting," Dodge says. And if a customer attempts to use a chip-enabled card at a retail location but is unable to, the merchant, not the credit card company, is responsible for any loss due to fraud. "It's an extremely frustrating situation," he adds. "Because during that time retailers are exposed to potential fraud penalties through no fault of their own."

Although it's important for retailers to be able to accept the new chip-and-PIN cards, it's not enough, observes John Pescatore, director of emerging security trends at SANS Institute, a private firm that specializes in information security and cybersecurity training. "The chip and PIN upgrade on POS terminals only helps when a card is present," Pescatore notes. "It won't prevent online fraud and criminals have many other ways to get in."

In addition to improving the security of credit and debit cards, companies should focus on "basic security hygiene" such as educating their employees on how to identify and avoid phishing attacks. "When you look at these data breaches, many have been enabled by a lack of simple security hygiene," Pescatore says. "For example, the OPM breach involved a phishing attack that was able to compromise millions of records."

In June, the Office of Personnel Management (OPM) learned that it had suffered a cybersecurity incident that exposed the personally identifiable information of many current and former federal employees. Soon after that, the U.S. Computer Emergency Readiness Team issued an alert warning of a second phishing scam that was using emails that appear to be from the OPM or the identity protection firm CSID, which OPM hired to help with the notifications.

"Educating employees in any industry on best practices for protecting data and regularly informing them of tactics that they should be wary of can do a lot in preventing a cyberattack or at least reduce its impact," Pescatore advises. "That also helps security experts focus on the more sophisticated attacks."

Companies, Pescatore adds, should also consider implementing stronger authentication measures such as two-factor authentication, which requires users to verify their identities with a combination of ID forms such as a PIN and a code that's sent to their email addresses or texted to their devices. However, some customers may balk at having to take numerous steps to complete a transaction. Acknowledging that customer convenience is critical, retailers are demanding other solutions that protect sensitive data without slowing down the transaction, Dodge says.
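The property that both the chip transaction code and the second-factor code rely on is that a code is accepted exactly once, and only for a short time. The following Python example, added here and not drawn from the article or from any vendor named in it, shows the server side of a texted or emailed one-time code: the service keeps only an HMAC of the code (so a database leak does not reveal live codes), compares in constant time, expires codes, caps guesses, and discards a code the moment it is accepted. The class name, the five-minute lifetime, the five-attempt cap, the demo secret and the user IDs are all constructed for illustration; delivery of the code to the phone or inbox is out of scope.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for the example; a real deployment tunes these.
CODE_TTL_SECONDS = 300   # code is valid for five minutes after issue
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    code_hash: bytes   # HMAC(server_secret, user_id:code); the code itself is never stored
    issued_at: float   # clock reading when the code was issued
    attempts: int = 0  # verification attempts seen so far


class OneTimeCodeService:
    """Issues and verifies single-use, time-limited numeric codes (hypothetical helper)."""

    def __init__(self, server_secret: bytes, ttl: int = CODE_TTL_SECONDS, clock=time.time):
        self._secret = server_secret
        self._ttl = ttl
        self._clock = clock          # injectable so tests can move time forward
        self._pending: dict[str, PendingCode] = {}

    def _digest(self, user_id: str, code: str) -> bytes:
        # Keyed hash binds the code to the user so a code for one account
        # cannot be replayed against another.
        return hmac.new(self._secret, f"{user_id}:{code}".encode(), "sha256").digest()

    def issue(self, user_id: str) -> str:
        """Generate a fresh 6-digit code; any earlier code for this user is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingCode(self._digest(user_id, code), self._clock())
        return code  # returned only so the caller can hand it to the SMS/email channel

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept the code at most once, within its lifetime and attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                          # nothing outstanding (or already used)
        if self._clock() - entry.issued_at > self._ttl:
            del self._pending[user_id]            # expired: discard so it cannot be retried
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]            # too many guesses: force a re-issue
            return False
        if hmac.compare_digest(self._digest(user_id, submitted), entry.code_hash):
            del self._pending[user_id]            # single use: the code is gone once accepted
            return True
        return False


class FakeClock:
    """Constructed clock so the demo can simulate expiry without sleeping."""

    def __init__(self, start: float = 1_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    """Walk through the cases a practitioner wants to see: wrong, right, replay, expiry, lockout."""
    clock = FakeClock()
    svc = OneTimeCodeService(b"constructed-demo-secret", clock=clock)
    results = {}

    code = svc.issue("alice")
    wrong_guess = "000000" if code != "000000" else "111111"
    results["wrong"] = svc.verify("alice", wrong_guess)      # False
    results["right"] = svc.verify("alice", code)             # True
    results["replay"] = svc.verify("alice", code)            # False: already consumed

    code2 = svc.issue("alice")
    clock.t += CODE_TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", code2)          # False: past the TTL

    code3 = svc.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", "wrong!")                        # six characters, can never match
    results["locked_out"] = svc.verify("alice", code3)       # False: attempt budget exhausted
    return results


if __name__ == "__main__":
    print(demo())
```

The expiry and attempt cap matter as much as the single-use rule: a 6-digit code has only a million possibilities, so an unbounded guess window would let an attacker who controls the login page brute-force it. Storing an HMAC rather than the code, and comparing with `hmac.compare_digest`, keeps a leaked table or a timing side channel from shortcutting that search.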

"Data encryption is another important investment for retailers," he says. "Encrypting cardholder data from the moment the customer swipes or enters their card information on a website is a powerful tool to protect information as it gets processed through any system. And so we're seeing retailers begin to invest in solutions that use data encryption methods as well."

It's also important to remember that brand trust is critical. Consumers understand the importance of guarding sensitive information, but they are willing to share it with companies they consider trustworthy. In fact, in a survey of more than 8,000 consumers, 75 percent said they are more willing to share various types of personal data with a brand they trust, reported Columbia Business School in a report sponsored by Aimia, a marketing and loyalty analytics company.

What makes a brand trustworthy? "Demonstrating that you're putting the customers' interests first by providing them with valuable offers and reliable service in exchange for their personal information is one of the ways that a brand can build trust," notes Matthew Quint, director of the Center on Global Brand Leadership at Columbia Business School and a co-author of the report.

For instance, even though the respondents reported the lowest comfort with how e-commerce companies handle their personal data in comparison to other industries like financial services, telecommunications, and airlines, the Amazon brand had such a strong positive impact that consumers gave it a 13 percentage point boost in their willingness to share PII with Amazon compared to other brands. "Amazon built its brand through customer experience, which we believe contributes to customer trust," says David Rogers, a member of the Executive Education faculty at Columbia Business School who co-authored the report with Quint.

But as data breaches grow, consumers are likely to become more protective of their data and so companies will have to work harder to gain their trust, Rogers adds. Giving consumers the choice of storing their payment information with a retailer or entering it each time they make a purchase, for example, gives consumers more control over their data and can help them feel more comfortable. "Being transparent about what you do with your customer's data and how you're keeping it safe is becoming more important than ever," Rogers notes.