Tom Litchford is former vice president of retail technology at the National Retail Federation, where he led and managed NRF’s technology leadership community, including the CIO Council and the IT Security Council. Here, Litchford speaks with STORES magazine contributing editor David P. Schulz about current cybersecurity issues in retailing.
Attention is again focused on protecting consumer data and, by extension, payment security. How has the implementation of the Europay Mastercard Visa technology been progressing in the retail industry and what have the early assessments been?
Just to clarify, there is a significant difference between a data breach that has payment card data stolen, and one that has personally identifiable information data stolen. From a consumer perspective, the first is a nuisance and the other has potential serious consequences. The loss of name, address, Social Security number and in some cases driver’s license poses a very serious identity theft issue for consumers that can cause financial problems when getting a loan or new credit card, or even being wanted for a crime.
Specific to EMV, or chip cards — they were designed to protect against two things, and only two things: lost or stolen cards and use of counterfeit cards in physical stores. EMV does nothing to actually protect the card number itself, so in theory, EMV card numbers stolen in a data breach can still be used, for example, to make online purchases. In fact, I’ve seen statistics that indicate over 60 percent of the stolen card numbers for sale on the “dark web” are EMV, or chip-enabled cards!
To truly curtail the usefulness or monetization of stolen credit card numbers to the bad actors, the financial issuers should have PIN-enabled the cards, just like debit cards are — which of course they’ve chosen not to.
Finally, while the retail industry has done a good job of implementing the required technology to accept EMV cards — at great expense — there are some still waiting for certification from the financial industry before they can turn that capability on. Hence, you will see hardware at the stores ready to go but a sign saying, “Please swipe.”
Further, many retailers, knowing that EMV is really not the answer to the problem and that protecting their customers’ data is imperative, have opted to implement point-to-point encryption, which encrypts the payment data from the time it’s swiped or dipped to the time it gets to the financial processor. This totally eliminates the payment card “threat surface.”
As you mentioned, there is more than EMV technology to protecting customer information, including point-to-point encryption. What are some of the things retailers are doing with multi-factor authentication and other defenses to keep their networks strong?
Many retailers have opted to implement P2PE for the transaction authorization process. In fact, in our last survey of the NRF CIO Council, it was over 90 percent. Corresponding to P2PE, on the back end they use a technology called tokenization, which replaces the real card number with a token, or random number. With tokenization, payment card data retained at the retailer for use in returns, for example, is then also rendered useless if stolen.
With P2PE and tokenization technologies, retailers have effectively removed the payment card threat surface, but that doesn’t address other sensitive corporate data. Hence, many are now looking at multi-factor authentication. Considering the majority of retailer breaches originated with a credential-stealing phishing email, and many are at their third-party suppliers, multi-factor analysis is an effective tool to try and eliminate that threat surface.
With multi-factor analysis, in addition to your normal user name and password to log on to a system, you must also provide something you have in your possession like a token number or an SMS one-time use code. Similar to P2PE, the bad actors can steal a user’s credentials, but they won’t have the token or SMS code. So I think you’ll see retailers aggressively implementing multi-factor analysis first to their third-party suppliers, then to their privileged users, then to all employees and eventually to customers using their websites.
With retailers operating in so many locations and with so many employees spread throughout the chain, how are retailers training and educating new associates on policies and procedures regarding payment card security specifically and customer data in general?
There is a strong emphasis on educating employees about phishing emails. The NRF Retail Information Sharing and Analysis Organization and its corresponding Threat Alert System pushes about 12-15 cyber alerts per day, and I would surmise that 90 percent of them pertain to malicious phishing emails.
In a recent study on payment security, Verizon found a high degree of correlation between payment card security and retailers’ ability to defend against cyberattacks. How does strengthening payment card security help strengthen a company’s capability to fight cyberattacks?
I think the reference here is specific to Payment Card Industry Data Security Standards Council regulations, which were designed specifically to better secure payment data. While PCI provides a strong security foundation, there is much more to a retailer’s cyber defense program than that. I think you’re seeing a lot more investment around monitoring, detecting and mitigating a cyber breach as opposed to just perimeter defenses. Again, this isn’t just about protecting payment data, but all corporate sensitive data such as human resource records, financial data, acquisition plans, etc.
Though not necessarily related to payment card security, ransomware attacks, sophisticated phishing incidents and pretexting have been increasing over the last year. What are retailers doing to combat these types of cyberattacks?
Malicious phishing emails are the number one tool used by cyber criminals because, well, they work. And as you mentioned, they’re getting more sophisticated — these aren’t emails from princes in Nairobi. They look like emails from your CEO, or a resume from a job seeker.
Teaching employees to have a healthy skepticism is critical. Kind of like the physical security signs you see everywhere now — if you see something, say something. If you get something you didn’t go looking for, don’t click on anything! And share it with your cybersecurity team, who can then share back to the Retail ISAO. From there we can analyze it and provide appropriate alerts back to all retailers, collectively protecting the whole industry.
Is there a point where spending more time and money on data security generates diminishing returns by taking resources away from the business side of retailing, i.e., selling goods?
I believe the question isn’t about spending on cybersecurity as much as the business risk you’re taking implementing technologies to drive innovation and the customer experience. Then you spend appropriately on the security required to protect the data associated with those investments.
As retailers lock down and continue to reduce more and more of their cyber threat surface, the bad actors — being generally lazy — will move on to easier and greener pastures.
David P. Schulz has been writing for STORES since 1982 and is the author of several non-fiction books.