BreachExchange mailing list archives

U.S. retailers turn to security industry for help


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 7 Feb 2014 12:55:05 -0700

http://www.stltoday.com/business/local/u-s-retailers-turn-to-security-industry-for-help/article_9933b061-bedf-54f7-a001-39b9ef66c5a7.html

VeriFone Systems, EMC's RSA and Ingenico are poised for a gain in sales as
U.S. retailers turn to makers of payment terminals and security software
for help shoring up their anti-hacking defenses.

Ever since Target disclosed in December that hackers stole financial data
from 40 million customer accounts, companies as disparate as casinos,
grocers and luxury-goods stores have requested help to make customer data
more secure, say payment technology executives. Interest surged anew when
Neiman Marcus said it too had been hit and Michaels Stores also reported
its customer data may have been compromised. Concerns over consumer data
are taking center stage again this week as Target and Neiman Marcus
executives began testifying before Congress.

VeriFone's revenue from point-of-sale hardware bought by big retailers in
North America will surge 15 percent this year starting in April, estimates
Wayne Johnson, an analyst at Raymond James & Associates. By the end of
2013, as many as 50 percent of U.S. retailers will have installed terminals
capable of handling more secure chip-based cards, Gil Luria, a Wedbush
Securities analyst, said in a note.

"This will get retailers to spend more on security, which is good for
VeriFone and Ingenico," Luria said in an interview. "These hacks will
encourage retailers to buy more new chip-enabled terminals."

For retailers, options include beefing up efforts to stave off phishing
attacks, accelerating a move to credit cards with chips embedded, rather
than magnetic strips, and encrypting data as it moves from checkout
terminals to remote servers.

Such purchases would indicate an increase in spending by U.S. chains, which
for years have invested far less than other industries on data security,
making them more vulnerable to attacks than retailers in Europe. The U.S.
accounts for almost half of $12.42 billion in annual global fraud losses on
payment cards, according to the Nilson Report, an industry newsletter in
Carpinteria, Calif.

Constrained by thin margins, U.S. retailers traditionally have focused
technology investments on building customer-friendly websites, among other
priorities, said Greg Buzek, president of IHL Group, a retail-technology
consulting firm based in Franklin, Tenn.

They also were aware that the impact of data breaches typically faded fast,
including one at TJX Cos. that affected more than 100 million people last
decade.

U.S. chains can shrug off data breaches no longer. Last month, the FBI
warned some retailers that attacks are on the rise, said Jenny Shearer, a
spokeswoman.

There is evidence that the attacks are spooking some consumers. While many
retailers struggled to lure shoppers this holiday season, Target said sales
at its U.S. unit were "meaningfully weaker" after disclosing the data theft.

John Mulligan, chief financial officer of the chain, apologized to U.S.
lawmakers at the hearing Tuesday for the data breach and said security will
be improved as Target speeds up implementation of chip-enabled card
technology.

"I want to reiterate how sorry we are that this has happened," Mulligan
said.

The chain also could face as much as $1.1 billion in payments to banks
related to the data breach, Jason Kupferberg, a Jefferies analyst, said in
a Jan. 29 report.

"All the large retailers are looking to ensure this doesn't happen to
them," said Thierry Denis, president of Ingenico North America, a French
maker of payment terminals. "Before they would have said, 'No, we don't
want to spend money on security.' Now they know they'd better spend more."

In the past couple of years, retailers have begun preparing for a switch
from cards with magnetic stripes to ones based on chips already widely used
in Europe. Holders of such cards typically enter passwords when making a
purchase, adding an extra layer of security.

Chains may now accelerate installations of EMV -- Europay, MasterCard and
Visa -- terminals, which work with chip-based cards, Luria said.

He expects the surge in the technology's adoption to increase VeriFone's
sales by $50 million in fiscal 2015, and another $50 million in fiscal
2016. That would add about 15 cents to VeriFone's earnings for each of
those years, Luria said in a Jan. 28 note.

Since Target disclosed the breach, shares of VeriFone have gained 21
percent. Ingenico has gained 9.7 percent while EMC is little changed. The
Standard & Poor's 500 Index has declined 3.1 percent in the period.

Industry analysts say chip-based cards wouldn't have stopped the hackers
from gaining access to Target customer data. In that case, the criminals
likely sneaked in after the cards were swiped and during the brief period
unencrypted data moved to the chain's servers, Kupferberg said in the
report.

Now retailers are shopping for software that encrypts data for the entire
payment process, according to Ingenico's Denis.

"Encryption may not have been at the forefront of discussions, as EMV was,"
he said. "Now they're asking about both."

So-called point-to-point encryption can cost "millions of dollars," said
Robert Sadowski, director of technology solutions for RSA, which is based
in Bedford, Massachusetts.

Those purchases may be approved now that retailers' executives and board
members are getting involved in overseeing the efforts to protect their
companies from breaches.

"There's more interest by the boardroom, more interest by the CEO, by the
CTO," said Tiffany Jones, senior vice president of client solutions for
iSight Partners, a Dallas-based data security firm.

Defenses against phishing attacks -- when criminals lure unsuspecting
shoppers to bogus sites that trick them into typing in their passwords --
are another top priority for retailers, according to Steve Ward, the
marketing chief at Invincea, a data-security company based in Fairfax, Va.

After the government issued a warning on Jan. 2 identifying phishing as a
big security risk, Invincea saw a spike in calls from what Ward calls a
who's-who of retailers.

"We've had seven or eight calls where they literally say, 'Can you come in
tomorrow?' " Ward said. "We've seen an insane flood of interest."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
