BreachExchange mailing list archives
Security Breaches Trigger Retail’s Big Players to Call for Major Tech Changes
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Sep 2014 19:50:54 -0600
http://blogs.wsj.com/cio/2014/09/05/security-breaches-trigger-retails-big-players-to-call-for-major-tech-changes/ The possible credit card breach at Home Depot Inc. prompted the retailer to speed up its implementation of chip-reading credit card terminals. Major credit card companies, too, have announced they will accelerate efforts to bolster electronic payments security and protect sensitive customer data. These moves could have a large impact on consumer confidence, which has suffered as a spate of cyberattacks hit major companies. But for retailers especially, the implementation of the new systems will take time, and are not a panacea for a company’s security risks. Home Depot CEO Frank Blake told investors Thursday that the retailer would activate chip-reading technology on its new credit-card terminals by the end of this year. He said the company is “working around the clock” to find a breach linked to stolen credit and debit cards,” the WSJ’s Shelly Banjo writes, but stopped short of confirming an actual breach occurred. Following its own massive cyberattack, Target Corp., too, is speeding up the implementation of smart card technology, with plans to equip its proprietary REDcards and all of its card readers with chip-enabled technology by the first quarter of next year. Separately, credit card companies are also ramping up security efforts. Visa Inc. and MasterCard Inc. said they are rolling out “tokenization” technology that replaces sensitive cardholder information with a unique series of numbers used to identify customers. That move stands to cut significantly the amount of valuable information available to a hacker, writes the WSJ’s Robin Sidel. As big players move to speed support for chip-enabled card technology, some peers could be pressured to do the same. The widely cited deadline for implementation of the EMV standard—short for Europay, MasterCard and Visa– is October 2015, at which point liability for fraud will shift to whichever party has the lesser technology. That means a merchant with traditional magnetic stripe card readers could be held liable if a customer is using a chip-enabled card. “Home Depot is making a very prudent move,” said Andras Cser, an analyst with Forrester Research Inc. Still, companies typically roll out EMV “either if they have been burnt by a breach or if they have had an audit finding” that indicates they are no longer PCI compliant, he said. “It’s only very rarely that retailers do this out of precaution.” As CIO Journal has noted, some retailers haven’t been able to justify making the switch to new card readers because the return on investment isn’t clear. In some cases, the cost of replacing existing systems is greater than the liability for fraud. On the issuers’ side, there is also the matter of getting chip-enabled cards into the hands of customers. Americans carry fewer than 50 million chip cards, the WSJ noted last month. But those who haven’t gotten a jump start on the transition may already be falling behind. The process of updating and certifying back-end systems to accept the new cards, as well as the time it takes for issuers to get chip-enabled cards to customers, could take a year or more. In March, Lee Jurgens, chairman of the board for payments trade group Merchant Advisory Group, said “it’s going to be an unbelievable race for merchants to get this done by October 2015.” Many countries already use EMV technology, but adoption is slower in the United States. “The number and frequency of the breaches and the fact that big guys are going to push this out will accelerate the overall market,” says Stuart Taylor, VP of payment solutions at Equinox Payments, which sells payments systems. The breaches may also be leading potential customers to shore up more funds for EMV rollout than they previously would have. Rolling out EMV technology in brick-and-mortar stores is a step in the right direction, but it won’t solve the entire security problem. While it can significantly reduce fraud, it doesn’t yet take into account online transactions, and may not help companies identify larger threats to their point-of-sale systems. “If the security budget they need to spend to prevent someone overtaking POS is spent on chip and PIN, we still have a problem,” said Peter Firstbrook, an analyst at Gartner Inc. Still, a proactive move to adopt more secure technology can help to rebuild consumer trust in a brand that’s been hit by a potential breach. “I’m not sure we understand completely the dollar value of the fraud, but the consumer confidence and brand damage are big,” Mr. Taylor said.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
Current thread:
- Security Breaches Trigger Retail’s Big Players to Call for Major Tech Changes Audrey McNeil (Sep 16)