The Impact of Data Breaches on the Merchant Environment
The recent malware attacks at nationally known retailers have sent consumers scrambling to protect their credit and avoid identity theft. Merchants are taking action to keep their businesses from falling victim to hackers and wondering what the long-term consumer fallout may be. While the data breaches that occurred during the 2013 holiday season were certainly not the first or even the largest, they seem to have brought the payments industry to a tipping point. Consumers are demanding changes, and merchants are compelled to accommodate them.
Consumer response to merchant data breaches
It's too early to identify specific trends resulting from the recent incidents. However, after a decade of well-publicized hacking episodes, consumers have become knowledgeable and vigilant. They're monitoring their accounts for suspicious transactions, requesting replacement cards, changing PINs and reviewing their credit reports. Many consumers are reconsidering their methods of payment and giving thought to which merchants they support.
Consumer advisors have indicated that people who paid with credit cards during the data breach may have more protection than those who used debit cards. Credit cards offer greater fraud protection because card issuers generally absorb charges made on stolen credit card numbers, and no money leaves the cardholder's account while a dispute is pending. Debit card users can be responsible for up to $500 in fraud losses (and more if the fraud is not reported within 60 days of the statement), and the funds leave their checking account immediately. For this reason, merchants may notice more consumers paying with credit.
Consumers' fear of having their information stolen has caused many to cut back on payment cards and turn to cash as their primary payment method. For the three-month period ending Dec. 31, 2013, cash withdrawals reported by ATM operator Cardtronics went up 24.5 percent from the same period in 2012.
Securing your point of sale
The recent data breaches were perpetrated using malware which, according to news reports, was introduced through weaknesses inside the retailers' point-of-sale (POS) environments. Hackers stole login credentials from an outside vendor, used them to enter the retailers' systems, and installed malware designed to capture card data as it was read at the payment terminals and stage it on a server outside the network. This class of malware targets POS systems running outdated operating software, with remote-access ports left open and weak or default passwords. Once it is inside a merchant's POS, it quietly goes about its task, collecting and transmitting card data until the breach is discovered.
Proper adherence to the Payment Card Industry Data Security Standard (PCI DSS), which remains the baseline standard for protecting cardholder data, would have closed the openings these attacks depended on: weak or default passwords, remote access left open, outdated software, and unmonitored access to cardholder data. Following its 12 requirements, working with your acquiring bank and using the tools offered through the PCI Security Standards Council will help merchants protect cardholder data throughout each transaction. Compliance is an ongoing process, not a one-time audit: merchants must continuously assess their operations, fix any vulnerabilities they find, and validate their compliance to their acquiring bank and to each card brand with which they do business. The 12 requirements are:
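The card data this kind of malware collects is the contents of the magnetic stripe, which has a fixed layout (Track 1 begins "%B&lt;PAN&gt;^&lt;NAME&gt;^&lt;YYMM&gt;", Track 2 begins ";&lt;PAN&gt;=&lt;YYMM&gt;"). The same pattern match the malware uses to find that data is what a defender can run over a POS process memory image or a captured outbound buffer to detect it. The example below is added here and is not code from the article or from any retailer; the buffer, the terminal name and the record layout filled in after the expiry date are constructed, and the card numbers are the public Visa and Mastercard test numbers, not live cards. It validates each candidate with the Luhn check digit to drop random digit runs, and masks every PAN to the first six and last four digits before reporting it so that the scan's own output does not become another copy of cardholder data.

```python
import re
from typing import Dict, List

# Constructed sample (not real captured data): a slice of a POS process memory
# image or outbound buffer containing one Track 1 record, one Track 2 record,
# one Track-2-shaped sequence with a bad check digit, and unrelated bytes.
# The PANs are the public Visa/Mastercard test numbers, not live cards.
SAMPLE_BUFFER = (
    b"\x00\x00POS-TERM-07 idle\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    b"\x00\x00\xff\xfe noise \x00"
    b";5555555555554444=25121010000012300000?"
    b"\x00;4111111111111112=25121010000012300000?\x00"  # fails Luhn
    b"receipt printed\x00"
)

# Magnetic-stripe layouts: Track 1 is "%B<PAN>^<NAME>^<YYMM>...",
# Track 2 is ";<PAN>=<YYMM>...". A PAN is 13 to 19 digits.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check digit (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six and last four digits (PCI DSS requirement 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Find track-formatted card data in a byte buffer.

    Only candidates whose PAN passes Luhn are reported, which removes most
    false positives from arbitrary digit runs. The PAN is masked before it is
    returned so the finding itself does not hold full cardholder data.
    """
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue
            expiry = m.group(3) if track == 1 else m.group(2)
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry_yymm": expiry.decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_BUFFER):
        print(hit)
```

Run against a real memory dump or packet capture, any hit is a strong signal: track data in cleartext should not exist on a POS host outside the card reader's own handling, and should never appear in outbound traffic.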
- Install and maintain a firewall configuration to protect data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data and sensitive information across open public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Visit the PCI DSS website for more information.
The role of EMV® in preventing data breaches
Based on the nature of the recent attacks, EMV technology alone would not have prevented them: the card number and expiration date still pass through the POS, and malware there can still capture them. What EMV changes is what the stolen data is worth. A chip card computes a unique cryptogram for every transaction from a key that never leaves the chip, so a counterfeit card built from stolen data, the primary use of that data today, is rejected by an EMV-capable terminal and its issuer. EMV does nothing for card-not-present fraud, however; stolen numbers can still be used online, which is why the data must be protected in the first place.
The next big milestone in the U.S. EMV migration plan is October 2015, when liability for counterfeit-card fraud shifts to the merchant in cases where an EMV card is presented at a terminal that is not EMV-capable. Retailers that have experienced data breaches are planning to be ahead of this deadline, and all merchants are encouraged to begin their EMV migration plans sooner rather than later.
Any step you take to tighten your POS environment makes it a less attractive target. Hackers generally seek the path of least resistance, so cover all your bases by following the 12 PCI DSS requirements in their entirety rather than a convenient subset. Good business sense dictates that prevention is far better than dealing with the consequences of a data breach.
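Why a counterfeit card built from stolen data fails at an EMV terminal is easiest to see in code. The example below is added here and is not part of the article or of any card scheme's software; it is a deliberately simplified model of the EMV online cryptogram (ARQC), not the EMV specification. Real cards derive 3DES or AES session keys and compute an ISO 9797-1 MAC over a longer list of transaction fields; HMAC-SHA256 stands in for those primitives, and the key, PAN, counter values and amounts are constructed. What the model keeps is the structure that matters: the card's master key lives only on the chip and at the issuer, every cryptogram covers an amount and a number the terminal picks fresh, and the issuer refuses a transaction counter it has already seen.

```python
import hashlib
import hmac

# Simplified model of the EMV online cryptogram (ARQC): an assumption for
# illustration, not the EMV specification. HMAC-SHA256 stands in for the
# 3DES/AES session-key derivation and ISO 9797-1 MAC that real cards use.


def derive_session_key(master_key: bytes, pan: str, atc: int) -> bytes:
    """Session key bound to one card and one Application Transaction Counter (ATC) value."""
    return hmac.new(master_key, f"{pan}|{atc:04x}".encode(), hashlib.sha256).digest()


def transaction_data(amount_cents: int, unpredictable_number: int, atc: int) -> bytes:
    """Terminal-supplied data the cryptogram covers (a subset of the real CDOL1 fields)."""
    return f"{amount_cents:012d}|{unpredictable_number:08x}|{atc:04x}".encode()


def card_generate_arqc(master_key: bytes, pan: str, atc: int,
                       amount_cents: int, unpredictable_number: int) -> bytes:
    """Runs inside the chip. The master key never leaves the card, so the PAN and
    expiry that POS malware can capture are not enough to call this function."""
    sk = derive_session_key(master_key, pan, atc)
    msg = transaction_data(amount_cents, unpredictable_number, atc)
    return hmac.new(sk, msg, hashlib.sha256).digest()[:8]


def issuer_verify_arqc(master_key: bytes, pan: str, atc: int, amount_cents: int,
                       unpredictable_number: int, arqc: bytes, last_seen_atc: int) -> bool:
    """Issuer-side check: reject a reused counter (replay) and any cryptogram that
    does not match the amount and the terminal's fresh unpredictable number."""
    if atc <= last_seen_atc:
        return False
    expected = card_generate_arqc(master_key, pan, atc, amount_cents, unpredictable_number)
    return hmac.compare_digest(expected, arqc)


def demo() -> dict:
    """Constructed scenario: one genuine purchase, then two attempts using data stolen from it."""
    master_key = bytes(range(16))      # constructed per-card key, known only to chip and issuer
    pan = "4111111111111111"           # public test PAN, not a live card
    # Genuine purchase. The terminal picks a fresh unpredictable number (fixed here for determinism).
    arqc = card_generate_arqc(master_key, pan, atc=7, amount_cents=2599, unpredictable_number=0x1234ABCD)
    genuine = issuer_verify_arqc(master_key, pan, 7, 2599, 0x1234ABCD, arqc, last_seen_atc=6)
    # Attacker captured PAN, expiry and this ARQC at the POS and clones them onto a counterfeit card.
    # At another terminal the unpredictable number differs and the clone has no chip key.
    replay_new_terminal = issuer_verify_arqc(master_key, pan, 8, 2599, 0x0BADF00D, arqc, last_seen_atc=7)
    # Replaying the exact same terminal data also fails: the ATC was already consumed.
    replay_same_data = issuer_verify_arqc(master_key, pan, 7, 2599, 0x1234ABCD, arqc, last_seen_atc=7)
    return {"genuine": genuine,
            "replay_new_terminal": replay_new_terminal,
            "replay_same_data": replay_same_data}


if __name__ == "__main__":
    print(demo())
```

The same stolen PAN and expiry would still authorize a card-not-present purchase, where no cryptogram is requested, which is the gap the EMV liability shift does not cover.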