Macy’s breach forces same reckoning as Target hack

Register now

The online data breach Macy’s disclosed this week is reminiscent of Target's massive point-of-sale breach from 2013. And it raises the same question in its aftermath: Could it have been thwarted by a new security technology championed by the card brands?

Much as the Target breach forced many retailers to address the need for EMV chip-card security, the Macy's breach spotlights the use case for Secure Remote Commerce (SRC), which the card networks released in October as "click to pay."

SRC adds protections which, experts say, could blunt the effect of the card-skimming "Magecart" attack that affected Macy's.

Macy’s this month began notifying consumers that hackers injected the card-skimming script into parts of the checkout and wallet pages of the retailer’s website, exposing customer data including names, physical and email addresses and payment card details including card security codes and expiration dates. The breach lasted about a week; the New York-based retailer learned of the attack Oct. 15 and removed it the same day.

Experts say SRC could likely have protected against such malicious code. SRC asks consumers to enroll through a bank app or website. Thereafter, if a consumer wants to use SRC to pay on a new device, they go through an email authentication process and can choose to trust that device for future payments. It can then function as a guest checkout, providing an alternative to retyping their payment and shipping information to create a new account with each merchant.

“SRC would have prevented the breach for those cards that travel the SRC path, since the card data would have been entered on a site that was not affected by the Magecart script,” said Julie Conroy, research director at Aite Group.

But SRC is not a complete bulwark against Magecart and similar malware invading a retailer’s payment processes. Not only must the retailer offer SRC on its checkout page, but consumers must specifically invoke it for each transaction. SRC's protections would not apply to any cards that bypass it, Conroy added.

It's a situation much like the EMV migration — even if a merchant accepts EMV payments, the issuer and consumer must use an EMV card to invoke its security.

Though merchants have largely moved to protect payment card data with tokenization and encryption to render payment card useless to attackers, Macy’s web pages were infected with the web equivalent of a card-skimming device, according to Conroy.

“Attackers found a back-end vulnerability which enabled them to inject the malware into the website, so the best preventative measure in this case is staying current with software updates and patches,” Conroy said, but she added it’s still no guarantee that hackers won’t find those vulnerabilities first.

Visa, Mastercard, American Express and Discover last month joined together in a rare collaboration to launch the SRC-based click to pay checkout option for merchants to add to e-commerce sites for a more secure, streamlined checkout approach.

A handful of e-commerce sites, including Cinemark, Movember and Rakuten added click to pay their sites last month, and Saks Fifth Avenue, Papa John's, BassPro and JoAnn Fabric and Crafts are among others expected to add it in the coming weeks.

Though SRC can't protect merchants from targeted attacks, SRC still adds a key buffer for merchants by ensuring that once an online order is confirmed, no customer-specific data is communicated to the merchant via the website, said Tim Sloane, director of payment innovation at Mercator Advisory Group.

“While not impregnable, this approach takes the payment information off the web and shopping carts where it’s so easily attacked. Of course, SRC is a big change for merchants and will take time and effort to deploy, which may inhibit adoption,” Sloane said.

Recent consumer research suggests it will be a struggle to persuade consumers to jump through more security hoops at the checkout, as their expectations of seamless commerce steadily rise.

More than half of consumers said they believe the responsibility for avoiding fraud lies with the companies that have access to their data, with only 33% agreeing that fraud avoidance is their personal responsibility, according to a new study by Ekata conducted among 7,000 adults in North America and Europe.

Seventy percent of those surveyed said account creation should be instantaneous and 66% said they've abandoned an online purchase when they encountered friction at the checkout point, the survey said. Ekata surveyed consumers online between March and May 2019 in conjunction with market research firm Vanson Bourne.

For reprint and licensing requests for this article, click here.
Data security Cyber security Personally identifiable information Malware Retailers Network rules