Data breaches have hit many retailers hard over the past year or so, and Stage Stores is doing everything it can to make sure customer payment data can't be exposed.
Stage Stores, a Houston-based chain of about 900 retail locations that includes Bealls, Palais Royal, Peebles, Goody's, just finished a project in which it migrated about 5,000 point of sale terminals to a system that encrypts transaction data at the PIN pad instead of the register. It even requires the use of a traditional PIN pad for sales initiated on a tablet-based point of sale.
"Using the PIN pad triggers the encryption, so we do it before the transaction there is really no path or point in which the customer information is not encrypted," said Steven Hunter, executive vice president and chief information officer at Stage Stores. "We've been very concerned about what's happening to customer data, and what's been going on in the past year has encouraged us to speed up our approach."
The chain is using Chase's Safetech encryption powered by Ingenico's On-Guard security technology. The retailer used a remote key injection system, which allowed the encryption to be deployed without removing the point of sale devices from service. Stage also encrypts customer date for e-commerce purchases using security technology from Chase Paymentech and Oracle. Stage does not use tokenization or accept contactless payments, but both are in process of being implemented, Hunter said.
"Retailers are under a significant amount of pressure," said Julie Conroy, a research director at Aite Group, who said she's spoken with a number of retailers that are deploying encryption and tokenization because of a top-down mandate from their CEO to "make sure we're not the next Target or Home Depot in the headlines."
Hackers have hit many large retailers over the past year and a half. One of the most notorious was the Target breach, which occurred over the holiday shopping season in 2013. Other retailers that disclosed breaches include Michaels, Neiman Marcus, Home Depot and Chick-fil-A.
While each breach had its own cause, in many cases the PIN pad is infected by malware or outright replaced by a model that a fraudster has modified. In light of this, P.F. Chang's briefly switched to old-fashioned knuckle busters to accept card payments to avoid further exposure after it was breached.
In many breaches, "crooks were able to take the information as it was being transferred from the PIN pad to the register, which is why we are looking to seal that transfer point," Hunter said.
Stage also expects to be able to accept EMV-chip card payments by the card networks' October 2015 deadline, though protecting magnetic-stripe card payments will remain a priority.
"Our issue with chip and PIN is not bank-related or related to the migration, but it's more that most of our stores are in secondary markets or in small towns that have smaller banks that are migrating to EMV slower," Hunter said. "I don't think chip and PIN will be prevalent in those markets until 2016 or 2017."
The EMV migration also gives merchants a chance to examine other security threats and preventative measures, Conroy said.
"Merchants have their hoods up on their point of sale systems right now for the EMV upgrade anyway, so while they're at it, many large merchants that I'm talking to are taking advantage of that to make other significant upgrades," she said. "They recognize that given the escalating threat environment, it's probably not 'if' they will be breached, but 'when,' so they're taking appropriate steps to devalue the underlying data."