Why merchants keep failing to protect card data

Register now

Merchants would seem to have the most sophisticated tools ever to protect card data — tokenization, biometrics, machine learning, even EMV — but they still leave the door open to fraud at an alarming rate.

Are the incentives for protecting card data so lopsided that merchants feel little need to do more? Or is it wrong to ask merchants to fix the faults in a payment card ecosystem they had little hand in creating?

Every time a major breach happens — including major incidents at Target, Home Depot and TJ Maxx — the immediate reaction is always to declare them as cautionary tales of the kind of negative publicity that no company wants to attract. But these companies never go out of business or get blacklisted from the major card networks (even if a few executives are sacrificed in the aftermath). Maybe they pay fines, but never enough to threaten their livelihood.

This week, the big breaches came from Saks, Lord & Taylor and Panera Bread. Details are scant about what caused the exposure of at least 5 million consumers’ card information at retailers Saks and Lord & Taylor; their parent company, Hudson’s Bay Co., hinted that the breach originated at store cash registers, because online and digital platforms weren't affected.

Separately, Panera Bread exposed millions of customers’ records including names, emails, addresses, birthdays and the last four digits of their Social Security numbers, according to security expert Brian Krebs. Panera on Monday told Fox News the issue has been resolved and fewer than 10,000 customers were affected, and Krebs took to Twitter to challenge the sincerity of this statement.

Even as merchants get raked over the coals for every new incident, there is little chance that they can solve the problem any time soon, said Shirley Inscoe, a senior analyst with Aite Group.

“The data criminals obtain is so valuable and criminal rings can sell it on the dark web for many kinds of fraud—payment fraud, account takeover fraud, application fraud, the list goes on and on. All a hacker needs is one gap in security that he can exploit, and as hard as companies try, it is difficult to shore up every potential gap,” Inscoe said.

Merchants are also frustrated by the piling on of requirements from the payment card industry, as well as the industry's habit of blaming the victim any time a merchant suffers a breach despite having been told they were doing everything right. This is a problem that stretches back nearly a decade; when the Princeton, N.J., processor Heartland Payment Systems disclosed a breach in 2009, it did so after repeatedly passing audits for the Payment Card Industry Data Security Standard.

"The audits that are used to determine compliance are very much overvalued, and we overvalued our audits," Robert O. Carr, Heartland's chairman and chief executive at the time, said in an interview shortly after disclosing the breach.

It's much the same with the EMV chip card migration. Despite a shift in fraud liability that took effect in late 2015, just over 50% of U.S. merchants have adopted the technology, according to Mastercard. This figure was part of the justification for eliminating the requirement for signature authentication this month.

It also indicates that nearly half of merchants see EMV as unnecessary to have right now. Perhaps it's because they feel their own anti-fraud systems are sufficient, or because they are willing to accept a less secure environment. Or the merchant wanted to comply but the payments industry wasn't able to move fast enough.

A sense is growing among data-security firms that the threat to merchant card data is too broad and ubiquitous to pin all the blame on merchants.

“Credit card breaches involved a more complex equation than just lazy merchants or sneaky criminals … even well-prepared merchants can become victims,” said Tim Erlin, vice president of product management and strategy at Tripwire, a Portland, Ore.-based cybersecurity firm.

While there’s no doubt some merchants fail to implement appropriate controls or do the bare minimum to be compliant with payment card industry security standards and recommendations, that’s not the whole story, according to Erlin.

“Over the years we’ve seen myriad attacks that were simply opportunistic or were well-planned, sophisticated assaults,” he said, underscoring the limitations of most merchants’ capabilities to protect card data in the face of ongoing, aggressive criminals who continue to find a market for stolen card credentials.

Threats to data are intensifying faster than merchants can adapt to them, especially as retail environments morph to omnichannel delivery approaches, which can increase risks, said Terry Ray, chief technology officer at Imperva, a cybersecurity firm based in Redwood Shores, Calif.

Another problem is the lack of critical expertise in battling data security, he said. Ray's research suggests there's a dearth of experts globally in "data security" compared with "network security," highlighting the fact that many organizations lack resources to adequately battle the growing problem of card data security.

"If organizations know little about data security, then data will likely receive very little attention in any corporation's grand security strategy and the result is that we'll continue to see breach after breach, day after day," Ray said. "Frankly, most organizations can't tell you where all of their sensitive data is, who touches it, when they touch it, or whether they should be touching it. This is a problem."

For reprint and licensing requests for this article, click here.
Data security Network security Retailers PCI DSS