How retailers can protect against security breaches

May 12, 2015
Taking simple precautions and using advanced POS systems can provide a solid defense

When you swipe your card to pay at a store, how safe is your data? According to Symantec, the security of your data varies greatly depending on the sophistication of the payments system of the retailer you’re visiting. Outdated point of sale systems are notoriously insecure and, according to Symantec, are particularly vulnerable due to a lack of encryption and reliance on outdated software.

Symantec recently released its annual Security Threat Report, which unveiled shocking statistics about the state of security in retail. The report revealed that 11 percent of all security breaches happened in retail; the only field harder hit by security breaches was the health care industry. Even more unnerving, the percentage of breaches in which sensitive financial information was exposed doubled to 36 percent, and the retail sector was responsible for 59 percent of all identities exposed in 2014. Any retailer who’s been hit with a security breach knows that it’s not only financially costly, but it also harms a merchant’s reputation among consumers—and that can have repercussions for years, as both Target and Home Depot have experienced.

These statistics are, simply put, unsettling at best and terrifying at worst. When merchants hear of this data, it’s no surprise that they’re wondering what they can do to make their point of sale systems more secure and hacker-proof. With consumers increasingly expecting retailers to accept different payment options while ensuring all of their data is secure, how can a retailer balance the need for security with providing world-class customer service?

In addition to updating to an advanced payments system, there are tangible steps that merchants can take to ensure the highest levels of security to protect their patrons’ privacy.  

  • Don’t store credit card information in the front-end of your point of sale system. So long as a credit card system is in place, thieves will attempt to hack it. Storing credit card data in the front-end of your system leaves cardholders’ data vulnerable to being hacked. 
  • Do not store credit card information in the cloud. Data in the cloud is also susceptible to hackers. Moreover, because many payments systems communicate between the point of sale and the cloud, find a provider that uses security certificates.
  • Make sure that credit card information goes directly from the card swipe into the payment processor. How do you implement steps one and two above? By keeping your POS out of reach altogether. A P2PE-certified device prevents attacks by sending encrypted card data directly from the card swipe into the payment processor. None of the customer’s information even touches the point of sale or the cloud.
  • If you have to store credit card information, tokenize it. Tokenization creates a unique encrypted token the first time a credit card is swiped. The next time the customer comes in and makes a purchase, the token will be charged rather than the credit card, precluding the need to re-swipe or send it to the processor.
  • Use POS security features that help you identify theft. Many point of sale security features are widely unused by smaller merchants, who could ultimately save millions of dollars by investing in fraud mitigation technology. Look for solutions that mitigate risk by using video and passwords to track the sales personnel who log in to process transactions.
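
The tokenization step in the list above, as an added example that is not from the article or from any vendor's product: the merchant record holds only a token and the last four digits, and a repeat purchase charges the token. The `Processor` and `PointOfSale` classes are hypothetical, the card number is a constructed test value, and the token is a random vault-lookup value rather than an encrypted one.

```python
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here only to reject mistyped card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class Processor:
    """Hypothetical processor-side vault: the only place the card number lives."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}
        self.charges = []  # (token, amount_cents) actually billed

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a valid card number")
        if digits not in self._token_by_pan:
            # Random token: reveals nothing about the card if the POS is breached.
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_by_pan[digits] = token
            self._pan_by_token[token] = digits
        return self._token_by_pan[digits]

    def charge(self, token: str, amount_cents: int) -> bool:
        self._pan_by_token[token]  # KeyError for a token the vault never issued
        self.charges.append((token, amount_cents))
        return True

class PointOfSale:
    """Merchant side: keeps the token and last four digits, never the card number."""
    def __init__(self, processor: Processor):
        self.processor, self.records = processor, {}

    def first_purchase(self, customer_id: str, pan: str, amount_cents: int) -> str:
        token = self.processor.tokenize(pan)  # PAN is handed off, not stored
        self.records[customer_id] = {"token": token, "last4": pan.replace(" ", "")[-4:]}
        self.processor.charge(token, amount_cents)
        return token

    def repeat_purchase(self, customer_id: str, amount_cents: int) -> bool:
        # No re-swipe: the stored token is charged instead of the card.
        return self.processor.charge(self.records[customer_id]["token"], amount_cents)

if __name__ == "__main__":
    pos = PointOfSale(Processor())
    pos.first_purchase("cust-1", "4111 1111 1111 1111", 1250)  # constructed test number
    print(pos.records, pos.repeat_purchase("cust-1", 800))
```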

In its Threat Report, Symantec also highlighted the important role that federal standards play in protecting consumers’ data. The Europay, Mastercard and Visa (EMV) standard is accelerating globally, with 70 percent of terminals deployed outside of the US using the EMV standard, but this has been slower to catch on here at home. The EMV standard reduces fraud through chip-enabled cards and chip-enabled terminals, which are far less vulnerable to hacks than the traditional magnetic stripe cards. The chip-enabled standard is significantly more secure, and retailers who don’t adopt this standard are putting themselves and their shoppers at risk.

In addition to making transactions safer for consumers, EMV also shifts the liability to merchants and issuers for fraudulent transactions. For example, retailers using non-EMV compliant devices assume all liability for any transactions that are found to be fraudulent. This could be hugely expensive for retailers’ bottom lines and reputations should they not adopt EMV-compliant solutions soon. Retailers should start making the shift to EMV well in advance of the October deadline to avoid a fire drill.

By choosing an advanced payments system that has stringent security standards in place and adopting EMV standards, retailers can ensure the highest levels of security for their consumers’ data and success in their businesses moving forward.

About the Author: Chris Ciabarra is co-founder and CTO of Revel Systems.