Breaches at Points of Sale

“Just because you’re paranoid doesn’t mean everyone isn’t out to get you.” It’s sad when pop-culture wisdom applies equally well to payment-systems security.

The question is no longer: “Will your customer data be breached?” The question is, “How will your customer data be breached?” That is the voice of pragmatism, not paranoia, speaking.

It doesn’t take a rocket scientist, or even a computer hacker, to access customers’ accounts, often at the point of sale. For instance, a teenager working in a video store learns quickly that customer accounts can be viewed just by typing in the phone number. Dishonest restaurant servers carry “skimmers,” handheld devices that capture credit-card information in the flash of a swipe.

Although everyone agrees that security is a huge concern, opinions vary on where the biggest vulnerabilities lie. While many view the Internet as the most fertile ground for criminal activity, others see an equal or even greater risk in bricks-and-mortar retailing.

Donovan Neale-May, executive director of the Chief Marketing Officer (CMO) Council, said a recent study of 2,200 consumers conducted by his organization revealed “bricks-and-mortar retail is among the least trusted of all entities. In fact, bricks-and-mortar retailers ranked below Internet retailers.”

The study, “Secure the Trust of Your Brand,” surveyed executives as well as consumers. Of the 250 marketing executives queried, only 29% said their company had a specific crisis-containment plan in the case of a security breach, although an additional 17.7% indicated such a plan was being developed.

In light of the rising incidence of compromised consumer data, and the ensuing brand erosion that such breaches produce, it was surprising that more executives were not poised to address the fallout. The CMO Council survey also revealed that 25% of consumers would take their business elsewhere if a company compromised personal data.

Emerging trends: Regardless of where or how a breach occurs, the responsibility for protecting transactions and customer data should be shared by the retailer, financial institutions, credit-card issuers and consumers.

Jack McCoy, VP of security for Discover Financial Services, Riverwoods, Ill., suggested a number of emerging practices and technologies to make retail transactions more secure.

“We’re working on a technology where the card-verification value is randomly changed so that it becomes unique to each transaction,” he said. Discover is testing that process with at least one retail customer.
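To show why a per-transaction card-verification value defeats a skimmer, here is an added illustrative example (not Discover's scheme and not code from the article): the CVV is derived from a per-card secret and a transaction counter, and the issuer rejects any counter it has already accepted, so a captured value cannot be replayed. The secret, the 3-digit truncation and the counter window are constructed assumptions.

```python
import hmac
import hashlib

# Constructed per-card secret for the example; a real issuer would hold this in an HSM.
CARD_SECRET = b"example-per-card-secret-not-real"


def dynamic_cvv(secret: bytes, counter: int) -> str:
    """Derive a 3-digit CVV that is unique to this transaction counter."""
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class IssuerVerifier:
    """Issuer-side check: the presented CVV must match a not-yet-used counter."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.last_counter = 0  # highest counter already accepted for this card
        self.window = window   # tolerate a few aborted transactions at the terminal

    def verify(self, counter: int, presented_cvv: str) -> bool:
        # A counter at or below the last accepted one is stale: a skimmed
        # (counter, CVV) pair from an earlier swipe is rejected here.
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return False
        expected = dynamic_cvv(self.secret, counter)
        if not hmac.compare_digest(expected, presented_cvv):
            return False
        self.last_counter = counter  # advance only after a successful check
        return True


def demo() -> list:
    """First use succeeds, replay of the same swipe fails, next counter succeeds."""
    issuer = IssuerVerifier(CARD_SECRET)
    first = dynamic_cvv(CARD_SECRET, 1)
    return [
        issuer.verify(1, first),                       # genuine transaction
        issuer.verify(1, first),                       # replayed skimmer capture
        issuer.verify(2, dynamic_cvv(CARD_SECRET, 2)),  # next genuine transaction
    ]
```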

For online transactions, Discover facilitates an individualized account between the retailer and consumer that seamlessly transfers charges to the consumer’s Discover account. For instance, Nordstrom shoppers can create a unique account and when they charge purchases to that account, it appears on their Discover bill. “If a hacker were to access the Nordstrom account number, there would be no way he could use it to make any purchases through this account or with the customer’s Discover card,” noted McCoy. The added layer of security is worth the few minutes a consumer spends establishing the account.

McCoy also suggested that bricks-and-mortar retailers should employ an address-verification system (AVS) as an additional criterion for accepting debit- or credit-card transactions. The AVS can be as simple as having shoppers input a ZIP code at the point of sale each time the card is used.

Another area of in-store vulnerability that retailers sometimes overlook is the ease with which their databases might be breached via wireless technologies operating within stores.

“In stores where wireless handhelds are used, retailers have to be certain the systems have adequate firewalls,” advised McCoy. “Additionally, many of the smaller retail chains don’t know what is stored, or if customer information is stored in an unencrypted fashion. All of the software being used should comply with Payment Card Industry standards.”

Loyalty cards that are tied to any of the consumer’s personal data, such as address, date of birth or credit-card numbers, also present a potential point of vulnerability, and all of this data should be encrypted as well.