Data Breaches and eCommerce: Is There Promise in New Prevention Options?

Introduction

Despite the recent economic crisis, lagging unemployment and lingering consumer doubts about the economy, one bright spot has persisted in the retail landscape: eCommerce has continued to grow as a major force in global retail. Online retail sales are expected to reach nearly $250 billion by 2014, with annual growth rates of 10 percent, despite the lagging economy. [1] Javelin Research predicts growth for eCommerce in 2010 to be 13 percent, again, despite the challenging economy. [2] This compares with slower overall retail growth rates of 2.5 percent or less. [3]

As a result, eCommerce sales are expected to account for 8 percent of total U.S. retail sales by 2014. [4] In certain industries, including consumer electronics, books and office supplies, online sales account for 25 percent to 50 percent of total sales. [5]

eCommerce growth comes with downsides as well. Perhaps the most noteworthy area of concern is the growth in online security breaches, fraud and other forms of electronic malfeasance. Direct eCommerce fraud rates have decreased significantly over the last several years, in part due to major investments in security and fraud prevention.

However, fraud still costs eCommerce merchants billions in losses. Loss estimates vary, but conservative estimates put eCommerce fraud losses at $3 billion. [6] Most of these losses have their origin in compromised card data, either through data breaches (online and offline) or other forms of cardholder data theft.

In spite of online security investments, eCommerce merchants remain vulnerable to fraud committed using stolen information compromised in data breaches, highlighting a unique challenge to tighten security both in the physical and electronic environments. This becomes even more important given the nascent mobile commerce industry, which introduces additional security challenges. Some analysts fear that total fraud losses across channels – card-not-present (CNP) and card present – could exceed the current level estimated to be as high as $100 billion. [7]   

These security problems come with significant hard dollar costs, as well as harder-to-quantify costs to consumer confidence and brand reputation. This article will discuss existing data breach problems and financial implications of recent data breaches, as well as some solutions to these security and data breach situations. Many potential solutions are being proposed by both security players and traditional payment players. This piece will focus on a handful of solutions that aim to address a broad range of security problems with minimal cost to players in the payments ecosystem.

The Problem

Despite an intensive industry effort to raise awareness of the need for data security and millions of dollars of investment in data breach prevention, the data breach problem is extensive. According to the 2010 Data Breach Investigations Report, 222 million records were compromised in 2009, with over 70 percent of these breaches the result of external attacks. [8] In 2009, these breaches resulted in more than 70 million payment cards being replaced and more than 26 percent of all consumers being notified of the breaches. [9] More than 85 percent of these attacks were attributed to organized crime. [10] The good news is that the incidence of these attacks has actually gone down from 285 million compromised records in 2008. [11] Figure 1 breaks down the methods used in these attacks.


All of these external attacks use electronic methods to compromise electronic data wherever it exists. This makes data vulnerable regardless of its state:

– data in transit
– data at rest
– data at work

Since the dawn of eCommerce, much attention has been given to vulnerabilities associated with the payment transaction itself, that is, to data in transit over the Internet. However, research suggests that recent breaches and vulnerabilities highlight flaws in the security of data at rest (stored data), as well as of data used for non-financial transactions. This includes data used for marketing, fulfillment, sales and support, analytics and reporting, which should make data security an enterprise activity.

Data Vulnerabilities

Clearly, data vulnerabilities affect all parts of an enterprise that capture and store personally identifiable, sensitive information about its customers, vendors or partners. Figure 2 shows a representative view of areas in which a corporation may have data vulnerabilities.


Many companies, particularly eCommerce companies, leverage payment information as a convenient customer ID used for marketing, customer service and operations/order management. This practice leaves those enterprises vulnerable to data attacks, not only on data in transit, but also data at rest or at work.

The Impact

The costs of data breaches have been studied for years, but many of the latest studies now identify a more holistic set of costs. These costs include:

– liabilities for actual losses
– card reissuance costs
– lost business at compromised merchants
– lower card usage by affected consumers
– reputation costs

Every part of the value chain is affected, and most experts believe the cost of these breaches is rising, even as the incidence of data compromise declines. The Ponemon Institute estimates that the cost of a breach ranges from $750,000 to $32 million, depending on the size of the breach and the nature of required remediation. [12] In 2009, card reissuance costs alone were estimated at $250 million, and the estimate of lost merchant business was put at $128 per compromised record. [13] These costs combined with remediation and security investment costs drive a total estimated cost of $204 per compromised record. [14] This puts the total cost of 2009 data breaches at $44.9 billion, dwarfing the hard dollar fraud losses. While estimates of the actual losses vary, all experts agree that the direct fraud losses alone are significant, particularly in the CNP environment. When chargeback fees and other fees are added in, the costs are material.

Perhaps even more important to the payments industry than these hard dollar losses is the overall effect these breaches have on consumer confidence. Following a card data breach, around 40 percent of affected consumers decrease card usage across the board. [15] In addition, many consumers (over 10 percent) affected by data breaches also report identity theft, creating additional losses in confidence. The scope of these losses makes it clear that this issue is of critical importance, not only to the payments industry, but to the merchants as well. Even for smaller merchants, the costs in hard-dollar remediation, combined with lost sales, represent a material impact.

The eCommerce Connection

Not all data security breaches, or even the largest ones, focus on Internet merchants. High-profile breaches at Hannaford, DSW and T.J. Maxx demonstrate that the most vulnerable payment databases belong to large physical-world merchants. That said, even though the Internet industry and eCommerce merchants have been extremely focused on online security, they remain at the center of discussions about payment security and fraud. Some of this concern is probably unwarranted. However, several legitimate reasons for this level of focus exist:

Internet is the No. 1 test site for stolen card information: Forty-two percent of stolen identity information, regardless of the breach source, is used online. [16] The non-face-to-face nature of eCommerce, combined with speed and remote accessibility, make the Internet an ideal way to test stolen card information without detection. 

Internet breaches do occur: Although less common than attacks on physical world retailers or health care providers, some personally identifiable data does get compromised through direct attacks on Internet sites. Recent cases included sites as diverse as Gawker, ECS Learning, the Loft and Comedy Club and Cisco Live 2010. None of these incidents involved huge exposure of financial information. Yet in each case, some personally identifiable information, including credit card numbers, was exposed through hacking attacks, and in one case, a Google search. [17]

Internet relay channel: The Internet is a leading channel for criminal activity. Since the outset of eCommerce, the Internet has attracted a range of criminal activity. Today, organized crime syndicates have invested heavily in Internet capabilities as platforms for significant criminal activity. The Internet has a range of benefits for criminal enterprises due to its cross-border legal status, anonymity and the ability to rapidly mass-produce effective criminal activity.

Social networks and social engineering: The proliferation of networked Internet properties makes the syndication of criminal social engineering attacks even more powerful. E-mail was once the main venue for online financial scams, like the Nigerian money laundering scam. Now, Facebook, LinkedIn and even online dating sites make it easy for criminals to gain a host of identity and payment data through online networks.

The unique characteristics of the online environment have many attractions for criminals and make it an easy “test bed” for criminal schemes, making it important that Internet players think deeply about data security and fraud prevention. Many eCommerce merchants, notably players like Amazon and eBay, consider fraud, risk management and data security to be core competencies and areas in which they are positioned to play a leadership role. As such, some of these players rightfully resist the more “brute-force” payment security mandates that have come from traditional payment players like Visa and MasterCard. These sophisticated eCommerce merchants resist products like Verified by Visa and MasterCard SecureCode as disruptive and ineffective at preventing true fraud.

Potential Solutions

Due to a range of data breaches in the mid 2000s, including the aforementioned attacks at T.J. Maxx, DSW and others, the U.S. financial services industry focused most data security efforts on supporting a huge push by the card networks – Visa and MasterCard – to get commitment to PCI compliance. However, following the massive data breach experienced by Heartland Payments back in 2008, it became clear to many that PCI efforts alone were not enough to prevent costly security breaches. Nearly 20 percent of recent breaches, including some of the largest, took place against PCI compliant entities. [18] Deeper investigation continues to suggest that the PCI compliance recommendations are the critical first line of defense in preventing attacks, but it is clear that other safeguards and measures are needed.

There is a wide range of solutions currently on offer to address these challenges at a range of price points, running the gamut of prevention, detection and remediation. Many of these solutions, particularly the detection and remediation options, have been broadly implemented and well analyzed over the last several years. Much new activity is focused on prevention, so it is worth discussing several specific solutions that have emerged. Consequently, this piece will focus on three prevention solutions that have received broad interest from across the payments industry – encryption, tokenization and EMV/chip & PIN. Figure 3 highlights the landscape of data breach solutions.

Encryption: Although encryption solutions have been available for decades, the costs and implementation complexities historically have kept encryption solutions out of reach of all but the largest merchants. However, as firms start to understand the true cost of security vulnerabilities, some merchants have begun to implement end-to-end encryption capabilities throughout their retail environment. This includes the physical POS, through the store back office and back to the retailer’s host computers. Security players, including RSA and Voltage, recently have teamed up with payments processors, like First Data, Heartland and Elavon, to make end-to-end encryption accessible even to smaller merchants.

Although these merchant encryption solutions vary, they each help avoid some of the data breach problems experienced in high-profile data breach cases, eliminating the ability to intercept card data in transit and also protecting card data at rest. Particularly for physical POS retailers, this eliminates major data vulnerabilities. Since eCommerce merchants have been using SSL encryption for years now, this added layer of security may not be as pivotal to them.

The economic value proposition of these encryption solutions is less clear, particularly for smaller merchants. Deployment of these solutions adds to payment transaction costs, and in some cases, increases capital investments. The Voltage solution, for example, requires new POS terminals and a significant capital outlay. While the ROI for this investment can be made, it is a difficult case to make to a cash-strapped small business person who is trading off the hard dollar costs of an encryption solution with the uncertainty of the potential costs of a future security breach. Encryption solution vendors are selling “vitamins” that prevent problems in the future to small businesses that are focused only on the “headaches” they face today.

Tokenization: Tokenization solutions reduce the security challenges of dealing with card data by replacing sensitive card information with a token value that can be used by the merchant for receiving payment but cannot be used by anyone else for fraudulent purchases. Essentially, the token takes card data out of the merchant environment, eliminating the need for merchants to store that sensitive data, potentially also reducing downstream costs of securing that data.

A range of players, including Chase Paymentech, First Data/RSA and Voltage/Heartland, have designed solutions to be accessible and economic for relatively small merchants. One of the most powerful attributes of tokenization is that it effectively eliminates the need for merchants to focus on card security in their operations, from payment authorization and settlement, through fulfillment and customer service (see Figure 2). As a result, data are protected in all states – in transit, at rest and at work.

The challenges and costs of tokenization are in the implementation details. Solutions that work within existing processes and are minimally invasive to the customer transaction are the ones with the greatest likelihood of adoption, since implementation costs and the risks of a suboptimal customer experience are not risks most merchants will take.
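The tokenization flow described in this section, and the practice noted earlier of using payment data as a customer ID for marketing and customer service, can be seen concretely in the following example. It is added here for illustration and is not code from this article or from any of the vendors it names (Chase Paymentech, First Data/RSA, Voltage/Heartland). The vault, the merchant order store, the `checkout` function and the Luhn-based data-at-rest scan are all hypothetical; the card number is a widely published test value, not a real account.

```python
import secrets
from dataclasses import dataclass, field


def luhn_ok(number: str) -> bool:
    """Luhn check: the usual test for whether a digit string looks like a real PAN."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical vault on the processor side: the only place a PAN exists.
    Tokens are random, so nothing about the PAN can be recovered from one."""
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_pan: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:           # same card -> same token, so the
            return self._token_by_pan[pan]      # merchant can key its records on it
        while True:
            # Keep the last four digits (receipts, customer service) and randomise
            # the rest.  Candidates that pass Luhn are rejected so a token can never
            # be mistaken for a card number (a design choice for this example).
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, at authorization/settlement time."""
        return self._pan_by_token[token]        # KeyError for a token the vault never issued


@dataclass
class MerchantOrderStore:
    """What the merchant keeps: token and last four digits only, never the PAN."""
    orders: list = field(default_factory=list)

    def record(self, token: str, last4: str, amount_cents: int) -> None:
        self.orders.append({"card_token": token, "last4": last4, "amount_cents": amount_cents})

    def customer_history(self, token: str) -> list:
        """Marketing / customer-service lookup keyed on the token, not the card."""
        return [o for o in self.orders if o["card_token"] == token]


def checkout(vault: TokenVault, store: MerchantOrderStore, pan: str, amount_cents: int) -> str:
    """Card data crosses the merchant boundary once; only the token is retained."""
    token = vault.tokenize(pan)
    store.record(token, pan.replace(" ", "")[-4:], amount_cents)
    return token


def find_pan_like_values(store: MerchantOrderStore) -> list:
    """Data-at-rest check: does anything in the merchant's records look like a PAN?"""
    hits = []
    for order in store.orders:
        for value in order.values():
            digits = str(value)
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(digits)
    return hits


if __name__ == "__main__":
    vault, store = TokenVault(), MerchantOrderStore()
    # constructed input: a widely published test card number, not a real account
    token = checkout(vault, store, "4111 1111 1111 1111", 2500)
    print("merchant stores:", store.orders)
    print("processor resolves:", vault.detokenize(token))
    print("PAN-like values at rest:", find_pan_like_values(store))
```

The point the scan makes is the one the article makes: once the token is what the merchant stores, a compromise of the merchant's order database yields nothing a criminal can charge, and the merchant's own marketing and service lookups keep working because the token is stable per card. A production vault would of course sit in an isolated, encrypted environment at the processor rather than in a Python dictionary.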

EMV/chip & PIN: Despite years of advocacy from security and payments organizations, chip & PIN (EMV Protocol) technology never took off in the United States. Most pundits believe that low fraud and high electronic authorization rates limit the need for this technology in the United States. Yet in 2010, key players began to reconsider EMV/chip & PIN as a prevention measure for the United States. The EMV/chip & PIN protocol in place in Europe, Canada and elsewhere is designed to minimize the vulnerabilities of magnetic stripe cards, which can be easily reproduced. Magnetic stripe cards can be recreated by encoding new magnetic stripes with legitimate cardholder data “skimmed” from legitimate magnetic stripe cards or accessed through a data breach. In theory, chip & PIN card technology should reduce the incidence of card data theft, since it is harder to create counterfeit cards.

Nevertheless, there are many practical challenges to this solution, even before the intensive costs for new terminals, card issuance, etc. The biggest challenge to this solution is that it does not reduce the incentive to steal cardholder data, since card numbers can still be used without PINs in eCommerce environments. It merely changes the method of fraud, shifting from POS card skimming to remote database hacking. In fact, chip & PIN might increase the incentives for criminals to attack card databases.

Even the theoretical security benefits of chip & PIN have proven vulnerable to simple attacks. A recent University of Cambridge paper highlights problems with chip & PIN, including a material increase in CNP fraud following EMV implementation. [19] Since most CNP fraud costs are borne by merchants, banks did not have a direct stake in the fraud losses in CNP channels. In addition, the paper highlights a simple failure in the EMV protocol itself that made it possible for Cambridge researchers to “trick” a chip & PIN terminal into accepting cards without valid PINs using a £20 device. [20]

So, while research shows that chip & PIN did appear to lower fraud from lost and stolen cards, it did not appear to dampen counterfeit card fraud. It also seems to have inadvertently contributed to a rise in CNP fraud. Thus, while some pundits have suggested that chip & PIN might be an important fraud prevention option in a post-Dodd-Frank Act world, it is not clear that this solution addresses the primary risks in the U.S. card payment system, and in fact, it might exacerbate the risks.

Ignition of Potential Solutions

Since most agree that PCI compliance is the baseline for data security, the fact that many merchants have not already taken these basic steps is a serious challenge for those wishing to get merchants to implement still other solutions. Thus, for these new prevention solutions to gain critical mass and achieve ignition, several key factors must be considered:

Pricing: Pricing to achieve critical mass is a challenge for any new payment solution. It is particularly challenging for security and fraud prevention solutions, since the prevention costs may seem relatively high. Losses and security breaches, while costly and noticeable, are not high-frequency events. Therefore, fraud and security may not hit the “radar screen” of acute problems for most small business owners. As a result, these solutions face a number of classic problems, including free rider problems, issues of moral hazard and other challenges of risk/reward asymmetry. The key to ignition is pricing that encourages the maximum number of players to adopt the solution, thereby spreading costs and benefits. In addition, bundling these solutions with other more pressing, value-added features may create a more compelling adoption picture for merchants.

Distribution: Rapid adoption and usage of new solutions is critical to achieving ignition. Thus, solution providers should consider broad distribution strategies prior to launch. Solutions that are available on a limited basis to only a subset of customers or through a subset of sales channels will struggle to gain momentum versus solutions that are available ubiquitously.

Implementation: Regardless of pricing or service availability, if implementation is hard, even the most eager potential clients may fail to implement and use the service. Ease of implementation should address technical integration, business process flow and even human resource concerns (e.g. how a POS sales clerk learns about new processes or terminals).

Role of standards/mandates: Industry standards or mandates can provide a reason for key players to “take their medicine” and adopt new solutions even when they come with added cost. Knowing that the required security steps are added on a level playing field and don’t put any specific business at a cost disadvantage can be a big help in gaining critical mass. In the case of PCI, industry mandates and standards were critical to implementing the security guidelines that are now in place. Even though this doesn’t mean that every merchant has implemented the guidelines, the industry overall has become a lot safer, and many PCI solution providers have benefited from an expanded security industry.

Conclusion

Data security is one of the most critical issues facing the payments industry today, cutting significantly into the profits of merchants and financial institutions at a time when economic recovery is tenuous and regulatory activism further threatens profits. However, it is precisely due to these larger macro-economic issues – regulation and sluggish economic recovery – that data security will struggle for attention among even the most proactive banks and merchants. Solution providers are challenged to rise above typical debates about functionality and find ways to promote investment in security solutions as mission critical for the payments industry. By developing appropriate pricing incentives for easily implemented solutions, perhaps they can overcome the timeless difficulties of “selling vitamins instead of aspirin.”

Endnotes

[1] Forrester Research, March 2010.

[2] Javelin Strategy & Research, “Online Retail Payments Forecast 2010 – 2014,” February 2010.

[3] National Retail Federation estimates, 2010.

[4] Forrester Research, March 2010.

[5] Ibid.

[6] The Green Sheet, “The Worldwide Fraud Web Exposed,” April 22, 2010. www.directresponseform.org

[7] 2009 LexisNexis True Cost of Fraud Study. Cited in the article “Fighting Fraud with Chase Paymentech,” at the Direct Response Forum, and posted on www.directresponseform.org – These estimates include the fees associated with chargebacks.

[8] 2010 Data Breach Investigations Report, Verizon Business Risk Team.

[9] Ibid.

[10] Ibid.

[11] 2009 Data Breach Investigations Report, Verizon Business Risk Team.

[12] Ponemon Institute Survey, January 2010.

[13] Ibid.

[14] Ibid.

[15] Ibid.

[16] 2010 Data Breach Investigations Report, Verizon Business Risk Team.

[17] Privacy Rights Clearinghouse, Chronology of Data Breaches website (www.privacyrights.org/data-breach) – current as of 12/30/2010.

[18] 2009 Data Breach Investigations Report, Verizon Business Risk Team.

[19] “Chip and PIN is Broken,” 2010 IEEE Symposium on Security and Privacy. S. Murdoch, S. Drimer, R. Anderson, M. Bond, University of Cambridge, pp. 433 – 443.

[20] “Cambridge Researchers Under Fire,” Top Tech Reviews website. www.toptechnews.net, 2010.