Can Data Security Evolve As Fast As Cybercriminals?

First it was Target, and the world was shocked at how easy it was for a massive number of cards to be stolen. Then there were Michaels, P.F. Chang’s, Home Depot and Staples (among many others). Now 2014 is the year of the data breach, and no one is surprised to see their card get stolen from a POS and shared on the internet.

“It’s easy for hackers to get access to consumer credit card information – they are all trying to plug those holes but there are antiquated systems with open ports and can download clear text consumer information,” Tokenex founder Alex Pezold told PYMNTS Retail Reinvention week’s panel on Data Security. Pezold was joined by Shopkeep co-CEO Norm Merritt and Brighterion’s Dr. Thomas Rand-Nash.

The fear of antiquated technology was a common theme on the panel.

“The mentality has been not to mess with it if it’s not broken.  But now it’s broken,” Dr. Rand-Nash observed.

Yet fixing what is broken is often easier said than done. EMV is an example the panel alluded to. EMV could help with card-present fraud, but the panelists pointed out that this will only give cybercriminals a reason to take their act on the road, so to speak, and move on to card-not-present fraud, as that will present the easier target. Moreover, Pezold noted, while EMV adds one more reason for merchants to “bite the bullet and make upgrades to their security systems,” those upgrades are not cheap, and might not pencil out as worth it for small retailers, even with the liability shift coming in about a year.

“You don’t want to spend a million dollars to protect a penny.”

Merchants will, however, spend money to keep customers coming and, according to Merritt, that might be the inducement most need to push systems upgrades.

“Consumers are going to start asking merchants what they’re doing for security – once they start getting chip enabled cards from their credit card companies. What’s going to happen over the course of the next 12 months is that they’ll start to have to change.”

Large merchants, on the other hand, do not need to be persuaded to make the upgrades, and many have already started.  However, notes Dr. Rand-Nash, larger retailers have a different problem—in some sense it does not matter how good their internal security is, as they are only really as secure as the (often large) supply chains allow.

“They’re only as good as the weakest link in their supply chain – they’re spending money on hi-tech solutions but ultimately it comes down to the fact that consumer info was stolen somewhere else.”

The situation can look grim, bordering on hopeless. Criminals are infinitely motivated to break into sales systems to steal card data, which is relatively easy because most merchants are using POS systems that were designed before the era of Eastern European Cyber-Kleptocrats, which means they are woefully inadequate at locking them out. Security upgrades for small merchants may be too expensive, which means that large merchants’ security upgrades can be nullified so long as a criminal can use a smaller supplier as a backdoor into a larger partner’s system.

The panelists agreed that the situation is serious, but no one thought that it is hopeless. Criminals are getting better and smarter, they noted, but then so is the technology to fight them.

“Brighterion catches fraud when it happens and these large scale cases make it look like all fraud is getting through – which isn’t the case,” Dr. Rand-Nash noted. “With the forthcoming emergence of EMV and Apple Pay – the level of security will go up a great deal.”

The launch of Apple Pay last week (Oct. 20) heralds what Pezold considers two favorable evolutions on the timeline of data security. The first is, simply, customer interest.

“Customers are starting to ask if tokenization is right,” Pezold noted.

That doesn’t mean that customers want to understand all of the ins and outs of how a token functions, or how it attaches to their mobile device.

“Consumers don’t get into that level of detail – they want to know is it convenient and then is it secure?”

Which leads to the second favorable outgrowth of last week’s Apple Pay launch—the idea of a unified token system.

“Apple Pay will lay the ground work in this space and will move in the direction of standardization.”

With that groundwork comes customer comfort, which according to Pezold is really the key to making this work. Frightened consumers don’t want to shop and they surely do not want to adopt exotic payments systems. Mobile payments, in the era of the data breach, just seem intuitively frightening – and Apple (with its extreme focus on security) can help move customers to viewing mobile payments as not just as secure as, but more secure than, the payments alternatives they have.

“Apple Pay has done something to move towards digital adoption like no one else,” he told his fellow panelists. “They’ve done a great job in addressing the issue in common speak and have gone a long way to reduce fear in adopting a digital wallet.”

Moving customer opinions is a large part of the equation, but Merritt also noted that shifting retailer views are playing into developing a better-secured future. Small retailers are realizing they don’t also need to be security experts and are working with outside contractors, like Shopkeep, that specialize in bringing data security into the 21st century.

Merritt also noted that they are expanding their views as to what needs to be secured—it’s not only data stored, but also data that is in transit.

“There’s a hacker for everything. At the end of the day merchants should be securing everything, including finding a good solution for card not present.”

Data security has no magic bullet; on that the panel was certain. What data security has is everyone’s attention and interest—which really may be the best medicine. The cybercriminal community thrives on snatching data from places where no one is looking. The goal of the technology, retail and consumer community is to create fewer and fewer places that are not being watched.