Why Retail POS Is Under Attack

Payments security is a problem today with many solutions – EMV, tokenization, P2P encryption, to name but a few. But while there seems to be no lack of effort and options for securing the motion of money at the point of sale, the industry seems hard pressed to stem the tide of breaches that have plagued retailers in 2014.

And that puts an undue burden on retailers of all size, says Merchant Warehouse Chief Revenue Officer, Ken Paull.  Paull recently chatted with MPD CEO Karen Webster about how this impacts retailers at just the point in time that they are being asked to deploy a variety of new solutions designed to improve the retail experience for their customers.

“There’s just so many things happening in our industry,” he told Webster.

He also has a theory about why the cyber crooks have found retail POS to be such a fertile hunting ground.

“I do think some of the timing [of these breaches] is correlated with what retailers have being doing over the years to bring a lot of the payments systems and payment in house, and onto their systems,” Paull told Webster. “I think in the last 10 to 20 years there’s been a trend towards taking enterprise payment capabilities in house, retailers bringing their own switches and concentrators in house. That allows them to really commoditize the payment processing and reduce the cost per transaction down.  Saving money has been a big driver.”

But, Paull says, that has created on gigantic unintended consequence: making the point of sale highly vulnerable and negating whatever cost savings might have been generated.

“[Retailers] could in the past really optimize their costs for payments processing, but I think in reflection we’re going to see that trend reverse because you can only afford so many of these breaches,” Paull noted.  “In house systems, particularly those tied to many separate retail locations, are prime targets and one that cybercriminals are getting extremely skilled at targeting.  In 2007 TJX dominated headlines when its POS was compromised, same with Target in 2013.

But Paull cautioned that this is a situation that lacks a convenient magic bullet. Using EMV as an example, Paul told Webster that while it’s certainly a technology to be hopeful about, it’s not something the CTOs he works with really believe is the solution to their security issues.

“The CTO is hopeful that EMV will help, but I don’t think there’s anyone out there naïve enough to believe this is going to solve all of these issues.”

And, regardless of how effective EMV is to mitigating the consequences of a breach, he says it’s not a solution that Paull believes the industry will be anywhere close to having in place by October of 2015 when the liability shift is scheduled to take effect.

Responding to Webster, who noted an industry authority she’d spoken to who stated that any merchant that wanted EMV capabilities in place could easily have it by this time next year, Paull was openly simply doubtful.

“If EMV were the sole and only focus of the retail market then I think it might be possible, but even then it would be challenging,” he noted. “But, this is nowhere near the only priority, and in some cases it’s not a top priority given the other things that are going on.”

And those other things, notes Paull is the need to accommodate mobile payments and mobile commerce that they and their consumers increasingly want to take advantage of in the retail environment. Retailers suddenly find they have a lot of choices facing them to accommodate the preferences of their customers – options such as Apple Pay, PayPal Here, Google Wallet just to name a few – which adds even more complexity to securing the point of sale.

“Merchants have spent the last decade or two moving systems in house just in time for those systems to become much more complicated to manage in-house efficiently and effectively,” Paull remarked. “The combination of all the security challenges and payment and tender types is converging on companies.”

Paull believes that the trend for in house point of sale management will shift once again to outsource providers, because retailers increasingly understand that the environment is becoming much too complex for them to manage effectively on their own. Paull notes that the particularly progressive retailers that are offering Apple Pay and a variety of technology assisted payment methods also realize that the clock is ticking for them to put those systems in place and the clock ticks even louder as breaches continue to surface. The major players realize that they need to be ready for continued assaults by the end of 2014 not the end of 2015.

That’s one of the things that Paull said brought him to Merchant Warehouse. A month into his new role as Chief Revenue Officer, Paull says that its Genius platform is about helping retailers undertake the admittedly “somewhat complicated” job of outsourcing the myriad of services and technology that they’ve spent a lot of time bringing in house.

“What we’ve been working at for three years in developing the Genius platform is the ability for the retailer’s point of sale to stay intact as they have it, but for them (or their ISV or VAR) to write to a to write to a basic API in our cloud platform, to have a backend communication to the payment terminal.  There’s no physical connection in the store, the payment terminal talks to the cloud, talks to our servers and so does the POS system and therefore the payment data and card data never goes through the point of sale system and never touches their enterprise systems.  That was a major effort for us.”

Paull says that Merchant Warehouse can help their customers get this service up and running very quickly, implementing their solutions in a “60 to 90 day window.”

“We have three to four brands that you would recognize moving into pilots with us and trying to do this as quickly as possible,” Paull commented. “They not only want to offer new options at the point of sale for their customers but they’ve had evidence of people trying to attack them and they need to take action quickly.”

Even with that, Paull doesn’t think that Merchant Warehouse alone will solve the problem of securing consumer payment data, but he does think the pendulum is starting to forcefully swing back to retailers wanting to devise the most efficient total payments strategy, not only one focused on saving money by bringing things in house.

“I do think this will be interesting to watch.”