In the military, there is a concept called acceptable losses and it, candidly, calculates how many of your fighters are likely to be killed under different scenarios. But all businesses do similar calculations – building in losses as part of “doing business” is the ROI calculation of any business – those in the payments ecosystem are no exception.
The tradeoff that retailers, in particular, must make is what an acceptable loss is for them. Perfect security is impossible and impractical – with the cost of trying to achieve such a state way outweighing the benefit, if such a benefit could even be achieved.
And, naturally, the reason retailers are such attractive targets for cyberthieves is because, as Willy Sutton famously said, "that's where the money is." Well, not really, but it is certainly where their source of income is – cardholder data. The reason that so many in the industry are so enthusiastic about Apple Pay is not the “wow” factor of the payment experience but the fact that its unique tokenization and security framework prevents any usable data from being stored at the retailer or even on the phone. Tokenized account information is stored at the card networks (or large issuers who can provide such services). And, the Apple Pay tokenization framework also generates a one-time account number each time a transaction is generated at a store. Tokenized account credentials and tokenized transaction credentials reduce the number of usable pieces of data that thieves can get their cyber-hands onto.
But as we approach the one-year anniversary of the breach of the 70+ million payment cards at Target—followed shortly by the 56+ million payment cards breached at Home Depot – not to mention the several dozen others that happened in between, it does raise a number of important questions about what payments professionals could do differently.
Holiday shopping, when thieves of all kinds are the most aggressive, is ironically and frighteningly when some retailers make their security rules more lax. Consider what happened last December, in the midst of the Target disclosure. Typically, when a breach is confirmed to have accessed specific card numbers, those cards are immediately shut down and new cards are issued. Why give the thieves time to use the cards? Why wait for the first actual thefts to happen?
But in mid-December, when every shopping day is worth far more revenue than days in August or February or September, retailers and issuers were faced with some difficult decisions about what to do. One the one hand, they didn’t want to inconvenience shoppers unnecessarily but they wanted to protect them – and themselves given the size and scope of the breach.
So, for example, JPMorgan Chase chose to limit cash withdrawals to $100 and daily purchases to $300 for any of the stolen Target cards. Citibank at the time said it was issuing no restrictions on its confirmed stolen cards from Target until evidence materialized that a specific card had actual thefts.
E-Commerce presents its own challenges, with its need to accelerate transactions as much as possible, in the age of mobile and tablet shopping, also feels the pressure to eliminate friction in the checkout procedures. One of the oldest scams in the book is for crooks to have packages shipped to an address other than the one on file with the card company – a trick much easier to get away with in December because so many gifts truly are being shipped to different addresses. A big and open question for etailers is whether or how to impose the additional authentication—and run the risk alienating and losing a legitimate customer.
PCI compliance is a must and has been for years. But it's critical to remember that PCI is a good list of best practices, nothing more. Being PCI compliant doesn't make a business immune to a successful attack any more than locking your home's doors and windows means that no professional burglar can break in. PCI compliance is a security starting point and everyone in the payments ecosystem agrees that retailers and/or businesses that handle card data must go far beyond those guidelines to protect their customers and themselves.
Another holiday security nightmare is gift cards. Gift cards are the card thief's best friend. When a card is stolen, thieves know that the clock has started—the thief only has hours and maybe minutes before the shopper realizes the card is missing, reports it and has the card deactivated. That means that the thief must convert it to cash quickly. The best way to do that is to quickly purchase expensive merchandise, items that can later be unloaded on eBay or even on street corners. But buying expensive items can take time, so thieves often see gift cards as the best way to buy themselves more time.
They know that once the card is shut down, investigations generally move slowly. It will often be hours before it's discovered that a gift card was purchased and gift card records—even today—make it difficult to identify the exact card sold to electronically deactivate it quickly. That gives the thief time to use that card to buy that merchandise at a more leisurely pace. But the holidays see a ton of gift cards purchased so that's hardly a security heads up.
Fear not, though. There is one security counter-measure that is 100 percent effective. Data thieves universally get stockings filled with black coal. Santa’s naughty and nice list databases really should be leased by Visa.