The holiday season represents the busiest time of year for retailers and perhaps when they are most prone to data breaches. With an influx of cards entering their system and stores crowded with holiday shoppers, it’s the perfect (snow?) storm for hackers who take advantage of distracted system administrators and employees to deploy their skimming software. This week, we’re taking a look at how prepared — or not so prepared — the retail industry is for this merry, albeit vulnerable, time of year.
EMV-Enabled Card Readers Ready And Waiting
A recent survey conducted by Consumer World revealed that less than 46 percent of major retailers are currently using their EMV-enabled terminals. That means that most, while they have the new hardware, have not yet turned it on at all of their retail locations (or, in some cases, at any of them).
Edgar Dworsky, founder of Consumer World, wondered why he was rarely dipping his smart card while out holiday shopping, despite an Oct. 1 deadline for retailers to adopt the new standard. He decided to survey the marketplace and found that of the major retail chains, only four major retailers were able to process a purchase using the EMV security-enabled technology.
“Virtually all — except for Radio Shack — have installed checkout terminals with the card slots for these chip cards, but most of them did not work. They had not turned on the system yet,” Dworsky told NBC News.
In fact, only 10 chains in the Consumer World survey have enabled the chip card function chainwide: Best Buy, Home Depot, Lowe’s, Macy’s, Old Navy, Rite Aid, Sam’s Club, Target, Walgreens and Walmart.
NBC News followed up with some of the big-name retailers who have not yet enabled their EMV terminals, including Bed Bath & Beyond, CVS, Costco, Foot Locker, Kmart, Kohl’s, PetSmart, T.J.Maxx, Toys“R”Us and Whole Foods. Many have plans to roll out the changes gradually throughout 2016. Mallory Duncan, senior vice president and general counsel at the National Retail Federation, notes that it takes the average retailer about 19 months to get the new chip card payment system up and running. Many stores did not have time to do that before the start of the holiday shopping season, so they decided to delay implementation, he said.
“It seems crazy that all of this money is being spent to send out replacement cards and to install all the new payment terminals at these big name stores, but nothing has really changed — the security is no better,” Dworsky commented. “Plus, it’s really frustrating and confusing for shoppers who see the new terminals and don’t know whether to swipe or dip their credit card.”
More Aware, But Not Necessarily More Secure
After the Sony data breach of the 2014 holiday season and the Target breach the year before that, all eyes have been on data security across many industries, including retail and finance. While the hope is that extra attention has also brought with it improved security, recent studies suggest that might not be the case.
As CRN recently reported, BitSight’s platform compared the security performance of multiple industries and found that retail ranked second only to finance in security, with a score of 700 out of a possible 900 on the BitSight ranking (the finance industry scored 710).
Stephen Boyer, founder and chief technology officer at BitSight, said that that ranking is “encouraging.” He commented: “We’re seeing general performance improvements [in retail] across the board. Awareness is high, and it’s definitely become a board-level issue. We’re starting to see and hear that they’re taking it much more seriously.”
Meanwhile, the impact of a breach on a retailer is very real, with a recent Accenture survey finding that 12 percent of loyal customers won’t return to a retailer after a data breach, while another 36 percent will slow their shopping pace with said retailer. That’s a major hit for any brand to sustain.
So far in 2015, there have been nine reported data breaches in the retail sector compared with 43 reported breaches in 2014, according to Privacy Rights Clearinghouse. The holidays serve as the perfect opportunity for hackers, as retailers are focused on keeping their systems up and running and handling an influx of cards and transactions in the system. That, combined with a seasonal work staff that tends to be less trained and less dedicated to a company, can also cause key signs of in-store system breaches to be missed.
Ajay Arora, CEO and cofounder of Vera (a data security company), recently told CRN, “People have woken up … but a lot has not been done, and we’re kind of in the same state we were a year ago. Some people would say that 50 percent of the problem is realizing you have a problem, but unfortunately, when it comes to cybersecurity, that is only about 2 percent of the problem.”
Arora acknowledges that a year isn’t that long of a time for large companies to make large technical changes, comparing it to turning a battleship.
“I think it’s slow but steady progress in the right direction,” he said. “But there’s still so much at risk. They’re definitely shifting budgets more toward security, but we haven’t seen the fruits of it yet. This holiday season will prove a lot about where the companies stand.”