Data breaches are not exactly news — since the Target breach of 2013, they’ve gone from being something that was little considered outside a fairly rarified group of people to something that quickly became top of mind of consumers, merchant and card issuers everywhere.
Target closed the calendar year 2013 with the distinction of having “the biggest breach in consumer card data ever,” a title that it happily gave up to others as 2014 turned out to be the Year of the Breach as Michael’s, Sally Beauty, Neiman Marcus, PF Chang’s, Jimmy John’s, Goodwill, Home Depot, Dairy Queen, Staples and K-Mart all got hacked, not to mention about 11 casinos and hundreds of other retailers we don’t have time to list. They all saw their systems compromised and their customers’ card data get sucked into the dark web for cybercriminals to play with.
As bad as that was, 2014 didn’t even represent the peak of the cybercrime arc — the moment at which we as a society realized that there was a problem with cybercrime and collectively managed to turn back the tide on digital threats.
In fact, according to Bluefin Payment Systems’ founder and Chief Innovation Officer Ruston Miles, cybercrime over the past three or four years has been a “hockey-sticking” industry that has been growing exponentially in scale and scope.
“Breaches are moving up and to the right — it’s getting much worse, particularly in certain sectors. In that watershed year of 2013, there were 500 or 600 breaches — in 2016 that number was 1,093,” Miles told an audience that was hanging on his every word during a recent PYMNTS.com Digital Discussion on P2PE. Miles’ point, too, was that these attacks weren’t those of the good old days of DSW or TJMaxx where the bad guys were getting in and liberating some big database of cards. That, he said, is a lot of work. Instead, they are setting up on the cracks out on the margins — and figuring out how to actually automate these attacks so they can go to bed and wake up to a nice breakfast of card numbers from some retailer in the United States.
So, Miles concluded, there isn’t less cybercrime than there was 10 years ago — there’s actually a lot more, and it’s getting more diverse, more complex, more technologically advanced and just plain smarter.
But there is good news — and said Miles, there is hope. Criminals are getting smarter and more adaptable — but so are the tools used to fight them. He cited point-to-point encryption (P2PE), something that he and Bluefin know a lot about as the first such North American provider with a PCI-certified P2PE solution. It was that front seat to the role of such solutions in response to the growing industry of cybercrime that was the subject of that digital discussion.
“When I talk to a merchant, it will often be the case that they are doing one or two things very well — everything is tokenized, they’ve switched to EMV,” Miles recounted, “without realizing that hackers will then just use malware to go after the data in a different way.”
Miles said that the reason that he and Bluefin are such fans of P2PE encryption is that the technology actually devalues the data from the word go — so there is no useful payment data to steal.
The Enhanced Threat
Yes, Miles said, we all know that cybercriminals are an inventive group, which is why malware is getting more specific, targeted and automated. Hackers now use specialized software to spear-phish their way into access to a company’s payment system — and then use all manner of scraping and key-logging software to capture as much payments information as they can.
Wherever that information happens to be — now or in the future.
“IoT is a new commerce opportunity — and now a new attack vector. Just look at what happened last year when cameras, video cameras, cable boxes and routers were mobilized into bots to deliver a massive denial-of-service attack that took down half the web for a period of time,” Miles said.
But, he said, there is a silver lining — hackers can also be lazy — which means that they will also tread paths that have worked for them before.
“We see cybercriminals do the same thing they’ve been doing for four years because it works. They’re just automating it and doing it faster,” he said.
What happened at Target — where an HVAC vendor was the weak link wherein cyber criminals managed to implant PoS malware and make off with millions of customers’ payment card data — astonishingly, he said, is something that continues to happen all over the ecosystem.
“A vendor’s AC contractor doesn’t have credit cards on their mind because it isn’t part of what they do. But their computer has access to a network that has a point of sale on it, and that person can be a conduit to a network where [hackers] can get the good stuff.”
Miles was quick to say that it isn’t as if merchants don’t care — obviously many have embraced EMV and tokenization and are well aware of the critical nature of the problem. The shortfall is not knowing how to think about the solution.
“Hackers are getting ahead because all this data is floating around unencrypted. A lot of folks switched to EMV and thought, ‘Oh, finally this plugs that hole in the ship.’ The problem is that technology was never built to encrypt the data — it was built to make it impossible to copy or clone a card.”
A Multi-tier Approach
Miles noted that when browsing the web — and getting ready to enter any kind of sensitive information — most consumers would not consider using an unencrypted site, at least not in the past decade or so.
Which Miles said makes encryption in payment data the next logical progression. Locking up data has the disadvantage of having to be ever vigilant about the lock 24 hours a day, seven days a week, 365 days a year. Any small error — even on the part of a third-party vendor — where the hackers get in and get at the data makes the investment up until then wasted.
Encryption doesn’t just lock the data — it devalues it, so even if the criminals get it, minus the decryption keys, what they have is completely useless.
“A good rule of thumb for business is if you don’t need to touch the card, don’t do it. Avoid the hot potato. EMV and P2PE and tokenization are the instantiation of that.”
Miles added, “P2PE solutions encrypt the data at any point of interaction, and tokenization does at any point of storage, which makes it absolutely essential to use it in conjunction with other technology.”
And while “all encryption is good,” not all encryption is PCI-certified P2PE — and that level of certification makes a difference.
“All smoke alarms are good, and any smoke alarm is better than not having a smoke alarm. But if that smoke alarm is not monitored and that monitoring can’t get ahold of you — it is not as useful even if it makes a lot of noise,” Miles said.
So saying that all encryption is useful, Miles said, is like saying all smoke alarms are useful — technically true, but obscuring the fact that some versions are much more useful than others. Miles said that Bluefin and the 28 other PCI-certified P2PE providers are just offering encryption that is broadly speaking more useful — because it is routinely updated, regularly evaluated and held to an ever-advancing standard.
“Those thousands of [PCI] requirements contain a lot of things that are terribly important, like hardware-level encryption to prevent RAM scraping or devices that are self-aware and know when they’ve been unplugged and tampered with. A PCI P2PE solution is different and much more strict than just any encryption.”
The ROI Of Streamlining
Apart from being more secure — which is the primary focus — the PCI P2PE solutions are just a better investment on the whole for merchants, because over time they drastically reduce the cost of compliance for merchants.
“With P2PE 90 percent of all the things that merchants are doing to secure themselves under PCI requirements go away as scope is reduced. It makes life easier,” Miles said.
Easier, he noted, because with implementing P2PE, merchants go from 300 PCI DSS requirement down to about 30 — and in some cases as few as 15.
“The ROI on that is huge. All the fees and consulting and internal work and software and hardware and everything that goes into maintenance and grooming in a PCI DSS program in a large organization — or even a small one,” he said.
Taking even a single example — monthly scanning for PCI-compliant card readers — can run to as much a quarter of a million dollars over a decade, Miles noted, a cost that simply vanishes with P2PE. Over time, actual merchants crunching actual data over the past few years with Bluefin estimate an average ROI in the 1,500 percent range.
“The number gets big really quick; the business case makes itself,” Miles noted.
Hackers are going nowhere — in fact, by the number they are proliferating. And as much as an evangelist for P2PE as Miles is, he noted that the challenges will always be shifting and moving and there is never going to be one silver bullet that puts down the hackers of the world. EMV pushed hackers online — better data security pushed cybercriminals to go after other sorts of personal data consumers might have left carelessly saved in places like their LinkedIn profiles that they can use for ever-better access to materials and credentials they aren’t supposed to have.
Hackers will continue to be a problem, but that doesn’t mean the battle is lost, because the advances in P2PE and data security also demonstrate that it is possible to make their jobs much harder — not necessarily by making useful data harder to come by — which would also be ideal — but by making it impossible to use even if the bad guys find it.
Supporting digital discussion slides shown below.