No matter a retailer’s shape or size, cybercriminals don’t discriminate. In recent years, the number of attacks targeting retailers has significantly gone up, with 75 percent of them saying that they have been targeted at some point. According to a report from the National Retail Federation, retailers in the U.S. lost nearly $47 billion to cybercrime in 2017, and fraudsters aren’t slowing down.
As cyberattacks against retailers continue to mount, more companies are heavily investing in protecting data and payments alike. Nearly 85 percent of 196 retailers surveyed by data security solution provider Thales said they plan to increase their security spending in the coming year.
Stopping cybercriminals takes more than just money — those funds must be directed at the right tools, technologies and techniques if retailers want to curb cybercrime. In this Deep Dive, PYMNTS examines past efforts to stop retail fraud and what’s being used today.
Public action and regulations
As fraud has become more widespread in the retail sector, several governments, regulatory bodies and other public authorities worldwide have taken an increasingly active role in protecting merchants and their customers.
In Europe, for example, the European Central Bank (ECB) undertook several efforts to strengthen retail security. In 2003, when online revenues were just a small fraction of today’s totals, the ECB released recommendations to protect personally identifiable information (PII) and financial details exchanged in these transactions with two-factor authentication, among other steps. The European Banking Authority followed up on those recommendations by passing new ones in late 2014, which are still in effect today.
In 1999, President Bill Clinton of the United States issued a presidential directive to create the Financial Services – Information Sharing and Analysis Center, a group that identifies cybersecurity threats, coordinates fraud protections and shares information with companies in a wide range of industries.
Recently, the U.S. Federal Reserve has also looked to protect retailers and their customers. In June 2015, the Fed brought together a group known as the Secure Payments Task Force, which was comprised of a diverse group of companies and stakeholders that issued their own recommendations for improving retail security. The group’s report, Strategies for Improving the U.S. Payment System, called for a faster, more efficient and secure payments system, specifically designed for online transactions.
EMV and 3D Secure
Private players are also looking to help prevent cyberattacks, as shown with the release of the Europay, Mastercard and Visa (EMV) standards. The standards called for retailers to accept card-based payments using chip-and-PIN technology, an upgrade to existing retail security systems.
Similar to the EMV standards, Mastercard and Visa came together in 2001 to design the 3D Secure (3DS) protocols, which offer greater fraud protection to online transactions made via debit or credit cards. These protocols saw an upgrade last year with the release of 3D Secure 2.0. The upgrade provides consumers with a simpler payment experience without sacrificing security and eliminates most of the features that consumers found unpleasant when completing online payments, allowing payment processes to be integrated directly into a website’s checkout and blended more easily with omnichannel features and loyalty programs.
3DS 2.0 also better handles the increasing number of mobile purchases made in recent years. Because consumers expect mobile transactions to happen without interruption, frictionless flow transactions (those that are not interrupted by security protocols) require earlier risk reduction and richer collection of data.
These standards and protocols, paired with technologies like artificial intelligence, machine learning and encryption, have become retailers’ main weapons in strengthening the industry’s cybersecurity.
Implementing best practices
Most projections indicate that retail fraud will continue to increase. As consumers continue to adopt mobile, online and other connected commerce channels, fraudsters will only have more opportunities to get their hands on PII and payments data.
Retailers that want to offer their customers the best protection should not only comply with their jurisdictions’ regulations, but also implement the recommendations and best practices from around the world, and from different sectors of the cybersecurity space.