January 21, 2016

Retail Data Security: Why There Are So Many Challenges

If you just went by the headlines, you’d think retailers were the only ones getting pummeled by cyber thieves.

Granted, retail data breaches get the most media attention because store names are so recognizable.

Also, a Verizon report showed that in 2014, retail accounted for 1 in 13 breach incidents (financial services accounted for about 1 in 7).

At the same time, when you look more closely at the numbers, there’s a lot to be worried about. Retail organizations detected 154% more incidents in 2015 compared to the year before, according to the Global State of Information Security Survey. While the average cost of a data breach stayed relatively constant for most industries, the cost of a retail data breach increased from $105 per record in 2014 to $165 in 2015, according to the 2015 Cost of Data Breach Study: Global Analysis.

What are some of the retail data security challenges faced by businesses today?

Keeping Customers Happy: Retailers need solutions that protect sensitive data but don’t slow down transactions. While two-factor authentication is more secure, for example, some customers may balk at having to take numerous steps to complete their transaction.

Credit and Debit Cards: Information thieves love credit and debit card transactions because of all the personal information attached to the cards. Retailers are slowly transitioning to EMV cards, which are credit cards equipped with computer chips that authenticate cards and transactions and make it more difficult to create counterfeit cards. While the complete transition to chip card readers may take several years, criminals are expected to increasingly shift their focus to debit cards.

Online Business: Chip technology can’t prevent online fraud. According to a Wired.com story, the UK, which has had chip-and-PIN cards since 2003, experienced a huge increase in ‘card-not-present’ transaction fraud – from 30% to 69% of total card fraud between 2004 and 2014. A 2015 LexisNexis study found that revenue lost to retail fraud in 2015 was nearly double the previous year’s amount because of online and mobile fraud.

Third Parties: Third-party suppliers can be a bridge to an organization’s confidential information. The Shred-it 2015 Security Tracker showed that 58% of small businesses don’t perform security checks when procuring a third-party vendor. Experts now prioritize assessing the security of retail companies’ third-party business partners.

Compliance: With conflicting breach notification laws in 47 states, “a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs,” said a National Retail Federation spokesperson.

Insiders: A recent Osterman Research report identified employees as a huge security risk. Permanent and temporary workers used shared credentials, according to the report, and many respondents couldn’t identify systems that temporary employees accessed. There’s a cyber risk when employees use a point-of-sale system as a personal computer, visit websites they shouldn’t, and send out confidential data. Stockpiling old computers also puts confidential information at risk. The solution: educate employees on best practices for protecting data.

Identity theft is a very real risk that accompanies retail breaches. Read our identity theft whitepaper on how to protect against identity theft and fraud.