We’re currently experiencing massive disruption in the consumer credit landscape. Several major credit card companies recently announced that they will remove the signature requirement for in-person transactions, beginning in April 2018.
With the launch of facial recognition technology on Apple’s iPhoneX and other devices, retailers are poised to use consumer faces to create more effective selling strategies. And the federal government is pushing legislation that would force creditors to notify consumers of data breaches in a much shorter timeframe.
Amid all this change, the same old stuff keeps happening. Data breaches increased by nearly 50 percent from 2016 to 2017, according to the Identity Theft Resource Center. More recently, hackers infiltrated luxury retailers Saks Fifth Avenue and Lord & Taylor, stealing the credit card data of over 5 million customers.
Retailers who want to win big with consumers will need to leverage the advantages of wide-scale change – including the increased loyalty and higher sales associated with store-brand credit cards. However, they must put practices in place that will protect customer data and internal systems as much as possible. Here are our top 5 tips for securing credit programs:
Attain AND maintain PCI compliance.
If you’re a retailer that handles credit card transactions online, you’re already well aware of PCI compliance standards. The compliance level your business must validate against depends on the number of transactions you handle per year – except after a breach, which moves you straight up to Level 1, the most rigorous level of PCI compliance.
If we look at the numbers around PCI compliance, they don’t paint a very rosy picture:
- Verizon investigated PCI DSS compliance for a span of 10 years. During that time, they found zero companies that were PCI DSS compliant at the time of a breach.
- Breached merchants were out of compliance with nearly half of PCI DSS requirements when breached.
- Almost three-quarters of consumers reported that they would be less likely to purchase from a breached merchant.
The key here is to maintain PCI compliance constantly – not just when the PCI Auditor is on-site, looking for gaps. The PCI Data Security Standard is incredibly comprehensive. It provides a great deal of protection against data breaches – IF your business fully complies, at all times.
Minimize the storage of sensitive data.
Hackers and data thieves can’t steal something that you don’t have. When making decisions on what data to keep and what to discard, remember to store only the data that is required to conduct business – and nothing else.
Retailers need to replicate many of the same processes they have in place for major credit cards – but this time, for their own credit programs. That means not retaining (or quickly disposing of) sensitive cardholder data, including the data contained in a card’s magnetic stripe, authentication data for chip cards, and the 3-digit validation code on the back of many cards.
Encrypt all sensitive data that you keep.
Even though retailers shouldn’t keep too much sensitive data, they still need to keep some data for transactions. And PCI DSS allows for the storing of critical inputs like the cardholder name, primary account number, service code, and expiration date – as long as the appropriate protections are put in place.
The best way to secure this customer data is to encrypt all data wherever it is stored. Otherwise, critical customer information can be compromised by simple unauthorized access to systems and databases.
PCI DSS requires strong cryptography, meaning encryption methods that meet industry best practices for strong encryption. One-way hash functions, data truncation, and index tokens are also recommended. For retailers, it likely makes sense to replicate whichever encryption method they are using for major credit cards in their store credit security measures.
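The retention rules from the two sections above (drop sensitive authentication data, keep the account number only in truncated or tokenized form), applied to one transaction record. This is an added Python example, not code from the original article; the field names, the sample transaction and the HMAC key are constructed assumptions, and in practice the key would live in a key-management service or HSM.

```python
import hashlib
import hmac
import secrets

# Sensitive authentication data that PCI DSS forbids storing after authorization
# (full magnetic-stripe/track data, chip authentication data, CVV, PIN).
# Field names are assumptions for this example.
SENSITIVE_AUTH_FIELDS = ("track_data", "chip_auth_data", "cvv", "pin_block")

# Placeholder key for the index token; a real deployment loads this from a KMS/HSM.
INDEX_KEY = secrets.token_bytes(32)


def _digits(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111111111111111' match."""
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan: str) -> str:
    """Truncate a PAN to the first six and last four digits, the most PCI DSS
    allows to remain readable; the middle digits are replaced, not stored."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def index_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN, usable as an index token to link a
    cardholder's transactions without retaining the PAN. The hash is keyed
    because the space of valid PANs is small enough to enumerate once the
    issuer prefix is known, so an unkeyed SHA-256 of the PAN could be reversed."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(txn: dict, key: bytes = INDEX_KEY) -> dict:
    """Return only the fields of a transaction record that may be retained."""
    stored = {k: v for k, v in txn.items()
              if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(txn["pan"])
    stored["pan_token"] = index_token(txn["pan"], key)
    return stored


# Constructed sample record (test card number, fake values).
SAMPLE_TXN = {
    "pan": "4111 1111 1111 1111", "cvv": "123", "track_data": "%B4111...?",
    "cardholder_name": "J DOE", "expiry": "1226", "service_code": "201",
    "amount": "19.99",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_TXN))
```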
Monitor security networks and respond to alerts.
Imagine that your house is on fire. You call 911 and let them know that you need a fire truck immediately. Their response is to either not answer the phone, or upon picking it up, hang up the phone and do nothing.
It’s a pretty crazy scenario, right? Imagine the same example applied to the monitoring of retail security networks. A retailer complies with PCI DSS, and creates a monitoring system for specific types of activities. When those activities happen, alerts go to an unmonitored email address. Or maybe they don’t go anywhere at all – they live in a dashboard that no one checks. What’s the use?
In order to prevent security breaches of credit programs, retailers must actively monitor networks and investigate incidents expeditiously and completely. For overtaxed, understaffed retailers, this monitoring can be outsourced to a security company. Others may choose to build it in-house. No matter the method, alerts cannot be ignored – all we have to do is look at the massive (and easily preventable) Equifax breach to understand why.
Use system tools to identify legitimate customers and fraudulent entities.
Retailers have all sorts of tools in physical stores to manage real shoppers versus potential thieves. These tools include video surveillance, in-store security staff, sales associates and managers, and security tags on merchandise that trigger alarms when exiting the store.
The same type of strategy must apply to the online experience. In order to protect sensitive customer data, retailers must deploy robust tools to differentiate between customers and attackers. These tools examine signals such as where a connection originates and whether that source has taken part in other attacks, in order to detect malicious intent. A couple of common examples are:
- Challenge-response mechanisms, which most consumers know as the CAPTCHA form;
- Behavioral analysis, which gathers data during transactions to better understand legitimate versus fraudulent behavior.
For any method retailers use, the key is to use tools that apply identification techniques without negatively impacting the experience of legitimate customers.
Retailers can offer credit programs AND defend against threats.
Consumer credit headlines can be both exciting and frightening, depending on whether you’re reading about the latest innovation or a massive data breach. But retailers don’t have to risk it all to provide competitive, loyalty-driving credit options to their customers. With vigilant, effective security measures in place, retailers can drive increased sales by managing security threats proactively.