Retailers Face Pressure to Boost Cybersecurity Spending

Target To Fast-Track Smartcard Tech After Data Breaches

By Dhanya Skariachan and Phil Wahba

NEW YORK -- Target's decision to speed up a $100 million program to adopt the use of chip-enabled smart cards is just a drop in the bucket when it comes to what retailers need to do to defend themselves against future cyber attacks, according to security experts and IT service providers.

The pressure to boost security spending comes at a time when merchants are already spending millions to fend off online retailer Amazon.com (AMZN) and facing an October 2015 deadline set by payment networks Visa (V) and MasterCard (MA) to accept new payment cards that store information on computer chips rather than on traditional magnetic stripes.

Target, the No. 3 U.S. retailer, said this week it hoped to finish upgrading its payment card network to the more secure "chip and PIN" standard by early 2015, some six months ahead of its previous plan.

The system, already widely used in Europe and Asia, can accommodate cards carrying tiny microprocessors, which makes it harder for cybercrooks to use stolen data.

U.S. retailers have been so focused on cutting costs and expanding their online presence in the past decade that they haven't spent enough of their technology budgets on protecting customer data, security experts and IT service providers said.

While retail spending on overall technology was expected to rise 4 percent annually between 2012 and 2017, U.S. stores spend only roughly 2 percent of their tech budgets on security, with the bulk going to improving their e-commerce, technology advisory firm IDC Retail Insights said.

Unlike their peers in other industries, most retailers still focus on just meeting the basic standards set by the payment card industry rather than substantially beefing up safeguards against increasingly sophisticated attacks, security experts said.

"Retailers have to assume that they are constantly being targeted and actually constantly being penetrated," said Eddie Schwartz, a vice president at Verizon Enterprise Solutions, who urged retailers to take a more proactive approach.

Pressure from Congress, consumer groups and the banking industry following recent theft of customer data at Target, Neiman Marcus and others may be the turning point to get the retail industry to spend more on security, experts said.

For example, Dinesh Bajaj, the vice president of retail and logistics practice in Americas for Infosys, expects retailers to spend more in coming months on encrypting credit card data while storing it in multiple systems.

IDC Retail Insights expects spending by retailers in 2014 specifically for security in the United States to be $720.3 million, an increase of 5.7 percent from last year in part because of the recent breaches. Total tech spending by retailers this year is expected to hit $36.34 billion.

"It's clear that companies need to do a lot more, that they continue to make basic mistakes," Federal Trade Commission Chairwoman Edith Ramirez said at a hearing Tuesday looking into massive data breaches at Target and Neiman that affected millions of shoppers.

Lagging in Security Spending

Retailers spend 4 percent of their technology budgets on security, compared with 5.5 percent for banks and 5.6 percent for healthcare companies, according to technology research firm Gartner (IT).

Security experts urged retailers to set up a non-competitive "collaboration space" where they can virtually meet to share best practices and real-time alerts about data breaches as their peers in telecoms, financial services, utilities, transportation and energy have done.

There are currently more than a dozen non-profit groups known as Information Sharing and Analysis Centers, or ISACs, that share real-time information about cyber threats and other emerging security risks.

"Having the tools and technology isn't enough in this day and age," Michael Kingston, Neiman's chief information officer, acknowledged Tuesday while testifying before Congress. "It's often how you deploy these technologies and what else are you doing, which goes back to make sure we're sharing intelligence as much as we can."

Retailers including Walmart Stores (WMT), Home Depot (HD), Toys R Us, Sears Holding (SHLD), Walgreen (WAG), CVS Caremark (CVS), Best Buy (BBY), Macy's (M) and Neiman declined to share details of their spending on data security.

Target said it has invested "hundreds of millions of dollars" in cybersecurity but didn't give the exact amount.

"Retail has small margins and wants to keep prices low, and so they have been slow to improve their systems," said retail industry IT consultant Cathy Hotka. But the imperative to do so is even greater given how much bolder and more skilled hackers have become, she added.

Tom Litchford, vice president of retail technologies at the trade group National Retail Federation, said merchants have made "significant" investments to classify and encrypt data and to train software developers and other staff.

But data show that retailers have traditionally spent proportionately less on security than other leading industries.

"They don't spend enough on isolating their payment card processing environment from the rest of their store networks and the public Internet," said Gartner analyst Avivah Litan. "This leaves their cardholder data environment open to security holes that the criminals punch through."

-Additional reporting by Alina Selyukh and Emily Stephenson in Washington and Jim Finkle in Boston.

Why Your Bank Thinks Someone Stole Your Credit Card

One reason why Marquis' gas purchases might have triggered a fraud lockdown? Filling their tank is a common first move for credit card thieves.

"Some of the things they look at are small-dollar transactions at gas stations, followed by an attempt to make a larger purchase," explains Adam Levin of Identity Theft 911.

The idea is that thieves want to confirm that the card actually works before going on a buying spree, so they'll make a small purchase that wouldn't catch the attention of the cardholder. Popular methods include buying gas or making a small donation to charity, so banks have started scrutinizing those transactions.

Of course, it's not a simple matter of buying gas or giving to charity -- if those tasks triggered alerts constantly, no one would do either with a credit card. But Levin points to another possible explanation: Purchases made in a high-crime area are going to be held to a higher standard by the bank.

"It's almost a form of redlining," he says. "If there are certain [neighborhoods] where they've experienced an enormous amount of fraud, then anytime they see a transaction in the neighborhood, it sends an alert."

(Indeed, Erin tells me that one of the gas purchases that triggered an alert took place in a rough part of Detroit, which she visited specifically for the cheap gas.)

People who steal credit cards and credit card numbers usually aren't doing it so they can outfit their home with electronics and appliances. They don't want the actual products they're fraudulently buying; they're just in it to make money. So banks are always on the lookout for purchases of items that can easily be re-sold.

"Anytime a product can be turned around quickly for cash value, those are going to be the items that you would probably assume that, if you were a thief, you would want to get to first," says Karisse Hendrick of the Merchant Risk Council, which helps online merchants cut down on fraud. Levin says electronics are common choices for fraudsters, as are precious metals and jewelry.

Many thieves don't want to go through the rigmarole of buying laptops and jewelry, then selling them online or at pawnshops. They'd much prefer to just turn your stolen card directly into cold, hard cash.

There are a few ways that they can do that, and all of them will raise red flags at your bank or credit union. Using a credit card to buy a pricey gift card or load a bunch of money on a prepaid debit card is a fast way to attract the suspicions of your credit card issuer. Levin adds that some identity thieves also use stolen or cloned credit cards to buy chips at a casino, which they can then cash out (or, if they're feeling lucky, gamble away).

When assessing whether a purchase might be fraudulent, banks aren't just looking at what you bought and where you bought it. They're also asking if it's something you usually buy.

"The issuers know the buying patterns of a cardholder," says Hendrick. "They know the typical dollar amount of transaction and the type of purchase they put on a credit card."

Your bank sees a fairly high percentage of your purchases, so it knows if one is out of character for you. A thrifty individual who suddenly drops $500 on designer clothes should expect to get a call -- or have to make one when the bank flags the transaction. If you rarely travel and your card is suddenly used to purchase a flight to Europe, that's going to raise some red flags.

Speaking of Europe, the other big factor in banks' risk equations is whether you're making a purchase in a new area. I bought a computer just days after moving from Boston to New York, and had to confirm to the bank that I was indeed trying to make the purchase. Levin likewise says that making purchases in two different cities over a short period of time raises suspicions.

"I go from New York to California a lot, and invariably someone will call me [from the bank]," he says. Since one person can't go shopping in New York and California at the same time, any time a bank sees multiple purchases in multiple locations in a short period, it's going to be suspicious.
