E-retailers need to be on guard after Michaels Stores Inc. announced over the weekend that it may have suffered a payment card data breach in its stores, says Loc Nguyen vice president of marketing at Feedzai, which sells fraud-prevention software.
The arts and crafts retailer said it is working with federal law enforcement officials and conducting an investigation with the help of undisclosed data security experts to establish the details of the situation. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges,” said Chuck Rubin, CEO of Michaels.
Michaels is the latest large retail chain to announce that attackers may have breached store payment networks to obtain customers’ payment card information. Target Corp. earlier this month said that its breach could include information for up to 110 million consumers and The Neiman Marcus Group Inc. breach reportedly involves data from some 1 million consumers. (The Target figures include names and e-mail addresses for about 70 million Target customers. That’s in addition to the 40 million credit and debit card numbers and related data also compromised. There may be overlap between the two groups, which would reduce the number of individuals affected to under 110 million.)
While the craft store chain declined to share how many customers may have been affected by a possible attack or when it believes criminals may have accessed its systems, the situation reinforces the need for online merchants to use several different tools to present fraud, Nguyen says. That includes requiring consumers to enter the Card Verification Value 2 number, a code printed on the back of payment cards, or device fingerprinting, a technique that traces the transaction history of the device being used to initiate a purchase, he says. Feedzai offers fraud-management tools that aim to identify fraudulent transactions.
The average retailer uses 4.9 methods to prevent fraud, according to a 2013 report from CyberSource Corp., an online payment security company that is part of Visa Inc.
The more barriers retailers set up to block criminals, the less likely they are to fall victim to criminals using stolen cards on their sites, says Nguyen.
For instance, 79% of e-commerce operators in the United States ask for those CVV2 codes when customers place orders, according to the CyberSource report. That means that 21% of online merchants have a potential weak spot because they don’t ask for those codes before allowing an online purchase to go through.
“Fraud flows to easiest entry point,” Nguyen says.