Criminals are on a relentless hunt to find merchants’ weak spots. The hackers pose a daunting challenge to any retailer selling online—or offline, for that matter. The only way for merchants to fight back, experts say, is to maintain a perfect defense. But being perfect isn’t easy. Internet Retailer magazine’s September cover story explores the threats that those criminals pose to retailers.
A prime example is Target Corp., which was the victim of a highly publicized attack on its computer network last year. It’s not as though Target was unaware of the threat. Target was compliant with the Payment Card Industry Data Security Standards, the set of rules created by payment card networks to protect cardholder data. It worked with FireEye Co. to monitor its systems for suspicious activity. Its systems, at least on the surface, were secure, says Jerry Irvine, chief information officer at information technology outsourcer Prescient Solutions Inc. and a member of the National Cyber Security Partnership. Yet criminals still found a way to steal more than 40 million credit and debit card numbers, as well as 70 million names and addresses, in one of the largest data breaches in U.S. history.
Prior to the breach, the retailer was having a good fourth quarter. But immediately after its Dec. 15 statement alerting consumers to the breach, sales turned south and the merchant has yet to recover. In addition to the lost sales, breach-related expenses cost Target $236 million in the first half of its fiscal year and led to the departures of CEO Gregg Steinhafel and chief information officer and executive vice president for technology services Beth Jacob.
While Target is among the most high-profile victims of criminal hackers, it is hardly alone. The number of data breaches jumped 53.6% in 2013 from 2012, and 54.0% of those breaches were targeted at e-commerce web sites, according to a recent report by security firm Trustwave. Among those victims are e-commerce giants like eBay Inc., Adobe Systems Inc. and the Neiman Marcus Group Inc., as well as small merchants like Made in Oregon.
The September cover story examines how retailers like security and surveillance products retailer BrickHouse Security LLC are responding to the threat. BrickHouse Security, for example, is PCI-compliant; uses tokens, encrypted codes that represent a consumer’s credit or debit card account number, so that it doesn’t have to store actual card numbers; limits the amount of customer data it holds; and minimizes the number of vendors it integrates into its systems.
That approach can occasionally make for a less-than-optimal experience. For instance, a BrickHouse Security call center agent can’t access a shopper’s credit card number, even if the shopper placed an online order just the day before, because as soon as a shopper types his credit card number into the merchant’s system, that number goes to its gateway and is tokenized.
“One of Amazon’s greatest strengths is that it doesn’t make customers reenter their information,” says Todd Morris, the retailer’s CEO. “But even though it’s convenient for the customer, we don’t want to have the risk involved in having that information.”
BrickHouse Security lives with that inconvenience because Morris feels maintaining a strong defense is more important than a simplified checkout process. Being well armed, he says, encourages hackers to move on to an easier target.
“If a hacker wants to get into a retailer’s system, he will, because every company is hackable with enough effort,” he says. “But that’s why we have to limit the amount of valuable data we have so that it isn’t worth a hacker’s effort.”
That’s increasingly important because the number of consumers impacted by data theft is on the rise; the percentage of U.S. adults who report they’ve had personal data, such as their credit card account numbers, stolen as a result of their online activities jumped to 18% in January 2014, up from 7% in January 2013, according to the Pew Research Center.
The situation leaves retailers with a near-impossible, but unavoidable challenge—wage a never-ending battle against increasingly sophisticated criminals, or else. After all, those who fail might not be around long because the majority of consumers—86.6% in a recent poll by contact center software provider Semafone—say they are not likely to do business with a company that has experienced a data breach that resulted in the loss of payment card data.
To read more about the online security threats retailers face, and how merchants like BrickHouse Security and Micro Center are fighting back, check out the September cover story “The war with no end” in the September issue of Internet Retailer magazine.