Credit card breaches at Target, Neiman Marcus, and Michael’s last year sent shock waves through the public, after hackers installed malware on point-of-sale (POS) terminals at all three chains and copied data from more than 40 million credit cards.
Now retailers are doing everything they can to bolster payment security, and jewelry sellers may be particularly vulnerable. No one wants to be the next bad-news headline, and not many want to talk about it.
The truth, however, is that credit card fraud is on the rise—both in-store and online—and it doesn’t help that the United States is one of the last economies to migrate to an EMV payment system. (EMV stands for EuroPay, MasterCard, and Visa, the firms that set the standard in 2002 for encrypting identifying information on embedded microchips.)
THE BENEFITS OF CHIP TECHNOLOGY
Magnetic stripes transmit the same data every time you swipe, while chip cards, inserted at POS, encrypt different data for each transaction, making them harder to clone or use fraudulently. Eighty countries have migrated to chip payment systems—including those in Europe, Canada, Mexico, and much of Asia—while the United States still relies on mag stripe. As a result, American consumers have become a prime target for in-store hackers.
The United States “is the easiest place to steal card data today,” says Slava Gomzin, author of Hacking Point of Sale.
“Hackers look for the easy way to steal card data,” says Slava Gomzin, security and payments technologist at Hewlett-Packard and author of Hacking Point of Sale. “It’s much more difficult to steal EMV data than magnetic stripe, so hackers moved to the United States. This is the easiest place to steal card data today.”
News of last year’s breaches hit at the peak of the holiday season, and Target took the biggest hit with up to 40 million credit card accounts compromised and Neiman Marcus revealing another 1.1 million. Details on the Michaels breach have yet to be released. Security experts say Target did nothing out of the ordinary, but Target customer satisfaction took a dip in the first quarter. According to Cowen & Co.’s quarterly Consumer Tracking Survey, Target’s customer service score dropped from 79 percent to 70 percent among upper-income shoppers. The breach was widely blamed for last month’s resignation of Gregg Steinhafel, the company’s chairman, CEO, and president.
Hacking has become more sophisticated since the last major card breach in 2007, when hackers sitting in parking lots outside two T.J. Maxx stores accessed the company’s servers and used the stores’ wireless networks to steal information for 94 million customers. This time, the hackers who targeted Target, Neiman’s, and Michaels apparently installed malware on POS terminals, gathering customer data by scraping their RAM memory. Although EMV technology alone might not prevent this kind of breach, combining chip payment with other encryption measures probably would.
Before the breaches made news, EMV migration was moving along slowly. While smaller countries can make the shift fairly quickly, the United States has more than 10,000 card issuers, a million merchants, and 8 million POS devices that accept cards, according to Randy Vanderhoof, executive director of the Smart Card Alliance. Merchants who don’t make the shift to chip-based cards by October 2015 will assume liability for fraudulent purchases. That gives stores and financial institutions time to get their chips in a row. But some jewelry retailers are now accelerating their own shift.
Borsheims is one. Sunil Luthra, director of information technology for the Omaha store, says Borsheims is working with its RMS (retail management software) provider to integrate EMV at point of sale and will begin accepting chip card payments by the start of 2015. Last year, the company upgraded its in-store and online credit payment gateways to tokenization technology, which automatically replaces sensitive credit card data with unique identification symbols. “Our gateway utilizes high-level encryption to send the credit card data to the processor,” Luthra says, “and we never store any credit card data on any of our servers.”
Credit card fraud has been a business risk for Borsheims for well over a decade due to the company’s “card not present” transactions. “Since we conduct a large portion of our business volume via telephone sales and the Internet, we have policies and processes in place to mitigate those risks,” Luthra says. These include AVS (Address Verification Service) and CVV (Card Verification Value) and scrutiny of first-time client transactions with an internal fraud review. “While we suffer some losses each year related to credit card fraud, our trained staff is our best defense against it.”
Smaller operations have less to worry about with data breaches than chains such as Zales, Kay Jewelers, and Tiffany & Co. “Stealing credit card data is definitely a volume business,” says Vanderhoof. “Hackers don’t want to steal dozens of cards. They want to steal hundreds of thousands or millions of cards.”
THE RISKS FACING INDEPENDENT RETAILERS
Independents, however, are just as vulnerable to the counterfeit cards now flooding the market. “As far as payment security, the average customer in a jewelry store will have credit cards with more funds available,” says Gomzin. “So that makes them a much more desirable target for hackers.”
Credit card counterfeiting happens in three phases, Gomzin says. Hackers steal the data, “carders” buy it and manufacture counterfeit cards to sell online, then “cashers” use the cards to buy merchandise they can unload for big money. Jewelry fits the bill, which makes jewelry retailers vulnerable at the front and back end.
This three-phase process moves fast. Several years ago, this reporter had a credit card cloned while in Bali, Indonesia, even though the card never left her possession. Within a week, someone had charged more than $1,300 worth of jewelry to it, using a counterfeit card bearing someone else’s name. That kind of cloning would have been impossible with a chip card. “If a microchip is used instead of a magnetic stripe at point of sale, the data copied becomes useless for creating a cloned card,” says Guy Berg, senior managing consultant at MasterCard.
While it should help, EMV technology is not enough in and of itself to prevent a breach like the ones that made national news last year. “EMV was not designed to secure the cardholder’s data after the point of sale,” Gomzin says. “With the breaches at Target and Neiman Marcus, cardholder data was stolen after it was entered into the system, from the memory of POS machines. At that point, it doesn’t matter if it was entered through the magnetic stripe.”
HOW WEBSITES ARE VULNERABLE
Experts now say full migration to an EMV payment system in the United States could take five to seven years from the liability shift. At that point, chip-and-PIN or chip-and-signature cards will help protect in-store payments by requiring two-step authentication and offline encryption, but they won’t protect online transactions.
Tek Image/Media Bakery
When cardholder information (such as account number and address) is keyed in rather than electronically processed via swiping or inserting a card, it’s vulnerable to a different kind of hacking. Jewelry retailers with multiple channels are increasingly using mobile devices and social media to connect with customers, adding another layer of vulnerability.
One example is the U.K.-based Signet Jewelers, parent company of Kay and Sterling, which did more than $3 billion in U.S. sales in 2011. As the largest specialty retail jeweler in the world, Signet relies on third-party IT networks to process, transmit, and store electronic information. According to documents filed with the government, the “personally identifiable information” of customers that Signet collects and stores in data centers and information technology networks is a risk factor for the company: “Despite security measures and business continuity plans, Signet’s information technology networks and infrastructure may be vulnerable to damage, disruptions, or shutdowns due to attacks by hackers or breaches due to employee error or malfeasance.”
Even small e-commerce operations should take extra measures to protect such information. “Anyone accepting payments over the Internet needs to have special security measures in place,” Vanderhoof says.
Good bets include tokenization, like Borsheims has installed, or point-to-point encryption. Gomzin believes the latter is retailers’ best hope. Some gateway services provide point-to-point encryption as part of the package, others for an additional transaction fee. Point-to-point encryption—which requires special payment terminals, software, and integration of the POS—is “not simple, but eventually it will significantly reduce the security breaches,” Gomzin says. “There’s no reason for hackers to try to break this type of solution, so they will turn to different merchants.”
Vanderhoof warns that none of these measures is a quick fix. “Point-to-point encryption is not a silver bullet, nor is the chip card, nor is tokenization—or even applying online the security measures of card security code verification and address verification,” says Vanderhoof. “But, used together, these are all layers of security that will provide added protection in the future.”