Retail Breaches Could Spur Channel Business, Modernized Payment Systems

The retail industry, reeling from a litany of recent credit card breaches, could finally get a long-awaited injection of data protection technology, creating opportunities for solution providers that specialize in data security, compliance assessments and modern payment terminal deployments.

Target, Home Depot and other large retailers will be among the first to roll out terminals that support chip-and-PIN cards, but the technology alone doesn't provide the data security benefits, say solution providers. Newly manufactured, encrypted payment terminals would provide the greatest benefit in reducing fraud and help ease the barrage of data breaches, said Chris Camejo, director of consulting and professional services at NTT Com Security, Bloomfield, Conn.

"Encryption needs to happen in the terminal hardware and it's a technology that might have prevented many of these recent breaches," Camejo said. "Until now, most merchants look at the price tag of point-to-point encryption and decide not to do it."

[Related: Home Depot Confirms Breach, Remains Mum On Details]

The good news, according to solution providers, is that new terminals that support chip-and-PIN, also called EMV (Europay, MasterCard and Visa), are fully encrypted.

Target is spending $148 million on security improvements following its massive credit card breach and said it is on schedule to roll out terminals that support chip-and-PIN and encryption next year. Home Depot, which confirmed a breach this week following an investigation of its payment systems, said it would have the technology fully supported by October 2015.

The credit card brands are holding a carrot to spur adoption, with the key date being October 2015. Merchants that accept Visa transactions will be financially liable for any counterfeit fraud losses if their terminals fail to support a Visa card chip transaction. Merchants that support at least 95 percent of MasterCard chip transactions through an EMV-compliant POS terminal will not be liable for any account data compromise penalties. American Express and Discover have similar fraud liability policies for merchants that use terminals that accept EMV cards.

Advocates of the technology say it could take eight years for the payment industry to fully adopt equipment that supports the chip-enabled credit cards. Resellers, system integrators and consultancies that provide security and PCI compliance services for merchants predict that about 60 percent of merchants will adopt EMV-enabled terminals by October 2015.

The long line of credit card breaches may be what the industry needs to accelerate adoption, said Bob Doyle, a security consultant at Cambridge, Mass.-based security consultancy and solution provider Neohapsis. The cost of ripping out payment hardware has always been a major deterrent, Doyle said. Most merchants are going to fully analyze the costs associated with new security technology against the amount of risk reduction it provides.

"If I'm in charge of security at an organization that has been breached, I would pull out my playbook of potential technology upgrades that I was always going to implement, because this is where budgets are opened up to address security," Doyle said.

NEXT: Too Many Uncertainties Create Reluctant Merchants

The PCI Security Standards Council, which manages the payment industry's self-assessment process on behalf of the card brands, issued a statement this week calling on merchants to be more vigilant in maintaining their security programs. A defense strategy needs industry-led standards, technology that protects data, and law enforcement response that includes international cooperation, the council said.

"EMV-chip-based systems offer a significant security advantage in face-to-face retail environments as the technology rolls out in the USA. But EMV chip technology does not solve all payment security challenges," the council said. "Businesses must approach security as a round-the-clock, 365-day-a-year necessity."

The council, which meets in Orlando, Fla., next week as part of its annual community meeting, just started accrediting full point-to-point encryption solution providers and lists six providers globally. Bluefin Payment Systems, one of the first PCI-validated providers of point-to-point encryption solutions in North America, was validated in March. Freedompay, also aiming at the market in North America, was validated last month.

Merchants are still hesitant, caught between the exuberant costs associated with implementing new terminals, a lack of choice in providers of fully validated solutions, and the uncertainties prompted by no clear industry standard for mobile payments, said Avivah Litan, a vice president and distinguished analyst at research firm Gartner. Adoption has been slow for Google Wallet, its payment service for Android devices. Apple Pay, which reportedly is supported by more than 200,000 merchants as well as the credit card brands and issuing banks, was unveiled this week but it is unclear whether iPhone owners will fully embrace the service, Litan said.

"It's difficult for some large merchants to make a long-term decision on whether the technology they are evaluating is viable or not because they don't want to get locked into payment processes," Litan said. "No one wants to pour millions into something when another standard is put in place two years from now."

Early rollouts of point-of-sale systems supporting chip-and-PIN technology in the U.S. appear to have fully encrypted terminal devices, say solution providers.

The transition period could be rocky, said NTT Com Security's Camejo. Card numbers will still be transmitted using the new cards. Consumers that have received chip-and-PIN cards in the U.S. say their cards also contain a magnetic stripe. If EMV terminals fail or none are available, the card could still be swiped. The card brands also may initially support chip and signature, rather than chip and PIN.

The cybercriminals behind the retail breaches will be watching closely, Camejo said. The technology may prevent some fraud, but it won't prevent BlackPOS, the memory-scraping malware involved in some of the latest high-profile breaches, from stealing card numbers.

"With EMV the card number is still transmitted to the computer in the clear and could be captured out of memory by malware like BlackPOS," Camejo said. "The stolen data could be cloned onto another card and used in a store that doesn't use EMV. It also doesn't do anything to prevent the card from being used in online transactions where chips don't come into play."

PUBLISHED SEPT. 11, 2014