California AG Plug For Stronger Retail Security, Encryption Could Fuel Channel Sales

Retailers need to take action to lock down payment environments and protect credit card data, California Attorney General Kamala D. Harris said.

Harris, who released her second annual Data Breach Report on Thursday, called for tougher breach notification rules and urged retailers to support chip-enabled and encrypted point-of-sale terminals.

The breach at retail giant Target, which took place at the end of 2013, and the breach at e-commerce startup LivingSocial together accounted for 93 percent of the more than 17 million records associated with security incidents in 2013, according to the report. The Target breach affected the payment card data of approximately 41 million customers. At LivingSocial, the names, email addresses and passwords of about 50 million users were exposed in a breach.

More than half of the data breaches were the result of hacking and malware, according to the Attorney General's study, and the intrusions impacted 18.5 million Californians in 2013. The number of reported data breaches increased by 28 percent, from 131 in 2012 to 167 in 2013, according to the report. Nearly all the breaches involved either Social Security numbers or credit and debit card numbers, according to the study.

The widely anticipated breach report, combined with the long line of retail data breaches throughout 2014, is expected to reinforce the increased attention being given to retail security, solution providers said. The breaches have prompted retailers to reassess their security postures, increasing engagements from regional security consultancies to systems integrators and managed service providers.

Solution providers interviewed by CRN at the recent McAfee Focus Partner Summit said the breaches have raised awareness about the need for better security. Funding may be shifting from other IT resources to support expanded security strategies at some organizations, said Mark Behan, director of the security business unit at Dimension Data, which uses McAfee to deliver its managed security services.

"We're seeing some of our high-performing vendor partners doing well and recording good results," Behan said. "Our own businesses are growing well. I think there is spend being freed up for security approaches."

The Attorney General urged retailers to rapidly deploy new payment terminals that support new chip credit cards, designed to prevent the use of fraudulent credit cards at retail brick-and-mortar stores. She also called on the California State Legislature to enact legislation that provides funding assistance to enable small retailers to deploy the modern terminals.

"As banks continue to issue chip cards, retailers should invest in the upgraded point-of-sale terminals and software needed to enable the machines to read the chip. Without these upgrades, consumers will remain vulnerable even when they are using chip cards," Kamala said.

President Obama ordered federal agencies to move to the new payment terminals beginning next year and encouraged agencies to adopt encryption. Solution providers said the deployment of the new chip-enabled terminals could prompt increased spending at retailers looking to add security controls on back-end payment systems and potentially enable hardware encryption to protect data at the time a purchase is made.

The U.S. leads the world in credit card fraud, accounting for approximately 47.3 percent of global card fraud losses, while in that same period the U.S. generated only 23.5 percent of the total transactions for goods and services, according to card and mobile payment statistics from The Nilson Report.

Criminals are focusing on the U.S., and in particular conducting counterfeit card fraud, as Europe and other markets secured themselves with new chip-enabled terminals, said Bob Reany, group head of authentication product development at MasterCard, one of the major card brands encouraging retailers to move to the new payment terminals by October 2015.

"The U.S. is increasingly becoming one of the last really easy places to commit fraud and because of that it looks very much like something we need to address now," Reany told CRN.

MasterCard and the other brands will shift fraud liability off of the retailer if the equipment is installed and in use by that date. Once the new modern terminals are rolled out and new chip cards are in the hands of consumers, the spending should drive a broader deployment of the new terminals, Reany said.

Security experts warn retailers and solution providers that the modern chip-enabled terminals will not reduce data breaches. Card data is still transferred during a payment and the information can be stolen and used to commit fraud online. Enabling point-to-point encryption or tokenization or eliminating the card data altogether would have a more significant impact, Reany said.

Harris also recommended full-disk encryption on devices that may contain sensitive data including removable media. The study recommends a risk assessment and a regular review of privacy and security policies.

The Attorney General also called on the state legislature to strengthen breach notification rules, forcing organizations to place a conspicuous breach notification message and link to a notice page for at least 30 days.