Data security has now risen to the top of the heap of conversations in and around the retail industry.
Undoubtedly, security breaches were not the planned topic of discussion for most retailers and solution providers during the 2014 NRF Big Show, but there was no way to avoid the topic.
Target, Neiman Marcus, and Michaels all have had customer data compromised within the past three months — and there are more to come, as warned by the FBI and all industry experts interviewed for this report.
“The rumor mill says there could be six more” breaches on the way, according to Paula Rosenblum, Principal Analyst at Retail Systems Research.
Industry Groups Recommit To Data Security
Not surprisingly, retailers and industry associations are recommitting to a focus on data security. The National Retail Federation (NRF) and the Retail Industry Leaders Association (RILA) both issued letters and statements urging the industry to take measures necessary to better safeguard consumers’ data.
Additionally, Target is investing $5 million in a new cyber security alliance with the National Cyber Security Alliance, the Better Business Bureau and the National Cyber-Forensics and Training Alliance.
NRF President and CEO Matthew Shay issued a challenge to Congress, focusing on support of “Pin and Chip” technology, federal cybersecurity law and the development of one uniform federal breach notification law. Shay challenged banks and card issuers to help move the industry forward. RILA supports some of the same initiatives and further stresses the importance of eliminating the mag-stripe card and establishing more comprehensive guidelines for protecting consumer data collected by retailers.
With more breaches expected, the industry must be diligent about data security. But retailers can’t shutter all stores and they need to continue to advance their businesses to stay competitive.
The question for retailers looking to move forward is:
How will the recent security issues affect top-of-the-agenda innovative technology implementations? And, is EMV the answer?
First, we need to evaluate the current level of comprehension among retailers and consumers regarding security breaches, EMV, NFC and mobile payment. (For clarification, EMV is defined as a global standard for credit and debit payment cards based on chip card technology.) Although the term “EMV” is connected with the idea of “security,” EMV could not have prevented the recent breaches.
To clarify and refocus, Morris described the recent security issues as “data thefts” instead of “data breaches.” He explained: “The common enemies here are the data thieves. Cybercriminals illegally broke into store payment systems and stole consumer payment credentials. EMV is a part of the solution but it is not a ‘silver bullet.’ EMV must be deployed along with point-to-point encryption in order to ensure that no payment data from in-store payment transactions is available for cybercriminals to hack.”
Additionally, consumers have not been well-educated about EMV. “The average non-technical consumers do not understand EMV and they would also not really understand how EMV would have been helpful with these breaches,” said Brad Fick, President of Direct Source. “The bottom line is that the consumers are not happy that retailers do not have proper security to keep their credit card information protected. They don’t care about the technical aspects of the breaches.”
Next Step: Address Both Security And Payment Innovation With New Solutions
Gary Schwartz, CEO of Impact Mobile and Chair Emeritus MEF NA & IAB Mobile, challenges retailers to move the innovation needle: “The question I would pose to a retailer is, whether they should focus on their incumbent payment systems or view security concerns and the pressure from the consumer to be more user friendly at POS as an opportunity to reinvent their store payment process?”
Retailers opting for the latter will be making the investment to upgrade outdated legacy POS systems in favor of solutions that will address all the necessary security elements: PCI DSS, EMV, NFC and more.
But that’s easier said than done, with the push-and-pull continuing between merchants and card issuers Visa and MasterCard. Most recently, retailers won the legal right to expose hidden bank fees to their customers to encourage consumers to make more educated choices about payment methods. But the $5.7 billion settlement between Visa and MasterCard and U.S. merchants was criticized by retailers and the NRF. “The settlement rewards the perpetrators and traps the victims,” said Andrew Celli, an attorney representing the NRF.
Now, with EMV liability shifts on the horizon for October 2015, Visa and MasterCard can expect push-back from the merchant community. Additionally, other factors are affecting the efficacy of EMV, according to Morris. He explained:
- “There are open issues to resolve regarding how EMV will support the ability for merchants to route debit transactions to their network of choice, which is a right provided to them by law under the Durbin Amendment. As a result, retailers still do not have the full technical requirements for how to properly deploy EMV.
- “There is a significant amount of testing and certification that must be done by retailers working with their acquirer processors and the payment networks — and with many merchants needing to complete this process within the same deadline, there will be a logjam for resources.
- “This is an extremely expensive project for retailers, especially those who may not have planned to change out their POS hardware until further into the future.
- “Banks must also issue EMV cards so that consumers have them in their wallets to use in stores, and this is happening quite slowly. Even retailers motivated to complete the migration face a large number of hurdles to putting EMV payments into their stores — it’s a very challenging business case.”
The Impact On Other Retail Innovations
With a hyperfocus now directed toward data security, will some other technology implementations, such as beacons, take a back seat? The experts are divided.
“I think there were going to be issues with beacon technology anyway,” Rosenblum stated. “The same anxiety that caused so much consternation over the Target breach (vs. the ho-hum response to the TJX breach in 2007) is going to be a deterrent to beaconing technology. I don’t see it going up the list. If anything, I see it going down the list.” But, fresh from a Bitcoin event in Miami, Rosenblum is bullish on the potential for the digital currency. The recent data security concerns “may drive the U.S. to wrap some regulations around Bitcoin so it can be used as a viable consumer form of payment. It’s very secure.”
Morris is more optimistic about beacon implementations. “It is my belief that Bluetooth LE — or beacons — is the new technology that will have the most significant impact on physical retail in 2014. The use cases for BLE are mostly driven by marketing with a business case based on driving top-line sales. Although it’s always true that IT resources are scarce, I really don’t expect that security issues related to the recent data thefts will be any kind of meaningful hindrance to the momentum for BLE deployments.”
Fick agreed. “Regarding iBeacon technology, I think that it will stay the course regarding implementations, and retailers will move forward at the project pace that they have planned today. Mobile payments and POS updates are both gaining traction in 2014 and frankly they started the planning in 2013.”
Schwartz said the industry should be looking at other types of innovations, such as: “wireless self-profiling, and location-based and permission-based marketing and commerce. These initiatives are more relevant to the store of the future than EMV.”
It will be interesting to watch this convergence of security and innovation, as retail moves through 2014.
For more on the recent data breaches, click here to read a Q&A article with two industry experts, titled: Financial Analysts Share Insights On Recent Data Security Breaches.