Although data security should be a top priority in the wake of the large-scale data breaches at retailers including Target, The Home Depot and Michaels, many retailers still have not done everything possible to harden their payment systems.
Only half (49%) of retailers have implemented end-to-end encryption (E2EE) into their payment security plan, while 35% have implemented tokenization of payment data, according to a report from Boston Retail Partners.
The report, titled Beyond EMV: Best Practices for Payment Security, found that retailers have, on average, between eight and 16 potential attack points within their authorization and settlement processes that remain exposed to cybercriminals.
Closing these gaps would not only quell many security doubts but would also save money if a breach later occurs. Companies that make extensive use of encryption and maintain proactive breach response teams reduce their average cost by approximately $19.00 to $23.80 per record compromised.
Additionally, the report recommends retailers strengthen their response teams by hiring a Chief Information Security Officer (CISO). The presence of this type of executive has been shown to reduce per capita costs by $12.20.
The report offered six “quick hit” recommendations for retailers looking to strengthen their security protections:
1. Identify and map current processes that touch sensitive primary account number (PAN) values, including any place where data is encrypted and decrypted in the store;
2. Create a prioritization roadmap for the rollout of security measures across all exposed channels, directed at eliminating any encryption other than initial encryption at the time of credit card swipe or acceptance;
3. Highlight a multi-layered, high-level technological defensive approach;
4. Devise an implementation and communication strategy that fits the individual needs of the business;
5. Invest in a hybrid approach that includes EMV technology, E2EE and tokenization; and
6. Construct a business continuity management plan in the event that a breach does occur, identifying response team roles and responsibilities.
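Recommendations 1 and 5 above (mapping where PAN values appear, then tokenizing them) can be illustrated with a small added example; this is not code from the report or from Boston Retail Partners. It assumes a single in-memory vault and constructed sample POS records using public test card numbers, and it scans records with a Luhn check, swaps each PAN for a random token that keeps the last four digits, and deliberately rejects tokens that would themselves pass Luhn.

```python
import re
import secrets

# Constructed sample POS records (not real card data). The first two PANs are
# public test numbers that pass Luhn; the 16-digit value in the third does not.
SAMPLE_RECORDS = [
    "txn=1001 pan=4111111111111111 amt=19.99",
    "txn=1002 pan=5555555555554444 amt=5.00",
    "txn=1003 ref=1234567890123456 amt=2.50",
]

PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(record: str) -> list:
    """Recommendation 1: flag Luhn-valid card-number candidates in a record."""
    return [m for m in PAN_PATTERN.findall(record) if luhn_ok(m)]


class TokenVault:
    """Minimal tokenization vault: the PAN<->token map lives only here, so
    downstream systems (reporting, loyalty, support) handle tokens, not PANs."""
    def __init__(self):
        self._pan_to_token: dict = {}
        self._token_to_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a Luhn-valid PAN")
        if pan in self._pan_to_token:          # same PAN -> same token
            return self._pan_to_token[pan]
        while True:
            # keep last four digits for receipts, randomise the rest, and reject
            # candidates that pass Luhn so a token never looks like a live PAN.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def tokenize_record(vault: TokenVault, record: str) -> str:
    """Replace every Luhn-valid PAN in a record with its vault token."""
    for pan in find_pans(record):
        record = record.replace(pan, vault.tokenize(pan))
    return record
```

Running `tokenize_record` over each entry in `SAMPLE_RECORDS` leaves the third record untouched, since its 16-digit value fails the Luhn check and is therefore not treated as a PAN.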