The cybersecurity firm Gemini Advisory recently announced a large-scale data breach at Saks Fifth Avenue and its sister company Lord & Taylor, compromising 5 million credit cards. While the forensic investigation is still under way, it appears that the breach was likely caused by malware on the parent company’s point-of-sale systems, took place over the course of almost a year, and was only discovered when hackers began peddling slices of the stolen data on the dark Web.
Within a week, Best Buy, Sears, and Delta Air Lines announced that customer data had been compromised from a different hack. And more recently, Brinker International, parent company of Chili’s Bar & Grill, announced that an incident at some of its restaurants may have resulted in unauthorized access to, or acquisition of, credit and debit card data.
While hacked retailers get off with little more than an obligatory apology, millions of consumers are once again anxiously scanning their financial statements for signs of fraud and their banks are obliged to refund their losses. More must be done to ensure retailers use the latest technologies to protect consumers’ data.
Hackers are only becoming more sophisticated, which means retailers must adequately invest in the resources necessary to combat these breaches. To date, they have been mired in 20th-century thinking and penny-pinching tactics, which have allowed hackers to run circles around them. Retailers cannot afford to be behind the eight ball any longer. To protect consumers, the entire payments system must be one step ahead.
EMV chip card technology has proven to be highly useful in preventing fraud, yet some retailers have still fought this technology tooth and nail. According to Gemini Advisory, “This recent breach once again emphasizes the importance of a transition to the more secure EMV POS terminals in retail operations. Although many large retailers managed to migrate entirely from older generation mag-stripe terminals to EMV in 2017, several nationwide chains still have not done so.”
While retailers enjoy a more relaxed, almost nonexistent, regulatory environment compared to their counterparts in the financial-services industry (which are subject to strict data-security standards, requirements, supervision, and examination), they shouldn’t engage in a race to the bottom on cybersecurity standards. Until retailers are subject to similar security regulations to those governing banks and are required to protect consumer data in a similarly stringent manner, they should take more responsibility for the enormous amount of data in their hands by staying on top of the latest advances in consumer protection.
This means starting not only with EMV chip readers but also with contactless payment terminals, which enable customers to pay by tapping their card. Security continues to evolve, and there will be additional innovations in encryption, biometrics, and tokenization to protect customer data in the future. Retailers need to commit to doing right by the people who patronize their stores.
If retailers need any more incentive to do the right thing, they should consider the enormous ripple effect that takes place in the wake of their massive breaches. Not only do banks shoulder the cost of issuing new cards to every affected individual, but consumers may be hesitant to swipe their cards at Saks and Lord & Taylor stores in the future. Additionally, consumers will face the disruption that accompanies the issuance of new credit cards, including complications with routine daily or recurring purchases.
Customers are fed up with the anxiety and inconvenience of these breaches. Retailers should take heed of these warning signs and put the protection of their customers before profits.
—Aaron Stetter is executive vice president for policy and political operations for the Independent Community Bankers of America, Washington, D.C.