Protecting consumer data from cybercriminals has become a hot topic.
Ever since the major breach of Target’s system in December, which affected 70 million customers and resulted in the recent resignation of CEO Gregg Steinhafel, the vulnerability of personal data has been top of mind.
As part of the ongoing discussion, Tom Litchford, National Retail Federation vice president for retail technologies, testified in April before a Homeland Security Subcommittee. “The targeted retailers are victims in these situations,” he said.
One area that needs improvement is the outdated method of using a card with a magnetic stripe to make purchases, he added. Much of Europe has already adopted new payment cards — called “chip and PIN” — that rely on a computer chip in the card and then require the customer to enter a PIN to authorize the purchase.
“The bottom line is that signature and mag-stripe based cards are inherently fraud-prone products,” Litchford testified. “Unfortunately, retailers and our customers are largely at the mercy of the dominant credit card companies when it comes to reducing card fraud.”
Visa and MasterCard have set an October 2015 deadline for retailers to be able to accept chip and PIN cards, and retailers need to be aware of it as their business software companies plan for the deadline.
The pool and spa industry is getting on board as well.
“We’re already discussing with our payment processor how to go about integrating those new products because it will involve new terminals and so forth,” said Steve Hawkins, software manager and lead developer at Evosus Business Management Software, based in Vancouver, Wash.
After Target’s breach, the mass retailer installed a new credit card processing system that doesn’t transmit any account numbers after the cards are swiped. Instead, when a shopper uses the card, the system transfers a “token” or string of digits associated with the account without storing account information. This token-based approach has been rapidly adopted by many retailers and business software producers.
“Even if a hacker would break into our customers’ [systems], there’s nothing they could get but a token, and that token would be useless to them,” said Rick Brunori, president of North Versailles, Pa.-based RB Control Systems. “It wouldn’t represent anything to them, just a series of numbers and letters.”
Neither RB nor Evosus has had retailers report recent security issues.
As for what shoppers know about their stored encrypted information, that depends on the retailer.
“We leave it up to our customers to convey that,” Hawkins said. “But we can communicate to [stores] that their credit card information is encrypted strongly, that all transmission of data is secure from the client PC to the server, and that old card holder data is culled out of the system after a period of time.”
Having been a victim of card information theft himself, Dan Lenz is very concerned about how All Seasons Pools & Spas stores customer information.
“It hits home a bit when you’re affected that way,” he said. “… We certainly want to make sure that our data is secure so that we’re doing the best we can to protect it from happening to others.”
That vigilance is what keeps the vice president of the Chicago-area store wearing one of his multiple hats — that of IT technician. With 30 computers, applying the major updates and frequent patches to each terminal takes a lot of time, but he wants to make sure it’s done.
“Having the software is one thing, but maintaining updates to it is another critical part,” Lenz said.