Cyber security experts say retailers, not consumers, bear most losses in data breaches. But there are ways to protect yourself just in case:
— Check your credit or debit card statements frequently and notify the issuer immediately of any unfamiliar charges.
— Use credit or debit cards that require a PIN for authentication. Store clerks can’t tell if a signature is faked.
— Use numerals, capital letters or symbols in passwords shared with retailers. The more cumbersome a password, the more difficult it is to replicate.
In what appears to be a banner year for security breaches, including a spring attack against Atlanta-based Home Depot, metro businesses are on high alert to keep customer data safe in the waning days of the holiday shopping rush.
To prevent criminals from picking your cyber pocket, companies are using new ways to scramble customer information to keep it secure, while also deploying more secure payment readers. Some are using technology that breaks up data and then restores it at later points in the transaction process.
It’s an important effort for retailers, who saw sales at brick-and-mortar stores slide 11 percent during Black Friday last month, one of the most important shopping days of the year.
While online sales picked up some of the slack, consumer spending during the November-December period is critical because it makes up almost 20 percent or more of annual sales.
The new steps will be largely invisible to consumers, who are being wooed with new technology such as Google Wallet and Apple Pay that makes check-out quicker, not slower. But there is also discussion of enhanced-security credit cards that will require a PIN number to use.
Cyber criminals are not slowing down. Office supplies leader Staples said last week that data thieves stole more than 1 million credit and debit card numbers between April and September this year.
And the recent, much-publicized hacking of Sony demonstrated that a break-in can affect both a company’s bottom line and its image.
“You can think of this as an arms race,” said Aaron Press, director of retail, ecommerce and payments for LexisNexis Risk Solutions. “There has definitely been an increase in fraud in volume and sophistication. At the same time you see merchants increasing their efforts to stop fraud.”
Atlanta-based Chick-fil-A said it delayed the recent roll-out of a mobile payment option on its phone apps in order to triple check security.
“Mobile pay security is critically important,” spokesman Mark Baldwin said. “We do not store credit card data in the app. Instead, we partnered with a leading industry payment processor to keep data safe, which makes using mobile pay equally as secure as using your credit card.”
Meanwhile, Home Depot is banking that its new enhanced encryption, which “takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers,” will help it keep cyber thieves at bay.
The home improvement giant announced in September that it had been hacked earlier in the spring, netting thieves 56 million credit and debit card numbers. The company later said thieves also stole 53 million email addresses.
Atlanta-based gas and convenience chain RaceTrac said it is using industry-specific security provided by pump manufacturers to head off threats to customers.
“Data theft is pervasive … we are constantly working with financial institutions, credit card companies and law enforcement to evaluate and update our security measures,” spokeswoman Ashleigh Womack said.
Security experts said it’s likely some retailers have already been hacked. While some thieves have a “grab and go” mentality, others lie low and hang around for months after infiltrating a system.
That has put a lot of pressure and millions in costs on the backs of retailers to try to protect themselves at the cash register, online and on mobile devices.
“The cost of mounting an attack has changed in favor of the criminal,” said Mark Bower, vice president of product management at Calif.-based Voltage Security.
Retailers could cut their exposure by requiring consumers to do more to verify who they are. But that can slow down transactions and annoy buyers.
The Retail Industry Leaders Association earlier this year launched a resource center to share information on malware, suspect IP addresses or other attack details. The group is pushing banks to issue chip-and-PIN credit cards that require PINs and not just signatures, a move the group said many in the banking industry oppose.
“We have to make it such that when the cards are used there is nothing that the cyber criminals can get from them,” said Andrew Szente, RILA’s vice president of government affairs.
A few banks and retailers, including JPMorgan Chase and Target, have said they plan to issue chip-and-PIN cards.
Other experts back a layered approach. Charles Hoff, chief executive officer of PCI University, an organization that helps businesses comply with credit security regulations, said protecting IT systems is just one part of tightening cyber security. He said others include training employees to protect important information on laptops and to recognize that franchisees or vendors can be back doors for cyber thieves.
“We’re seeing more sensitivity, but we’re not there yet,” he said.