Monday, April 14, 2014

Retailer Data Protections Standards Must Be Changed


In November, Target was the victim of a record-breaking hack in which approximately 40 million credit card numbers were stolen. Malware had been installed in the large retailer’s security and payments system despite the anti-malware tools running within the company’s network. Target, however, is not entirely to blame for this breach, as the company’s information security had been in accordance with the credit card industry’s cyber security standards.
In 2006, “Visa, MasterCard, American Express, Discover, and JCB International created the [Payment Card Industry] security council to ward off government oversight of the retail payment systems” (Robertson 1). The PCI council audits retail payment systems in order to ensure that they comply with the council’s standards. Logically, if a retailer passes an audit by this body, its systems should be secure; in practice, however, the council’s accreditation “doesn’t always offer much protection against fraud” (Robertson 1). Target, for example, had been granted accreditation merely two months prior to the aforementioned hack, which raises a myriad of questions: Is there something wrong with the PCI’s standards? Why does the PCI exist if it evidently does not work? What steps, if any, are being taken to strengthen the standards and the audit process?
Storing and protecting information has to be the number one concern for every company in this day and age. Many innovations have aided the storage of information; however, these same innovations have correspondingly led to greater exposure of stored data. Stronger security measures have been created, but the retail industry within the United States has lagged in adopting them. These measures include “authentication chips in cards, point-of-sale data encryption, and secondary ID numbers that substitute for card numbers online” (Robertson 1).
The two most effective means of improving security are point-of-sale data encryption and dynamic authentication. With point-of-sale encryption, data is protected from the moment it enters a retail system, leaving less exposure to hackers; however, there is “no equivalent for online purchases” (Robertson 1). More and more individuals are electing to shop online rather than enter a store, so a consumer’s credit card information must be encrypted at the moment it is used online in order to protect the customer. Dynamic authentication is the more effective solution, as it makes stored data useless: “the card can reset its magnetic-strip data with each purchase” (Robertson 1). The sole drawback of this method is that transactions become slower. Retailers and consumers must accept this and sacrifice speed for information security. This method will not only protect credit card data but also eliminate the need to store credit card information at all, because that information becomes “useless.” Both the credit card companies and the retail stores must come together to ensure the security of retail systems, as the information exposed is far too valuable. The aforementioned security measures, point-of-sale data encryption and dynamic authentication, must become PCI standards, as they are the sole means of lessening the hacking of retail data, which has increased 15 percent since 2012.

