The Year of the Breaches And How The Industry Responded

While it is not quite faster to list the retailers and other institutions that haven’t been breached, the list of those that have been targets is long and scary. Looking back a year, who would have thought that the Target breach, at 40 million cards, would be eclipsed by incidents that followed over the course of the year? Ten months later, Home Depot saw its systems breached in nearly the same way Target’s were, this time with 56 million cards’ worth of data going out the door and up for sale on the black market.

What was interesting, however, was how seemingly immune to security panic the consuming public had become. Target’s breach cost the retailer a 46 percent decline in revenue the quarter after it happened; Home Depot did not see the kind of crippling blow to revenue that Target suffered.

And while Target may have been the “black swan” of the payments industry, at least that is how MPD CEO Karen Webster characterized it, Home Depot is now just another entry on the list of big breaches that started last Christmas and continued as the not-so-welcome gift that just kept on giving. For the moment, the cybercriminal world seems to have moved on: the latest breaches, such as the one at Sony, are of data rather than payments information. That development is none too surprising now that card data is getting too tough to obtain. Why not go after customer and account data instead, so that new accounts and cards can be set up that don’t have to be hacked in order to be used?

The retail ecosystem still cares about security, deeply and from all corners, but the way the ecosystem views securing data is evolving. Securing consumer information is no longer about simply slapping the best security lock on a POS system and hoping for the best; this year, at least, we saw an awfully large number of ways in which the bad guys managed to pick those locks. Instead, security is now about systems that make data unusable: rather than trying to block out the bad guys entirely, the game is to make what they get useless.

PYMNTS spent a lot of 2014 talking to those on the forefront of securing payments online, in the real world, on mobile and at all points in between. These are their best insights.

“What we need to think about is that, first of all, there is no one silver bullet to securing the payments environment.” | Carolyn Balfany, Senior VP, U.S. Product Delivery, MasterCard

In one of PYMNTS’ first interviews on data security in 2014, a theme that persisted throughout the year first emerged: there are no easy solutions and no single solution to the fraud problem. Fraudsters can and will take advantage of any security flaw they can find, and the first rule in combating them, according to Balfany, is to think as expansively as they do.

“What we need to think about is securing all channels. We need to be employing EMV in a face-to-face environment — terminals in retail locations. We need to be employing it at the ATMs, and we need to be employing other tech and security measures as we think also about the card-not-present channel,” Balfany told MPD CEO Karen Webster in an interview.

EMV is a step toward solving the problem, she noted, as are tokenization and a variety of other measures, but the core of an effective defense will be deploying these solutions in tandem and broadly.

“One of the things that we’ve discovered over the course of the last several years is that cybercrime is organized – it’s well conducted and well thought through. That’s now led to larger breaches, better ability to exploit the breach and commit more amounts of fraud in smaller periods of time.” | Drew Luca, Partner and Co-lead of U.S. Payments Practice, PwC

Cybercriminals are not a band of disorganized rabble-rousers, Luca told PYMNTS. Rather, they are organized criminals running a business they take seriously; after all, it is how they make their living. And that business is going to evolve around and past any solution that seeks to disrupt it.

“The reality is, as a better lock is built, a better lock pick comes onto the marketplace. Part of that comes from security that’s been bolted onto the back of a solution that wasn’t originally envisioned in that manner.”

Luca was a security pessimist, noting that the infrastructure used to secure payments needs a redesign from the ground up. Within that redesign there is room to create systems that employ a variety of solutions from the security toolbox, including EMV, tokenization and P2P, among other things. That day, however, is still far away in his view, and until then the goal is detecting and minimizing the effect of organized security breaches.

“In terms of understanding how tokenization really works, I don’t believe (sic) consumers are there. It will be up to the networks, the issuers, to educate our customers as these abilities come.” | Shannon Johnson, SVP Head of Checking & Payments, SunTrust

In November of 2014, about two months after tokenization became a household word thanks to the launch of Apple Pay (and its much-lauded security protocols), MPD CEO Karen Webster sat down with Johnson and Matt Barr, Group Head, US Emerging Payments at MasterCard, to talk tokens and how they will transform payments, specifically customer experience, security and ubiquity, which Barr referred to as the “holy trinity” of payments.

“Tokenization and what’s been introduced through the MasterCard Digital Enablement Service is, we think, very transformational. The end-goal as we see it is that tokenization goes as far as saying that the only place you’ll see a traditional PAN in the future is on a plastic card. Every MasterCard transaction through any channel will eventually be conducted through the use of tokens.”

Key to building the new, tokenized world is consumer education. That education, according to Barr and Johnson, will need to be broad, will need to fold in EMV (an important foundational technology) and will need to bring along both the merchants and the consumers who will have to make the change.

“We probably can’t prevent these attacks 100 percent of the time, but we can certainly do a lot better than what we’re doing now. The reason I say this is that all of the information and technologies available are not necessarily being put to use when it comes to authentication systems.” | Revathi Subramanian, Senior Vice President, Data Science at CA Technologies

There is hope when it comes to security, according to CA Technologies’ Subramanian, but for that hope to be realized, institutions across the board need to get better at using the tools they already have. Simple things make a big difference, she pointed out in her conversation with Karen Webster earlier this year, such as the failure to use something as basic as two-factor authentication.

Also a potential game changer? The use of data, particularly in spotting breach activities.

“All of the information that flows through in terms of cyber-security is not being used intelligently to determine the problematic break-ins. And in gray areas where there is high suspicion that something is going wrong, potential fraudsters should be put through an additional hoop so data is harder for them to get to. Those techniques will really have a huge impact in the security space.”

“Consumers have a relationship with their card issuer, and while they do have a transactional relationship with the merchant, it’s a completely different type of relationship. Cardholders blame merchants for the compromise of their data, but they expect their card issuer to fix it for them.” | Jonathan Hancock, Director of Fraud Management Solutions, TSYS

Consumers may blame retailers when their data gets stolen, but they tend to look to their card issuers to make everything all right. Given the difference in the two relationships, that makes sense to Hancock, but it does mean that issuers need to think carefully about how they approach potential customers when it comes to data.

“People generally feel that their bank has the ability to cover the cost of any fraud associated with the merchant breach, and they expect any losses to be refunded by their issuer or bank. Our survey revealed that consumers would even go so far as to change their bank or issuer for better security against fraud – quite a clear message to issuers on how they can differentiate themselves within the industry.”

And the best way for issuers to reach those consumers? Education, authentication and empowerment. As it turns out, consumers want to be part of the solution when it comes to preventing fraud, but issuers need to give them the tools to do so.

“‘Token’ is a very broad term, like ‘Wallet,’ that is often used by different people to describe many completely different things. A lot of times when an acquirer says to a merchant ‘we’ll hold all card information & give you a reference number’ that’s also often referred to as a token. People think it’s a reference number as opposed to a highly-secure, fully functional, and unique device-based account number.” | Ed McLaughlin, MasterCard’s Chief of Emerging Payments

When is a token not a token? When it’s a digital identity. That’s the approach MasterCard has taken in developing its digital identity system, MDES (MasterCard Digital Enablement System). McLaughlin says the problem with the token conversation today is that it misses the huge part tokens will play in redefining how commerce as we know it will happen worldwide.

“With our digital enablement system, we provide a unique account number for the device that’s bound to that device. We can control how it’s being used once the issuer has authorized that they wish that consumer and that device to have a token, to block illegitimate use of the account. Secondly, when that number is provisioned and put into the device, every transaction that is done with that device has a one-time code that is generated, securely,” McLaughlin told MPD CEO Karen Webster in an interview shortly after Apple Pay launched.

Tokens as digital identity, he says, is how the ecosystem will move beyond a world where a device, whether a plastic card or a mobile phone, defines the payments system, to one where the payments system makes any device that much more useful, and more secure, for conducting commerce.
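The two properties McLaughlin describes, a surrogate account number bound to one device and a fresh one-time code on every transaction, are easy to see in a small model. The following is an added illustration written for this page, not MasterCard’s MDES code or algorithm; the vault layout, the counter-based replay check and the HMAC-derived cryptogram are assumptions chosen to show why a token observed in a breached merchant log is useless on its own.

```python
import hmac
import hashlib
import secrets


def one_time_code(device_key, token, counter, amount):
    """Per-transaction cryptogram: HMAC over token, counter and amount.
    Only the provisioned device and the token service hold device_key."""
    msg = f"{token}|{counter}|{amount}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]


class TokenService:
    """Constructed model of a token service (not MDES): maps a device-bound
    token to the real PAN and verifies the one-time code on each use."""

    def __init__(self):
        self._vault = {}  # token -> [pan, device_key, last_counter]

    def provision(self, pan, device_id):
        # The token is a random surrogate; the PAN itself never leaves the vault.
        token = "tok_" + secrets.token_hex(8)
        device_key = hashlib.sha256(f"{device_id}:{secrets.token_hex(16)}".encode()).digest()
        self._vault[token] = [pan, device_key, 0]
        return token, device_key  # device_key is delivered only to the device

    def authorize(self, token, counter, amount, code):
        entry = self._vault.get(token)
        if entry is None:
            return "decline: unknown token"
        pan, device_key, last_counter = entry
        if counter <= last_counter:
            return "decline: replay"  # a captured message cannot be reused
        if not hmac.compare_digest(code, one_time_code(device_key, token, counter, amount)):
            return "decline: bad cryptogram"  # token without the device key is useless
        entry[2] = counter
        return f"approve: PAN ending {pan[-4:]}"


def demo():
    svc = TokenService()
    token, key = svc.provision("5555000011112222", "phone-1")  # constructed sample PAN
    first = svc.authorize(token, 1, 1999, one_time_code(key, token, 1, 1999))
    replayed = svc.authorize(token, 1, 1999, one_time_code(key, token, 1, 1999))
    # Token leaked from a merchant log, but the device key was never exposed
    leaked = svc.authorize(token, 2, 500, one_time_code(b"wrong-key", token, 2, 500))
    return first, replayed, leaked
```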

“Awareness is key to turning the tide against account takeover fraud. Again, surveillance is so insidious because it often goes undetected, yet it is a critical part of a fraudster’s scheme that allows him to conduct the clean fraud that’s so prevalent today.” | John Sarreal, Senior Director of Product Management at 41st Parameter

“Clean fraud,” where thieves obtain legitimate user identities from the black market or data breaches to compromise a victim’s card account, is on the rise, and malware is getting smarter and more sophisticated in both the mobile and non-mobile space. The solution? Once again, Sarreal notes there is no single solution, but surveillance is part of the package when it comes to beating back cybercriminals.

That is because, while institutions can lock down accounts incredibly tightly with authentication methods, those methods tend to scare off consumers.

“The most overlooked aspect of account takeover is the tendency to over-correct and install so many controls that authenticating your systems becomes a nightmare for the customer. By not considering the customer experience trade-offs, an institution can potentially give up their repeat customers or lose business by not making that customer experience as friction-less as it can be.”

Vigilance, on the other hand, happens outside the customers’ experience, and instead looks for usage patterns that shouldn’t exist.

“The best fraud prevention strategy acknowledges account takeover as the threat that it is and puts protection sensors of various places in their online estate.”

“P2PE encrypts any card or payments device – no matter if it’s an EMV chip, a swipe card, a keyed-in card, a pay stub – right before the device goes into the point of sale. But all three of these technologies need to be in place for the payments security 2.0 landscape that we’re all heading towards.” | Ruston Miles, Chief of Product Innovation, Bluefin

In March of 2014, secure payment technology firm Bluefin crossed a milestone: it became the first company in the U.S. to receive PCI validation for a point-to-point encryption (P2PE) solution. P2PE encrypts payments data on its journey from the point of interaction (e.g. swipe, tap, dip) until it reaches the solution provider’s point of safe decryption.

It’s an important part of the payments solution, though Miles notes that P2PE is really most effective when it is understood as part of the “trifecta” of payments security with EMV and tokenization.

“What we need to focus on is the entire process not on one specific card type, which is the chip,” said Miles. “That’s where point-to-point encryption can protect against hacks.”

While it might be optimistic to hope that the world’s online criminals will take up another business in 2015, more likely than not they won’t. However, those tasked with locking them out are also becoming increasingly sophisticated, as are consumers themselves, who have been breached a few times by now.

The question for 2015 is whether that will be enough – or will 2015 be a year in which 2014’s security woes look tame? We’re hoping that enough of the former happens to make it harder for the latter to be realized.