Cyber Security Critical for Independents

2/11/2015

Scared, but no longer running away. That’s the general reaction of retailer attendees to various technology topics addressed at the 2015 NGA Show in Las Vegas, which wrapped up yesterday. While presentations included competitive game-changers such as mobile analytics, e-commerce and digital marketing, it was a presentation on cyber security that forced into light a startling truth: without security, technology doesn’t matter. Without security, you may be out of business.

“Cyber Security – A National Perspective” featured Paul Kleinschnitz, SVP – GM, Cyber Security Solutions for First Data, who shared the increasingly harmful impact of cyber attacks on businesses of all sizes.

Following Kleinschnitz’s overview, a panel including Paul Doty, director of information technology at Sendik’s Food Markets, Milwaukee; Ray Sprinkle, president and CEO, URM Stores, Spokane, Wash.; and Ken Grogan, manager of treasury services, Wakefern, discussed security from their on-the-ground positions.

Kleinschnitz pointed to the Target breach of 2013 as a pivotal moment in cyber security. That breach became personal for millions of consumers. It also marked a turning point for small business owners, who, with increasing awareness, understood that security was a problem they needed to address as well. Cyber security is no longer an issue just for big corporations; 90 percent of breaches target small business owners, and attacks are increasing, says Kleinschnitz.

Criminal activity increasingly involves malware, or malicious software. The criminals are most likely located outside the United States and are well-trained in operating what is essentially affordable software. Bottom line: it’s an easy, affordable, low-risk way of making a tremendous profit.

Crime in action

The most prevalent weakness, and the one experienced by Target, begins when a customer’s credit card is scanned. According to First Data, there are two points in the payment process where sensitive cardholder data is at risk of being exposed or stolen:

1. Pre-authorization – When the merchant has captured a consumer’s data and it's being sent or waiting to be sent to the acquirer/processor.

2. Post-authorization – When cardholder data has been sent back to the merchant with the authorization response from the acquirer/processor, and it's placed into some form of storage in the merchant environment. It’s at that in-between stage, where the data has been captured and it’s waiting to be received, that malware grabs the data and runs with it.

Fighting crime

First Data’s TransArmor Solution is designed to offer small business owners critical layers of protection. A key component is encryption with random-number tokenization, which means that personal information is never exchanged, as the token number replaces the cardholder data. The solution, which is compliant with PCI-DSS (Payment Card Industry Data Security Standard), also includes audit, software and hardware monitors of POS systems, a liability waiver, and support experts.

Ray Sprinkle of URM likened being made aware of the 2013 breach to his company being hit by a two-by-four. The Northwest-based co-op food distributor and payment processor serves more than 300 stores, but determined that 67 stores in Washington, Idaho, Oregon and Montana were exposed by the breach. Federal authorities notified Sprinkle that URM stores were a “common point of purchase” for stolen credit card data. His company has adopted extensive security measures since then, and he cautions others in the industry to avoid what URM endured. As with any disaster, there needs to be a plan in place that includes public relations, legal counsel and internal communications, and that is supported with practice and role play. Cardholder information isn’t the only valuable information companies hold, the panel cautions; there are also employee records and pharmacy data, for example.

In a rare light moment on the topic, Sendik’s Doty, who is ISA cyber security-certified, quipped that one of the biggest fears is the proliferation of TLAs (three-letter acronyms) in the arena of retail security.
