
    How to Achieve Better Data Security

    Looking beyond EMV compliance

    By John Karolefski

    When a shopper used a counterfeit credit card to pay for groceries, the bank issuing the plastic traditionally absorbed the loss. But starting in October 2015, the liability shifted to U.S. retailers; that is, they are now financially responsible for fraudulent transactions. To be prepared, merchants needed to upgrade their POS terminals to accept Europay, Mastercard and Visa (EMV) cards, which have an embedded chip designed to protect consumer data. In some cases, this has not been done yet. The card networks also have a role to play in the transition, but they reportedly have been slow to fulfill their responsibilities.

    While the transition gradually takes place, payment terminals that are not EMV-compliant automatically become prime targets for fraud, because they continue to accept cards that rely on the older “magnetic-stripe” processing technology. These stores are easy to find. As an alert shopper, I know which stores in my area of Cleveland accept chip-embedded credit cards and which do not.

    But being EMV-compliant does not protect grocers from the kind of data breaches that several major retailers have dealt with in recent years, according to experts I consulted.

    A different security technology called point-to-point encryption (P2Pe) addresses these threats, according to ECRS, a Boone, N.C.-based provider of retail automation solutions. Ray Steele, executive director of services for ECRS, urges retailers to move to P2Pe because it is the most effective way to ensure that consumers’ credit card data are fully protected. In addition, “an EMV chip-card does not protect you against theft of the card itself, nor does it defend against fraudulent ‘card-not-present’ transactions like internet or telephone purchases.” 

    Bryce Austin, CEO of Minneapolis-based TCE Strategy, says: “Those recent data breaches involved back-end systems that would not have been more secure with EMV cards. The problem that EMV cards solve is that copying a traditional stolen credit card onto a new physical swipe card is something that anyone with a minor amount of technical knowledge and a small amount of money can accomplish. It’s the same technology that hotels use to encode cards for their room keys. EMV cards are much, much more difficult to copy onto a physical card. That being said, with increasing online commerce, including the grocery sector, EMV cards do not make card-not-present transactions more secure.”

    For added security, Austin recommends partnering with a third party, because being PCI (payment card industry)-compliant is similar to building a store to pass a fire code inspection; that is, there are many aspects of separate, unrelated systems that have to be addressed.

    “A third party that has experience with the cybersecurity aspects, the physical security aspects and the processes/procedures of handling credit card information will be a useful ally in achieving PCI compliance,” he says.

    In addition, he recommends reviewing all network settings. Basic cybersecurity best practices will go a long way to make a computer network more resistant to hackers. Reviewing firewall settings, having operating system patching procedures, and implementing strong anti-virus/anti-malware protection will help keep grocers secure, according to Austin.

    “Background checks of the staff are also critically important in the fight against credit card theft – EMV or otherwise,” he adds.

    Bottom line: While waiting for EMV compliance to be finalized, there is other work to be done for better data security.

    About John Karolefski

    John Karolefski is a veteran business journalist with 25 years of experience covering CPG, retail and technology. Over the years, he has edited several trade publications and is the co-author of three books: "TARGET 2000: the Rising Tide of TechnoMarketing," "All about Sampling and Demonstrations," and "Consumer-Centric Category Management." He has appeared on CNN, CBS Radio and BBC Radio to discuss marketing issues. He can be reached at [email protected]
