How to Achieve Better Data Security

When a shopper used a counterfeit credit card to pay for groceries, the bank issuing the plastic traditionally absorbed the loss. But starting in October 2015, the liability shifted to U.S. retailers; that is, they are now financially responsible for fraudulent transactions. To be prepared, merchants needed to upgrade their POS terminals to accept Europay Mastercard Visa (EMV) cards that have an embedded chip designed to protect consumer data. In some cases, this has not been done yet. The card networks also have a simultaneous role to play, but they reportedly have been slow to fulfill their responsibilities.    

While the transition gradually takes place, payment terminals that are not EMV-compliant automatically become prime targets for fraud, because they continue to accept cards that rely on the older “magnetic-stripe” processing technology. These stores are easy to find. As an alert shopper, I know which stores in my area of Cleveland accept chip-embedded credit cards and which do not.

But being EMV-compliant does not protect grocers from data breaches that several major retailers have dealt with in recent years, according to experts I consulted.  

A different security technology called point-to-point encryption (P2Pe) addresses these threats, according to ECRS, a Boone, N.C.-based provider of retail automation solutions. Ray Steele, executive director of services for ECRS, urges retailers to move to P2Pe because it is the most effective way to ensure that consumers’ credit card data are fully protected. In addition, “an EMV chip-card does not protect you against theft of the card itself, nor does it defend against fraudulent ‘card-not-present’ transactions like internet or telephone purchases.” 

Bryce Austin, CEO of Minneapolis-based TCE Strategy, says: “Those recent data breaches involved back-end systems that would not have been more secure with EMV cards. The problem that EMV cards solve is that copying a traditional stolen credit card onto a new physical swipe card is something that anyone with a minor amount of technical knowledge and a small amount of money can accomplish. It’s the same technology that hotels use to encode cards for their room keys. EMV cards are much, much more difficult to copy onto a physical card. That being said, with increasing online commerce, including the grocery sector, EMV cards do not make card-not-present transactions more secure.”

For added security, Austin recommends partnering with a third party, because being PCI (payment card industry)-compliant is similar to building a store to pass a fire code inspection; that is, there are many aspects of separate, unrelated systems that have to be addressed.

“A third party that has experience with the cybersecurity aspects, the physical security aspects and the processes/procedures of handling credit card information will be a useful ally in achieving PCI compliance,” he says.

In addition, he recommends reviewing all network settings. Basic cybersecurity best practices will go a long way to make a computer network more resistant to hackers. Reviewing firewall settings, having operating system patching procedures, and implementing strong anti-virus/anti-malware protection will help keep grocers secure, according to Austin.

“Background checks of the staff are also critically important in the fight against credit card theft –  EMV or otherwise,” he adds.

Bottom line: While waiting for EMV compliance to be finalized, there is other work to be done for better data security.