American shoppers are paying in just about any way they can, from tapping their phones on terminals to smiling at cameras and waving over readers. Millennials – the largest group of consumers – are especially notable for this, showing the highest level of payment diversification of any age group. For that reason, retailers today accept payments in a plethora of ways: cash, cards, ACH, BNPL – you name it. With such an omnichannel approach to payments, however, they are also exposing themselves to new risks.
Let’s look back to the Target and Home Depot breaches, from 2013 and 2014, respectively. In both instances, hackers were able to remotely install malware within the stores’ payment devices and networks to siphon off clear-text credit card data.
The breach ended up costing Target $300 million, and Home Depot $179 million. That’s on top of the damage to their brands, as the incidents headlined newspapers for years afterward. While these are examples of some of the biggest breaches in US history, they also highlight the threat that retailers open themselves up to with omnichannel payments.
“Just one breach can cost merchants millions of dollars to resolve, not to mention significantly damage the company’s reputation among customers. No comprehensive payments experience is complete without a comprehensive payment security strategy,” Ruston Miles, founder and advisor at Bluefin, told Tearsheet.
The risk retailers are looking at with omnichannel payments
An omnichannel payment system is one that accepts payments through multiple channels – a website, a mobile app, and in-store, for example – and creates a seamless experience for consumers as they switch between them. In practice, this looks like the buy-online, pick-up-in-store service that many retailers offer today.
While the age-old methods of fraud like identity theft and phishing pose risks here too, let’s first deal with the specific threats that come with omnichannel payments. Card testing is one of them: crooks use stolen card details to make small purchases that would go unnoticed, to see if the card is still active. Stolen cards are readily available on the dark web, but cardholders often block their cards as soon as they go missing or they suspect the details have been stolen. So thieves test cards to see if a stolen card is usable, and if it is, bigger purchases follow.
There’s also cross-channel fraud, whereby criminals purchase something online with a stolen card and immediately pick it up in person. By doing this, they cut out the delivery time, giving the owner of the card less time to block it. Another way fraudsters misuse cross-channel methods is through a return fraud scheme. They may order something online, use it or pull out some of its parts, and then use another channel, like in-store, to return the product for a refund. By changing channels, they can often dodge the screening processes of any single channel.
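Both patterns described above leave a footprint in a merchant’s own authorization log, and the usual defensive response is a velocity check per card across channels. The following is an added example, not code from the article or from Bluefin: it runs two such checks over a small, constructed event log (card identifiers are already tokenized, so the log holds no card numbers). The first flags a card that racks up several tiny authorizations in a short window, approved or declined alike, since the tester only wants the approve/decline signal; the second flags an in-store pickup that follows an online approval on the same card within an hour. The thresholds, field names and the `pickup` event type are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not real data). Each row is
# (timestamp, card_token, amount_usd, channel, result); the card token is
# the vault token that stands in for the card number in merchant systems.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", "tok_A1", 1.00, "web", "declined"),
    ("2024-03-01T10:00:20", "tok_A1", 1.00, "web", "declined"),
    ("2024-03-01T10:00:45", "tok_A1", 0.99, "web", "approved"),
    ("2024-03-01T10:01:10", "tok_A1", 1.00, "web", "approved"),
    ("2024-03-01T10:20:00", "tok_A1", 899.00, "web", "approved"),
    ("2024-03-01T11:00:00", "tok_B7", 42.50, "web", "approved"),
    ("2024-03-01T11:25:00", "tok_B7", 0.00, "store", "pickup"),
    ("2024-03-01T12:00:00", "tok_C3", 15.00, "web", "approved"),
    ("2024-03-02T12:00:00", "tok_C3", 18.00, "store", "approved"),
]


def _parse(events):
    """Parse ISO timestamps and return the rows in chronological order."""
    rows = [(datetime.fromisoformat(ts), tok, amt, ch, res)
            for ts, tok, amt, ch, res in events]
    return sorted(rows, key=lambda r: r[0])


def flag_card_testing(events, window=timedelta(minutes=10),
                      small_amount=5.0, min_attempts=3):
    """Return {card_token: most small-value auths seen inside any `window`}
    for cards that reach `min_attempts`. Declines count as much as approvals:
    a tester is after the approve/decline answer, not the goods."""
    per_card = defaultdict(list)
    for ts, tok, amt, _ch, res in _parse(events):
        if res in ("approved", "declined") and amt <= small_amount:
            per_card[tok].append(ts)
    flagged = {}
    for tok, stamps in per_card.items():
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over time
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_attempts:
            flagged[tok] = best
    return flagged


def flag_fast_pickup(events, max_gap=timedelta(hours=1)):
    """Return [(card_token, minutes)] for in-store pickups that follow an
    online approval on the same card within `max_gap` (assumed threshold)."""
    last_web_auth = {}
    hits = []
    for ts, tok, _amt, ch, res in _parse(events):
        if ch == "web" and res == "approved":
            last_web_auth[tok] = ts
        elif res == "pickup" and tok in last_web_auth:
            gap = ts - last_web_auth[tok]
            if gap <= max_gap:
                hits.append((tok, gap.total_seconds() / 60))
    return hits


if __name__ == "__main__":
    print("card testing:", flag_card_testing(SAMPLE_EVENTS))
    print("fast pickups:", flag_fast_pickup(SAMPLE_EVENTS))
```

Neither rule decides fraud on its own; the output is a score input for review or step-up verification, and the thresholds need tuning against the merchant’s real approval and pickup patterns before they are enforced.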
Now let’s move on to the more high-tech stuff: hacking. Cyberattacks have also become much more sophisticated over the years. Hackers are no longer only targeting payment data, but also personally identifiable information (PII) and protected health information (PHI). PII and PHI can be resold on the dark web at a much higher price than payment card data and can be used for more lucrative types of fraud, such as identity theft. Retailers accepting digital and card payments have extremely sensitive customer data in their backends – data that needs to be protected.
“Hackers have expanded their threat vectors from simple malware in payment devices to compromising employee or vendor credentials, phishing and smishing, and taking advantage of third-party software vulnerabilities – all with the ultimate goal of getting into your system or network,” Miles said.
Once in, hackers can deploy a variety of malware to locate clear-text payment, PHI and PII data, then compromise and monetize it. Or they can go a step further and launch a ransomware attack, encrypting the retailer’s files and handing over the decryption key only upon ransom payout. If the files have been backed up and there is no need to pay the ransom, hackers may instead threaten to release the sensitive data on the dark web – a threat that only works if the data has not been masked with encryption or tokenization.
Devaluing sensitive customer data with encryption and tokenization
“The COVID-19 pandemic necessitated online and mobile purchases, so you have seen more consumer comfort in not only payment for goods online and through phones, but also entering PHI and PII through these channels. Now, a retailer could have five payment and data endpoints – the POS, e-commerce, mobile, call center, and even an unattended kiosk,” Miles pointed out.
With more payment touchpoints, retailers also increase their attack surface, and hackers find more opportunities for intrusion. Companies with unsecured channels – i.e., data traveling through the channels unencrypted and untokenized – are opening themselves up to high costs and brand damage in case of a breach.
So, merchants offering omnichannel payments need to make sure they have their bases covered with a security strategy that addresses all the different endpoints available to hackers.
A comprehensive payment security strategy would be one that includes a combination of encryption and tokenization to protect data, both in transit and at rest. This approach devalues data so that in the event of a breach, hackers are not able to compromise sensitive info like credit card numbers or email addresses.
Tokenization and encryption, in combination, are essential to devaluing payment data. When a consumer makes a purchase, their financial information is moving between the payment processor, bank, and merchant. An encrypted system makes sure that it is not the actual credit card numbers, for example, that are moving about but rather tokens that have replaced the actual numbers. Merchants and banks are then able to decode these tokens and authenticate the purchase.
Encryption and tokenization devalue the data. What hackers are really after are consumers’ credit or debit card numbers, and thus direct access to their funds. Encrypted or tokenized data is worthless to them: even if they manage to intercept it in transit or lift it from a database, they do not get their hands on anything sensitive.
This got me wondering how the payment security burden is distributed among retailers, payment processors, and banks.
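To make the “devalued data” idea concrete, here is an added example, not code from the article or from Bluefin, of the tokenization half of the strategy: a minimal token vault that hands the merchant a random token in place of the card number (PAN), so that the merchant’s order records, and any dump of them, contain only tokens and the last four digits. The vault itself would live in a separate, PCI-scoped service in practice; the in-memory dictionaries, the `tok_` prefix and the record layout are assumptions for the illustration, and transport encryption between merchant, processor and bank is not shown.

```python
import re
import secrets
import string

# Tokens are drawn from letters only (assumed format) so a token can never be
# mistaken for, or collide with, a run of card-number digits.
_TOKEN_ALPHABET = string.ascii_lowercase
_DIGIT_RUN = re.compile(r"\d{13,19}")


def luhn_ok(pan: str) -> bool:
    """Luhn check: true for syntactically valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """PAN <-> token mapping. Only this component ever sees a real PAN."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("not a valid card number")
        if pan in self._by_pan:     # same card -> same token, so velocity
            return self._by_pan[pan]  # checks on tokens still work
        token = "tok_" + "".join(secrets.choice(_TOKEN_ALPHABET) for _ in range(16))
        self._by_token[token] = pan   # random token: nothing derivable from it
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor-side path that authorizes the charge needs this."""
        return self._by_token[token]


def store_order(vault: TokenVault, order_id: str, pan: str, amount: float) -> dict:
    """What the merchant's order database keeps: token and last four only."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "card_token": token,
            "last4": pan.replace(" ", "")[-4:], "amount": amount}


def contains_pan(text: str) -> bool:
    """Scan a data dump for anything that looks like a live card number."""
    return any(luhn_ok(run) for run in _DIGIT_RUN.findall(text))


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card number (a standard Visa test PAN, not a real card).
    rec = store_order(vault, "ord-1", "4111 1111 1111 1111", 42.50)
    print("merchant record:", rec)
    print("dump leaks a PAN?", contains_pan(str(rec)))
    print("vault resolves token:", vault.detokenize(rec["card_token"]))
```

The point of the design is where the secret sits: a breach of the merchant’s order database yields tokens that cannot be reversed without the vault, and the vault never has to be exposed to the channels (web, mobile, POS, call center, kiosk) that accept the card in the first place.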
“The scope of responsibility for security compliance is the subject of much time, money and consulting, which is a nice way of saying, ‘it depends, and retailers may wish to seek guidance on this point.’ Any party that touches cardholder data is responsible for its safety, whether the entity is the payment processor, a third-party vendor, or the retailer. And, the retailer is further responsible for formally listing all processors and third-party vendors that store, transmit or process cardholder data on their behalf and confirming PCI DSS Compliance for each annually,” Miles told me.
As the world uses increasingly varied ways of paying, retailers understand that lagging in adoption could be costly. Now, it’s time for them to also recognize and manage the risks that come with this adoption.