Holiday Shopping: Retailers Owe Us the Gift of Security

Ah, another holiday season, another shopping period fraught with virtual brigands and highwaymen. At least, that’s what it feels like, after retail data breach after retail data breach has led to millions of people’s payment card information being stolen.

Most of the ink being spilled on the subject involves how we as consumers can stay safe both in stores and online, but there’s another part of the equation: the stores themselves.

Oh sure, many of them say that they’re accelerating their efforts to introduce better point-of-sale technologies, while others have put “stringent security controls in place.” But what have they done, really, to make festive season safe again?

Well…I don’t think we really know.

“Retailers face challenges,” said Wendy Nather, research director at the Retail Cyber Intelligence Sharing Center (R-CISC). “Margins are tight, and companies are also often constrained by technology freezes that stop them from making changes at particularly critical times of the year, such as around the holidays.”

 R-CISC is an organization of more than 50 major retail companies including, TJX Companies, Target, JCPenney, Walgreens, Levi Strauss, Gap and Lowe’s. If you notice, some of those names are rather well-known for having been hacked.

The group was organized in 2014, which is the year after the Target breach became the tip of the spear for a widespread retail loot-fest using compromised point-of-sale (PoS) systems. According to Nather, retailers are often condemned “for not going far enough.”

“A good example is EMV, the technology that places chips on credit and debit cards to help avoid counterfeiting,” she said. “Many US retailers are focusing on chip and signature technology, in which a retail clerk still checks a written signature. This contrasts with chip-and-PIN, which is prevalent in Canada and Europe, where a four digit PIN is still required for verification.”

She pointed out that some are trying: In April 2014, Target pledged to spend $100 million on smartcard technology for its payment systems. But here’s the thing—I shop at Target quite a bit. And in different cities, when I travel. It’s handy for things like trash bags and dish soap (not to mention the old-lady swim skirts that I favor while on vacation). I hate paying too much at the locally-owned grocery store for basics, but I hate giving Wal-Mart money even more. Target’s a nice compromise: a blend of frugality and (relatively) ethical corporate citizenship.

Bank of America sent me a handy, shiny new chip card this fall. It’s a card that a nice man at a kiosk at the Amsterdam Schiphol airport had to explain to me how to use properly—dumb Americans, what are you going to do? But here’s what’s infuriating: Despite that Target pledge, and despite the fact that I and many others now carry chip cards in my wallet, I have yet to run across a terminal that makes use of that chip at Target. Or anywhere else, for that matter.

People in the US aren’t very familiar with chip cards and many mistakenly believe that the presence of the chip itself improves their security protections. That of course is simply not true, because it takes two to tango—and so far, retailers haven’t shown up on the dance floor with new PoS machines.

So beware the virtual thieves in the shopping mall woods this holiday season and try to buy with cash. And if you do use a card, try to limit purchases to one card, to minimize exposure. Also, check your statements regularly, perhaps via a real-time mobile app, so you can catch fraud when it happens. Just remember that it’s open season, and keep your wits about you.

Photo © Syda Productions

What’s Hot on Infosecurity Magazine?