Inside Retailers' Defensive Strategy Against Cyber Attacks

It has been a little more than one year since the first reports of large-scale, costly cyber attacks on American retailers. The impact of these breaches has been tremendous, wounding the public perception and stock prices of reputable brands in addition to their bottom lines. Although many of the affected retailers are easily identified from the headlines, the breadth of the attacks is larger than what the media has reported.

The National Public Clearinghouse maintains a database of breach records, and a quick search of it reveals that Albertsons, Dairy Queen and Sally Beauty Supply are just a few names on a long list of affected merchants. According to the 2014 Trustwave Global Security Report, retail is the industry most often targeted by electronic payment system criminals, accounting for 35 percent of the attacks.

As a result of the prevalence of payment data breaches, the U.S. Payments Security Task Force (PST), formed in 2014 and made up of U.S. issuers, acquirers, merchants and payment networks, is actively working to offer recommendations on how to navigate today's challenging and complex environment.

PST, as well as the Payment Card Industry Security Standards Council (PCI SSC), promotes point-to-point encryption and tokenization as the key security technologies for combating electronic payment fraud. Both protect sensitive card data, above all the primary account number (PAN), but they address different exposures: encryption protects the data while it moves from the card reader to the processor, and tokenization removes it from everything the merchant stores afterwards. Either can be used on its own, but they provide the strongest protection in combination.

With encryption and tokenization in mind, retailers are redesigning their payment systems to fortify them against future attacks. Using both technologies together creates a multi-layered defensive strategy and improves the security of the entire payment ecosystem.

Point-to-point encryption
With point-to-point encryption, card data is encrypted with an encryption key inside the card reader at the moment of swipe (or chip insertion), before it reaches the point-of-sale software. The encrypted data, now called a cryptogram, remains encrypted until it is decrypted for payment processing inside the processor's secure decryption environment; the merchant's own systems never hold the decryption key.

A cryptogram can be thought of as an encrypted block of information that looks like random characters, such as "…1E0633C5659D3849CBA3A…". The once valuable payment data has been converted from plaintext into unintelligible ciphertext.

If a hacker captured this cryptogram, he or she could try to guess the key and decrypt the data, as in a brute force attack. However, the key sizes used today are so large that a computer dedicated to guessing keys would need far longer than the lifetime of the card, let alone the transaction, to find the right one; for a 128-bit key, the expected search time runs to billions of years even on hardware trying a trillion keys per second. Modern terminals also derive a fresh key for each transaction, so extracting one key from a tampered device does not expose the other transactions. The practical target, then, is not the cryptogram but the place where decryption happens, which is why P2PE validation concentrates on the tamper resistance of the reader and on how the processor manages its keys. Once encrypted, the sensitive data is nearly useless to an attacker because of the time needed to crack the cryptogram and the low probability that its contents will still be of any value by then.
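The flow described above, as an added example that is not part of the original article or of any vendor's product: the card reader encrypts the track data under a per-transaction key, the merchant forwards an opaque cryptogram, and only the processor, which holds the base derivation key (BDK), can reconstruct the transaction key from the key serial number (KSN) and decrypt. Assumptions are labelled in the code: the HMAC-SHA256 keystream and key derivation are stand-ins for the AES or TDES DUKPT scheme a real P2PE reader uses, chosen so the example runs with the Python standard library only, and the track data is a constructed test value, not a real card.

```python
import hashlib
import hmac
import os

# Constructed sample input: Track 2 data built around the well-known Visa test
# number 4111..., not a real card. Layout: PAN=expiry+service code+discretionary data.
SAMPLE_TRACK2 = "4111111111111111=2512101123456789"


def derive_txn_key(bdk: bytes, ksn: bytes) -> bytes:
    """Per-transaction key from the base derivation key and the reader's KSN (which
    includes a transaction counter). Simplified HMAC stand-in for DUKPT; the property
    shown is that every swipe uses a different key and the BDK never leaves the
    processor (assumption: the reader was provisioned with its transaction keys)."""
    return hmac.new(bdk, b"p2pe-txn-key|" + ksn, hashlib.sha256).digest()


def _subkeys(txn_key: bytes) -> tuple:
    """Separate encryption and integrity keys derived from the transaction key."""
    return (hmac.new(txn_key, b"enc", hashlib.sha256).digest(),
            hmac.new(txn_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_at_swipe(txn_key: bytes, ksn: bytes, track_data: str) -> dict:
    """Runs inside the tamper-resistant reader at the moment of swipe. The POS, the
    store network and the merchant's servers only ever see the returned message."""
    enc_key, mac_key = _subkeys(txn_key)
    nonce = os.urandom(12)
    plaintext = track_data.encode("ascii")
    cryptogram = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, ksn + nonce + cryptogram, hashlib.sha256).digest()
    return {"ksn": ksn.hex(), "nonce": nonce.hex(), "cryptogram": cryptogram.hex(), "tag": tag.hex()}


def decrypt_at_processor(bdk: bytes, message: dict) -> str:
    """Runs only inside the processor's decryption environment, the one place that
    holds the BDK. Integrity is checked before anything is decrypted."""
    ksn, nonce = bytes.fromhex(message["ksn"]), bytes.fromhex(message["nonce"])
    cryptogram = bytes.fromhex(message["cryptogram"])
    enc_key, mac_key = _subkeys(derive_txn_key(bdk, ksn))
    expected = hmac.new(mac_key, ksn + nonce + cryptogram, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(message["tag"])):
        raise ValueError("cryptogram failed integrity check (tampered or wrong key)")
    return bytes(c ^ k for c, k in zip(cryptogram, _keystream(enc_key, nonce, len(cryptogram)))).decode("ascii")


def brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Expected years for exhaustive key search (half the key space on average)."""
    return 2 ** (key_bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    bdk = os.urandom(32)                                  # lives at the processor only
    ksn = bytes.fromhex("ffff9876543210e00001")           # reader id + transaction counter
    msg = encrypt_at_swipe(derive_txn_key(bdk, ksn), ksn, SAMPLE_TRACK2)
    print("merchant sees:", msg["cryptogram"])
    print("processor recovers:", decrypt_at_processor(bdk, msg))
    print("years to brute-force a 128-bit key at 1e12 guesses/s:", f"{brute_force_years(128, 1e12):.2e}")
```

Note that the merchant's copy of the message contains nothing a thief can use: the PAN is not present in the cryptogram, the tag prevents undetected modification, and the key needed to decrypt is only ever reconstructed at the processor.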

Tokenization
Tokenization is the process of replacing sensitive card data with a random, unique value called a token. Essentially, the token is a numeric or alphanumeric substitute that has no value outside the tokenization system. A properly generated token is either random or the output of a one-way process, so there is no calculation that turns a token back into the original data; the only mapping from token to PAN lives in the token vault at the processor.

When the payment transaction is sent to a processor, the processor returns a token for the merchant to use in place of the card data. Tokens eliminate the need for merchants to store and protect actual cardholder data, removing valuable account data from their payment ecosystem entirely. The merchant instead uses the token as needed for post-transaction processes such as a refund or return.

Even if an attacker captured the token, he or she would not be able to decode it to recover the original card data. In addition, since a token is not accepted to initiate a payment transaction, the thief cannot use it to start a new purchase at this merchant or anywhere else. The residual risk is misuse of the merchant's own token-based functions, such as pushing fraudulent refunds through a compromised back office, so access to those functions needs the same controls as any other payment operation.
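The tokenization flow from the preceding paragraphs, as an added example that is not part of the original article or of any processor's actual API: the processor keeps a per-merchant token vault, the merchant stores only tokens against its orders, refunds go through the token, and a stolen token is useless both as a card number and at another merchant. Assumptions are labelled in the code: the token format (random digits, last four of the PAN preserved for receipts, deliberately Luhn-invalid so it can never pass as a PAN) is one common design choice, the class and method names are invented for the example, and the card number is the standard test number, not a real card.

```python
import secrets
from typing import Optional


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Random 16-digit token. Design choice (assumption): keep the PAN's last four
    digits for receipts and customer service, and reject any candidate that happens
    to pass Luhn, so the token can never be mistaken for, or replayed as, a PAN."""
    while True:
        token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
        if token != pan and not luhn_valid(token):
            return token


class TokenVault:
    """Token service at the processor. Entries are scoped per merchant, so a token
    copied from one merchant's database means nothing to any other merchant."""
    def __init__(self):
        self._by_token = {}   # (merchant_id, token) -> pan
        self._by_pan = {}     # (merchant_id, pan) -> token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        key = (merchant_id, pan)
        if key not in self._by_pan:            # same card at same merchant -> same token
            token = make_token(pan)
            while (merchant_id, token) in self._by_token:   # collision guard
                token = make_token(pan)
            self._by_pan[key] = token
            self._by_token[(merchant_id, token)] = pan
        return self._by_pan[key]

    def detokenize(self, merchant_id: str, token: str) -> Optional[str]:
        return self._by_token.get((merchant_id, token))


class Processor:
    def __init__(self):
        self.vault = TokenVault()
        self.ledger = []   # (merchant_id, pan, amount); the PAN stays on this side

    def authorize_purchase(self, merchant_id: str, account_number: str, amount: float) -> dict:
        """A new purchase needs a real PAN (in production, the P2PE cryptogram of one).
        A token fails the Luhn test and is rejected here by construction."""
        if not luhn_valid(account_number):
            return {"approved": False, "reason": "invalid account number"}
        self.ledger.append((merchant_id, account_number, amount))
        return {"approved": True, "token": self.vault.tokenize(merchant_id, account_number)}

    def refund(self, merchant_id: str, token: str, amount: float) -> dict:
        pan = self.vault.detokenize(merchant_id, token)
        if pan is None:
            return {"approved": False, "reason": "unknown token for this merchant"}
        self.ledger.append((merchant_id, pan, -amount))
        return {"approved": True}


class Merchant:
    """Stores tokens only; a PAN never lands in the merchant's order database."""
    def __init__(self, merchant_id: str, processor: Processor):
        self.merchant_id, self.processor, self.orders = merchant_id, processor, {}

    def sell(self, order_id: str, pan: str, amount: float) -> bool:
        resp = self.processor.authorize_purchase(self.merchant_id, pan, amount)
        if resp["approved"]:
            self.orders[order_id] = {"token": resp["token"], "amount": amount}
        return resp["approved"]

    def refund(self, order_id: str) -> bool:
        order = self.orders[order_id]
        return self.processor.refund(self.merchant_id, order["token"], order["amount"])["approved"]

    def database_dump(self) -> str:
        """Everything an attacker who copies the merchant's order table walks away with."""
        return repr(self.orders)
```

The two assertions a practitioner should care about are that the merchant's database dump contains no PAN, and that a token lifted from it is rejected both as an account number for a new purchase and as a refund token at a different merchant; the one thing the token does still authorize is a refund at the merchant it belongs to, which is why the merchant's refund path needs access control of its own.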

Multilayered approach
Point-to-point encryption and tokenization protect sensitive card data from a cyber attack by converting it into encrypted or worthless information: encryption covers the data while it is in transit from the reader to the processor, and tokenization covers what the merchant keeps afterwards. Even if the data is captured, an attacker has no practical way of restoring it to its original state, which removes the raw material for card fraud. The protection holds only as long as the decryption keys and the token vault stay outside the merchant environment, so the processor's decryption environment and vault become the high-value targets and must be protected accordingly.

Ultimately, however, payment security is multi-layered, and no single solution prevents every attack. Retailers are wise to research their options and to combat payment card fraud with a multi-layered, comprehensive solution.

Jennifer Brown is director, integration and secure services, Infinite Peripherals.