Comments Regarding the Saks/Lord & Taylor Payment Card Data Breach

April 4, 2018         By: Michael Millington

Earlier this week PaymentWeek received commentary on the situation involving the Saks/Lord & Taylor payment card data breach. The following are comments from Ralf Gladis, CEO of Computop, a payment service provider with over 20 years in business.

 

Ralf Gladis – “From what we already know this latest breach at Saks and Lord & Taylor is an interesting one.  Fraud never goes away; it just goes elsewhere.  The online shop was not affected, but the cash registers were.  After the payment industry focused on data security for online shops it has become easier for hackers to now steal data from retail stores.  What can retailers do about this?

The reason why online shops are more secure nowadays is a result of security standards that include many security measures like firewalls and strong encryption of card data.  However, the standard called PCI (Payment Card Industry) is mandatory for most online shops and only very large retail stores.  Unfortunately, it doesn’t appear that Saks and Lord & Taylor were among this group.  Also, many small and medium-sized retail stores are not obligated to secure their data in a proper and standardized way.  It‘s negligent of VISA and MasterCard to not extend the rules to include SME retail stores, and retailers rarely take such effort voluntarily.

On the other hand, VISA and MasterCard also provide the best solution against this kind of data theft: for card terminals and cash registers in retail stores VISA and MasterCard developed a security standard called Point-to-Point-Encryption (P2PE). When retailers use card terminals and payment providers who support P2PE, the card data is heavily encrypted in the card terminal. The merchant‘s cash register would never get to see card data. Only the payment provider would be able to decrypt the card data. The merchant would only get a token or replacement number which is useless for hackers.

This is the newest technology applied in Europe — while the U.S. is still working on getting EMV in place.  However, P2PE solutions are available in the U.S.  At Computop, we already rolled out thousands of P2PE card terminals in the U.S. and Europe mostly for large international retailers, but there is no reason why other retailers, including SME ones, shouldn‘t take advantage of it, too — it‘s not expensive.  Strong encryption and preventing the data to be stored at a retailer is the best available protection for card data at the moment.”