An article in Venturebeat the other day suggested 7 reasons why we are going to continue to see credit card breaches at retailers. First I will share their list, then I will add my own.
Their list includes:
- The PCI standard is failing to protect merchants from breaches.
- Merchants are not implementing P2PE (point-to-point encryption).
- Retailers introduce new payment hardware (such as tablets) that is neither designed nor tested for security issues in a hazardous retail environment.
- Merchants add new features to their payment platforms as patches to already buggy systems.
- Many POS systems are still running Windows XP.
- Many card breaches lead to Russia; Russian hackers attack American systems as a patriotic move.
- EMV is not a silver bullet.
The article goes into more detail on each of these, but these reasons are probably obvious. I don’t disagree with any of these conclusions.
Possibly the biggest reason that we will see continued breaches is that fixing the problem is hard. It requires changes to software, far more testing, replacement of old, outdated platforms and changes to business processes. All of these require time, money and possibly expertise that both brick-and-mortar and online retailers have not yet prioritized highly enough. So what retailers do is comply with the PCI rules and state laws and leave it at that.
On top of it, no matter what you do, there is no quick fix. You can do many different things and still get hacked. It has been, and likely always will be, a cat and mouse game.
And, the public is quick to forget (although this has not yet worked for Target – they are still struggling a bit), so retailers add a few more patches and call it good.
From the retailer’s perspective, if someone told you to spend an unending bucket-o-cash on a problem without any assurances that the problem will be fixed, what would you do?
Anyone got a silver bullet?