The National Retail Federation and Forrester’s report, The State of Retail Payments 2016, finds that 93% of the 59 North American retailers surveyed said they expect to have point-to-point encryption (P2PE) implemented by the end of 2017. Read Bryan Pearson for Forbes on the report.
There was a time when the most challenging job of a retailer was inventory management. Thanks to the emergence of various payment technologies, that white whale may soon be replaced with risk management.
As retailers test and adopt more payment technologies, such as mobile wallets, they are facing a more acute need to protect their customers’ data. Fraud cost U.S. retailers roughly $32 billion in 2014, up from $23 billion in 2013, according to Business Insider.
Leading the precautionary measures are much-talked-about chip credit cards (EMV), which require special hardware at the register. Three-quarters of surveyed retailers put EMV implementation among their top three payment-related challenges this year, according to the report “The State of Retail Payments 2016,” from the National Retail Federation and Forrester. Eighty-six percent plan to be EMV-ready in 2016.
Yet along with the rush to get this technology installed, retailers also are investing heavily in other ways to protect their data, according to the report.
“In recent years, retailers have honed their payments focus on security and fraud, while innovating in growing payment-related areas,” the report states. “Retailers are keenly aware that the stakes are high for fraud and security.”
Interested in knowing how your data is being protected? Following are three ways retailers said they plan to protect their customers’ data through 2017.
Ninety-three percent of the 59 North American retailers surveyed said they expect to have point-to-point encryption (P2PE) up and working by the end of 2017. Think of P2PE as the Cloak of Invisibility used in the Harry Potter stories. It conceals the credit card data from the moment it enters a payment portal, so it is encrypted before even being sent to the service provider.
“P2PE protects card data while in transit between the merchant and its processor, making it nearly impossible for hackers to skim the actual, usable card data while it is in transit,” the report states. P2PE protects data collected both in stores and from online retailers. Cabela’s, the outdoors activities chain known for large stores with elaborate displays, is among retailers that have implemented P2PE to protect customer card data.
Tokenization beyond a symbolic gesture
Six in 10 of the retailers surveyed (61%) expect to put multichannel tokenization into practice by the end of 2017. Tokenization, a technology that first caused a lot of buzz in 2014, is the practice of substituting sensitive customer data with a benign equivalent of identification symbols. “Tokenization protects cardholder data that is at rest in a retailer’s or vendor’s system by replacing the real 16-digit card number with another 16-digit reference number, thereby making it useless to a hacker,” the report explains.
Thus protected, the data can be safely referenced across multiple point-of-sale or e-commerce systems. When combined with P2PE, tokenization diminishes the risk of cardholder data being breached if a retailer’s systems are broken into. Further, because it is designed to minimize the amount of data a retailer needs on hand, it has become popular among small and mid-sized merchants seeking to boost security. For example, Casper, a startup online mattress retailer, turned to Braintree, a provider of tokenization services, to process its very first transaction.
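The substitution the report describes, sketched as an added example (it is not from the article, the report, or any provider's code). `TokenVault` is a hypothetical in-memory stand-in for a tokenization service; keeping the last four digits and forcing tokens to fail the Luhn check are design assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn checksum that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory stand-in for a tokenization provider's vault."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)
        self._token_by_index: dict[bytes, str] = {}  # HMAC(card number) -> token
        self._pan_by_token: dict[str, str] = {}      # a real vault encrypts this

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if len(digits) != 16 or not (digits.isascii() and digits.isdigit()):
            raise ValueError("expected a 16-digit card number")
        if not luhn_valid(digits):
            raise ValueError("card number fails the Luhn check")
        index = hmac.new(self._index_key, digits.encode(), hashlib.sha256).digest()
        if index in self._token_by_index:  # same card from any channel -> same token
            return self._token_by_index[index]
        while True:
            # Random digits: the token has no mathematical link to the card number.
            token = f"{secrets.randbelow(10**12):012d}" + digits[-4:]
            # Assumption: tokens must fail Luhn so they never pass as a real card.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_index[index] = token
        self._pan_by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; callers would need authorization."""
        return self._pan_by_token[token]


TEST_PAN = "4111 1111 1111 1111"  # widely used test number, not a real account
```

Point-of-sale and e-commerce systems store and exchange only the value returned by `tokenize`; a copy of those systems' databases yields reference numbers that cannot be charged or reversed without the vault.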
Near-field communications are nearer
Half of the retailers surveyed said they would have near-field communications (NFC) in place by the end of 2016. An additional 22% plan to have it ready by the end of 2017. NFC enables two devices to communicate with each other when at close range, making it especially relevant for mobile payments. Android, Windows and newer iPhone models (iPhone 6 as well as the Apple Watch) all include NFC technology.
Simply put, NFC enables shoppers to pay at the register by phone or other device, which in turn simplifies the checkout experience. And, as retailers know, seamless is better. “Many merchants are choosing to enable NFC acceptance when they upgrade to EMV-ready POS terminals,” the report states. But there’s no reason to limit NFC to mobile devices. In August, Visa issued payment finger rings to 45 Olympic athletes. They were able to use them to purchase items at 4,000 NFC-enabled terminals in the Olympic Village and nearby stores. All it required was a tap. By late August, the rings became available to the general public.
Which suggests that in the effort to ensure risk management, some retailers are wrapping data security around their fingers. For the moment.
If I may offer a suggestion: Make the data less valuable. Merchants often hold on to much more data than they actually need. They should consider what data they keep and who gets to see it. For example, limit the data’s exposure only to employees who require access to the actual data files (not the general purchasing insights) and then reconsider what information they should hold onto, and for how long. Think: Is there a need to maintain credit card information months after a consumer made a purchase?
Retailers and credit card processors are moving at an impressive rate to secure customer data. It will take ongoing diligence and commitment to stay the course until the next big technology comes along and changes the game again.