Below is a reprint of retail analyst Paula Rosenblum’s piece in Forbes on April 2nd. The question on everyone’s mind right now: were Saks and Lord & Taylor relying on EMV alone, with no encryption of card data on the way to the processor? And could there be genuine confusion among retailers about what EMV does and does not do? Five years after the Target breach, it’s hard to believe that might still be the case.
Consumer credit card information was stolen from a number of Saks Fifth Avenue and Lord and Taylor stores over the past year. The group taking credit for the theft is the JokerStash hacking syndicate. They announced the theft on March 28; it was reported by the cyber-threat intelligence firm Gemini Advisory, and confirmed by Saks and Lord and Taylor’s parent company, Canada-based Hudson’s Bay Corporation, on April 2. As usual with card fraud, cardholders are not liable for fraudulent charges made with the stolen cards.
These are the things we know. Almost everything else about the breach raises more questions than it does answers.
We know that approximately 125,000 card numbers have been put up for sale on the dark web by the hacker group. However, the group claims to have stolen five million cards over the past year. The released cards come predominantly from New York and New Jersey locations, but the hackers say they will make the rest available for sale soon. Gemini believes the entire Saks/Lord and Taylor point-of-sale network was compromised, but we don’t know this for sure.
This syndicate seems fond of round numbers in the millions: it also claimed to have stolen seven million credit cards from Jason’s Deli late last year. Jason’s Deli is a much smaller business, a restaurant chain with approximately $500 million in revenue in 2011. It seems unlikely that the number of stolen cards was as high as JokerStash reported. But again, we don’t know this for sure.
Be that as it may, data was clearly stolen from Saks and Lord and Taylor. Given that all the Saks and Lord and Taylor locations were using the EMV (Europay, MasterCard, Visa) chip-card standard, deployed in the U.S. mostly as “chip and signature,” one might think that the credit card data was secure. Theoretically, it should have been, except there’s a really important piece missing from the EMV standard as implemented: any requirement to encrypt card data from the point of sale to the credit card processor switch. What EMV does is make the chip compute a unique cryptogram for each transaction, so a card cloned from stolen data cannot be used at another chip terminal. What EMV does not do is hide the card number: the primary account number (PAN), expiry date and “track 2 equivalent” data still travel in the clear from the card reader through the store’s POS software and network to the processor. That means, if a retailer’s network has been infiltrated by bad guys, without encryption, card numbers can still be read from POS memory or network traffic and stolen; they are then usable online or wherever chips are not checked.
As background, EMV arrived in the United States through the card networks’ October 2015 liability shift: from that date, a merchant that accepted a counterfeit card without chip-capable equipment bore the fraud loss instead of the issuing bank. A year into its implementation, I wrote a piece highlighting just how little had been solved. Frankly, retailers spent a fortune in hardware and software to meet it. However, for reasons unclear, those creating the mandate didn’t see the need for any further encryption.
Most large retailers have taken the initiative to implement point-to-point encryption (P2PE) anyway, for which the PCI Security Standards Council publishes its own standard. As Wikipedia describes it, P2P encryption is a standard that “instantaneously converts confidential payment card data and information into indecipherable code at the time the card is swiped to prevent hacking and fraud.” In practice this means the card data (swiped or dipped) is encrypted inside the reader’s tamper-resistant hardware and decrypted only at the processor, so the retailer’s POS software, servers and network never hold a cleartext card number.
Apparently (although again, we are not sure), Saks and Lord and Taylor were not among those that implemented that. As Greg Buzek, president of IHL Services, pointed out: “EMV never required encryption. We have always recommended P2P encryption and tokenization, regardless of whether a retailer chose to be EMV compliant. That was the only thing that brought security. Having EMV without encryption and tokenization was simply fool’s security. And if Saks indeed was EMV compliant and did not have P2P encryption and tokenization, this is indeed a perfect example of that.”
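The difference Buzek is describing can be made concrete. The script below is an added example, not code from the article or from any retailer or vendor it names. It parses the kind of BER-TLV record a chip reader hands to POS software after an EMV transaction (tags 5A, 57, 5F24 and 9F26 are the standard EMV tag numbers; the values are constructed test data, using the Visa test number 4111111111111111), renders it the way a POS application would when building an authorization message, and runs the same Luhn-validated digit scan that a memory-scraping malware family or an auditor would run over that data. It then does the same for a constructed record from a P2PE-enabled reader, in which the PAN-bearing tags are replaced by a ciphertext and a key serial number under two hypothetical private tags (DFEE10, DFEE12; the hex values are made up and are not real ciphertext). The cryptogram in tag 9F26, the thing EMV actually protects with, is present in both; the card number is readable only in the first.

```python
import re

# Constructed sample: what a chip reader hands to POS software after an EMV
# transaction when the reader does NOT encrypt (no P2PE). Hex-encoded BER-TLV.
#   5A   = Application PAN             (4111111111111111, a Visa test number)
#   5F24 = Application Expiration Date (YYMMDD)
#   57   = Track 2 Equivalent Data     (PAN 'D' expiry service-code discretionary, F padded)
#   9F26 = Application Cryptogram      (the per-transaction value EMV does protect with)
EMV_CLEARTEXT_HEX = (
    "5A08" "4111111111111111"
    "5F2403" "251231"
    "570F" "4111111111111111D25122010000FF"
    "9F2608" "A1B2C3D4E5F60718"
)

# Constructed sample: the same transaction from a P2PE-enabled reader. The
# PAN-bearing tags are gone; a ciphertext blob and a key serial number (KSN)
# travel instead, under HYPOTHETICAL private tags. Only the processor holds the key.
# The hex here is made up for illustration, not real ciphertext.
P2PE_OUTPUT_HEX = (
    "9F2608" "A1B2C3D4E5F60718"
    "DFEE12" "0A" "FFFF9876543210E00001"
    "DFEE10" "18" "3A7C9E1B5D2F8A4C6E0B9D3F7A1C5E2B4D6F8A0C1E3B5D7F"
)


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser for the primitive tags found in EMV card data."""
    out, i = {}, 0
    while i < len(data):
        start = i
        i += 1
        # If the low five bits of the first tag byte are all set, more tag
        # bytes follow; each continues while its high bit is set.
        if (data[start] & 0x1F) == 0x1F:
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        # Length: short form (< 0x80) or long form (0x80 | N, then N bytes).
        length = data[i]
        i += 1
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out[tag] = data[i:i + length]
        i += length
    return out


def pos_view(reader_output_hex: str) -> str:
    """Render the reader's TLV the way POS software does when it builds an
    authorization message: every tag becomes text, so PAN and track data
    in 5A/57 end up as plain digit strings in process memory."""
    tlv = parse_tlv(bytes.fromhex(reader_output_hex))
    fields = []
    for tag, value in tlv.items():
        text = value.hex().upper()
        if tag in ("5A", "57"):
            text = text.rstrip("F")  # drop BCD padding nibbles
        fields.append(f"{tag}={text}")
    return ";".join(fields)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to tell card numbers from other digit runs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(blob: str) -> list:
    """What a RAM scraper (or a DLP scan) does: find Luhn-valid 13-19 digit runs."""
    return [m for m in PAN_RE.findall(blob) if luhn_ok(m)]


if __name__ == "__main__":
    for label, record in (("EMV, no P2PE", EMV_CLEARTEXT_HEX), ("EMV + P2PE", P2PE_OUTPUT_HEX)):
        view = pos_view(record)
        print(f"{label}: POS memory holds {view}")
        print(f"  card numbers a scraper would find: {find_pans(view)}")
```

Running it shows the PAN twice in the unencrypted case (once from tag 5A, once inside track 2 equivalent data) and nothing in the P2PE case, even though both records carry the same cryptogram and the transaction authorizes either way. That is the whole argument of the article in one run: the chip stops cloning, the encryption stops theft, and only the second was optional.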
You may wonder, after driving the retail industry to spend millions implementing EMV, why the banks and card networks didn’t also insist on point-to-point encryption as part of the program. There are no kind answers to that question. The standard as rolled out has gaps, and we have finally seen one of the worst of them exploited.
To summarize, we know data was stolen. We know that the Saks/Lord and Taylor network was infiltrated and that card data was exfiltrated (removed) over the course of a year. We know the group taking ownership of the breach. We know that consumers are ultimately not liable, even though they should monitor their credit card statements for odd charges.
We also know that the EMV program as it sits is incomplete, because it secures the card against cloning but not the card number against theft, even though retailers spent a fortune to implement it.
So what’s a consumer to do? At the end of the day, credit card theft is mostly just an annoyance to consumers. But who needs more annoyances?
Honestly, I recommend using mobile payment options like ApplePay. Apple Pay is like PayPal for stores: the retailer never receives the real card number. When a card is added to the wallet, the card network issues a substitute number (a token, which Apple calls the device account number) that is stored on the phone in place of the card’s own number, and every purchase also carries a one-time cryptogram, so anything a retailer’s systems capture cannot be reused for another transaction. The token itself does not change from purchase to purchase; the cryptogram does, and the mapping from token back to the real card exists only at the network. This is network tokenization. The tokenization Buzek recommends in his quote above is the retailer-side counterpart: once the processor authorizes a payment, it hands the retailer a token to keep in place of the card number, so a break-in at the retailer yields tokens that are worthless anywhere else. Either way, the thing the Saks thieves were after is not there to steal.
I hope we learn more about what happened at Saks and Lord and Taylor. In the meantime, we’ll look for answers to more questions, and we’ll see processors and retailers fighting over who did what to whom.
Hudson’s Bay Corp certainly didn’t need the grief in the midst of difficult results. And banks didn’t really need the cost of replacing up to five million credit cards, either. So the last thing we know is that it’s a mess: an avoidable mess.