The Fight Against Retail and Cyber Crimes: Better Cards, Better Security

Cyber crimes are skyrocketing—there are estimates that more than $3.5 billion in fraud was committed online in 2013—but security organizations protecting retailers and consumers are pushing back.

Criminals from around the globe steal credit-card numbers from retailers so they can charge items or take out cash from the stolen card numbers. Some argue that the answer is to build a better, more secure credit card.

On Aug. 13, the Payments Security Task Force, a group of America’s largest payment-card issuers, including Chase and Bank of America, forecast that they will have issued more than 575 million credit cards with EMV chips. The task force contends the EMV-chip cards offer improved security against fraud and is superior to the magnetic-strip cards, which typically rely on measures such as the holder’s signature to check against fraud.

“These numbers reflect the significant momentum behind the adoption of the EMV chip in the United States,” Ryan McInerney, president of Visa Inc., said in a prepared statement. “By the end of next year, these issuers estimate that one in two of their U.S. payment cards will be chip-enabled, which represents real progress given the scale and complexity of this overall effort.”

However, cyber security is constantly evolving, and there are other groups searching for ways to make retailers’ payment systems as secure as they can be. The Retail Industry Leaders Association, an Arlington, Va.–retail trade group, named cyber security as one of its top retail priorities in 2014. With its partners, it has been petitioning for different means to boost security, said Brian Dodge, a spokesman for RILA.

“Merchants believe that the chip is part of better security but by no means enough,” Dodge said. “The banks and card networks are limiting the migration to chip only.”

RILA has voiced support for card security that would mix chip and PIN-number measures. The organization and its partners have asked card issuers to work with them to build a new system where no data is stored or transmitted in an unsecure format. The system would offer open technology standards, which Dodge said would boost competition and result in less expenses for merchants.

Cat-and-mouse game

No matter what security technology cards take, it is turning into an increasingly complex cat-and-mouse game, said Judah Phillips, an author of data-processing policy and founder of Boston-area analytics consulting firm SmartCurrent.“Fraudsters and criminals regularly succeed at staying one step ahead of retailers and several steps ahead of authorities,” he said.

Credit-card fraud is much more lucrative for criminals—and holds much less risk for them—than traditional theft, said Joseph LaRocca, founder and president of Retail Partners, a consulting company that works with retailers and law enforcement.

“We’re finding that criminals are diversifying their business,” LaRocca said. “Fifteen years ago, a pickpocket would snatch your wallet, take the cash and dump everything else. In today’s world, the same pickpocket would take the cash, steal the credit cards and sell them. At a minimum, they are draining the full balance of open-to-buy on the card.”

In some cases, the thieves use the credit cards to buy goods for themselves. In other cases, they use the card information to steal cardholders’ identities.

Protect store devices

Computers regularly get hacked. LaRocca recommended that retailers protect their devices in the same way consumers protect their home computers. Retailers should check computers for viruses with antivirus software and protect their computers with firewalls. LaRocca also recommended changing passwords for store devices. If a password has been stolen, the integrity of the device can be protected by changing the password. Another recommendation: Put financial data on a shop’s “clean” computer, where only one executive or a trusted, select group of people will have access to the data.

LaRocca also recommended that store devices be checked frequently. Thieves have placed “skimming devices” in retailers’ cash registers and ATMs. These devices steal credit-card numbers and PIN numbers. The numbers are later sold or used by the crooks to drain bank accounts.

Organized attack

Organized retail crime (ORC) remains a serious threat, said Robert Moraca, vice president of loss prevention for the National Retail Federation trade group, based in Washington, D.C.

Crimes perpetrated by gangs of professional criminals cost America’s retailers $30 billion annually. “[ORC is] an organized effort by street gangs, which do surveillance of stores. They’ll go in with four to five people and overwhelm the place, then leave with 50 to hundreds of items,” Moraca said.

The NRF’s 2014 Organized Retail Crime survey found that eight in 10 retailers were victims of ORC crimes in 2013. The good news is that the rate of ORC has declined. In NRF’s 2011 survey, 94 percent of retailers claimed that they had been victims of retail crime. In the 2014 survey, it was 88 percent. The decline may be due to heavier enforcement. The NRF has encouraged building of partnerships with merchants and law enforcement, such as the Los Angeles Area Organized Retail Crimes Association, to combat crime. Also, 25 states have recently passed stringent laws against ORC recently. (California does not have a specific law against ORC.)

Moraca recommended some prevention measures. “Operate your facility efficiently and effectively. Make sure it is clean and cashiers are attentive. Criminals will pick a store that is in disarray,” Moraca said.