E-retailers can leverage technology and tactics to avoid falling prey to cyber criminals.
Cyber criminals aren't resting. They're constantly finding new ways to defeat retailers' data security and fraud prevention systems—whether they're stealing millions of credit card accounts in one fell swoop, perpetrating fraudulent transactions or finding new vulnerabilities to exploit.
That means retailers that let their guard down risk becoming the next high-profile victim of a data breach that shakes consumers' confidence in their brand and costs money. Staying ahead of criminals requires retailers to regularly evaluate their security and fraud prevention systems to spot weaknesses criminals can exploit.
"Fraud prevention and data security is an arms race that retailers can't afford to fall behind in," says Justin Morgan, information security officer for payments processor Litle & Co., a Vantiv company. "Criminals are becoming better at using technology to enter a retailer's system and strike unnoticed."
Bridging the gap
Retailers can stay ahead in the risk management arms race by sharing consumer behavioral data across their various sales channels. Doing so provides retailers a more complete picture of fraud patterns. This capability is especially important for retailers with robust online and offline operations, according to Jeff Sawitke, chief product officer for Verifi Inc., a provider of risk management and electronic payment solutions for card-not-present merchants.
"If the merchant launches a new channel on another platform or through a third party, access to customer data from other channels may be limited or not available for use in fraud screening," he says. "Data-sharing limitations increase a merchant's fraud risk because those orders may not get the same level of review and validation as orders in other channels. That creates a weakness in the merchant's system criminals can find and exploit."
Retailers should apply the same fraud tools used in existing channels to new channels. "If a retailer is using IP address verification on its e-commerce site, it should be using it for the mobile site too," Sawitke says. "The goal is to create a consistent, singular view into customer behavior across all sales channels. Then, as it relates to fraud management, the retailer should tune its strategies to each channel."
Leveraging consumer behavioral data across channels makes it possible for retailers to move away from rules-based fraud detection models that use a series of predetermined fraud screens, such as orders originating from countries with high incidence of fraud, toward more sophisticated "neural models" that score a transaction's risk based on behavioral attributes, such as sudden spikes in spending or purchase velocity. Parsing those behaviors helps improve a retailer's ability to distinguish fraudulent transactions from legitimate transactions with each transaction it reviews.
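An added illustration, not from the article or any vendor named in it: a purchase-velocity check run first on each channel in isolation and then on the pooled, cross-channel view. The order data, the 15-minute window and the threshold are constructed assumptions, and this is a single behavioral attribute, not a neural model.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders: (customer_id, channel, timestamp, amount_usd)
ORDERS = [
    ("cust-17", "web",     "2024-03-01T10:00:00", 40.0),
    ("cust-17", "mobile",  "2024-03-01T10:03:00", 55.0),
    ("cust-17", "web",     "2024-03-01T10:05:00", 60.0),
    ("cust-17", "partner", "2024-03-01T10:07:00", 480.0),
    ("cust-17", "mobile",  "2024-03-01T10:09:00", 520.0),
    ("cust-42", "web",     "2024-03-01T09:00:00", 35.0),
    ("cust-42", "web",     "2024-03-01T18:00:00", 42.0),
]

WINDOW = timedelta(minutes=15)   # assumed review window
MAX_ORDERS_IN_WINDOW = 3         # assumed velocity threshold


def velocity_flags(orders, siloed):
    """Return customers with more than MAX_ORDERS_IN_WINDOW orders inside WINDOW.

    siloed=True  -> each channel only sees its own orders
    siloed=False -> one pooled view of the customer across all channels
    """
    groups = defaultdict(list)
    for customer, channel, ts, _amount in orders:
        key = (customer, channel) if siloed else (customer,)
        groups[key].append(datetime.fromisoformat(ts))

    flagged = set()
    for key, times in groups.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most WINDOW.
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_ORDERS_IN_WINDOW:
                flagged.add(key[0])
    return flagged


if __name__ == "__main__":
    print("per-channel view:", velocity_flags(ORDERS, siloed=True))
    print("pooled view:     ", velocity_flags(ORDERS, siloed=False))
```

No single channel sees more than two of cust-17's orders, so the burst only crosses the threshold once the channels share data.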
"Using 'big data' to identify fraud requires the right analytical engine to dig deep and uncover anomalies in the behaviors that indicate potential fraud," says Greg Wooten, chief executive officer for SecureBuy, a SignatureLink company, and provider of dynamic fraud detection applications. "From a fraud perspective, the goal is to use big data to create a safe and stable shopping environment that allows retailers to attract customers and grow their businesses."
The vendor's SecureBuy Powered with FICO tool combines neural technology, which identifies relationships between complex data sets to detect fraud patterns and learns as it goes, and adaptive analytics that score transactions by comparing current transaction behavior to recent known fraudulent and non-fraudulent behavior. This combination allows retailers to automate the fraud-screening process. The vendor integrates its cloud-based screening solution, which it developed using technology from analytics and credit scoring firm FICO, into the checkout page.
When a transaction's score exceeds the merchant's risk threshold, the customer is prompted to authenticate herself using SecureBuy's reengineered 3-D Secure verification, which links the customer to her credit card issuer.
"By using FICO technology we are allowing card-not-present merchants to use some of the same big-data analytic technologies that 95% of the credit- and debit-issuing banks in the United States have been using to prevent fraud for more than 20 years," Wooten says.
Fraudulent transactions are not the only threats posed by criminals to retailers. Part of what makes retailers highly attractive targets to criminals is the amount of credit card account data running through their systems. Many cyber criminals are focused on intercepting that data as it travels through the merchant's system to its processor and back. Once the data has been hijacked it can be resold to fraud rings.
But a retailer can use tokenization to diminish the value of cardholder data to criminals. Tokenization replaces consumers' payment card data with a software token that acts as a proxy during most of the payment process. For example, when the shopper enters his card account information on the merchant's site, the system encrypts that information and sends it directly to the merchant's processor, which decrypts it and sends it to the shopper's card-issuing bank for authorization via a secure connection. The processor then returns an acceptance or denial code to the merchant along with a token, which the retailer can store for future use should a chargeback dispute arise.
"Because the token is a substitute card number, even if a criminal intercepts it and breaks the algorithmic code that created it, he has no access to the key that maps the token back to the original card number," says Litle & Co.'s Morgan.
Litle & Co. can provide retailers real-time tokenization as well as retroactively tokenize credit and debit card numbers a merchant has on file. Tokenization also significantly scales back what a merchant must do to comply with Payment Card Industry guidelines for protecting stored credit card data, since a merchant that employs tokenization is not storing actual card data, Morgan says.
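The tokenization flow described above, as an added sketch that is not Litle & Co.'s implementation or any processor's API: the class names, the `tok_` format and the approval stand-in are hypothetical, the card number is a standard test value, and encryption in transit is assumed rather than shown.

```python
import secrets

TEST_PAN = "4111111111111111"  # well-known test card number, not a real account


class ProcessorVault:
    """Hypothetical processor side: the only place the token-to-card mapping lives."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def authorize(self, pan, amount_cents):
        # Stand-in for the issuing bank's decision, which a real processor requests.
        approved = amount_cents > 0
        token = self._token_by_pan.get(pan)
        if token is None:
            # Random value: nothing about the card number can be computed from it.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return approved, token

    def detokenize(self, token):
        # Processor-internal lookup, e.g. while handling a chargeback dispute.
        return self._pan_by_token[token]


class Merchant:
    """Hypothetical merchant side: stores tokens, never card numbers."""

    def __init__(self, vault):
        self._vault = vault
        self.orders = []

    def checkout(self, order_id, pan, amount_cents):
        # The card number goes straight to the processor and is not kept here.
        approved, token = self._vault.authorize(pan, amount_cents)
        self.orders.append({"order_id": order_id, "amount_cents": amount_cents,
                            "approved": approved, "token": token})
        return approved


def stolen_records_containing(merchant, pan):
    """Records in a copied merchant order table that reveal `pan`."""
    return [o for o in merchant.orders
            if any(pan in str(value) for value in o.values())]
```

A copy of `Merchant.orders` yields only tokens; recovering a card number requires the vault's mapping, which never leaves the processor.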
But even though tokenization is effective at protecting cardholder data, it still won't stop criminals from attempting to pass themselves off as legitimate customers. One way to stop fraud at checkout is to have a payment solutions provider that can cross-reference transactions over its entire merchant base to identify common data elements that may indicate fraud.