Retailers learn new cybersecurity considerations, get a glimpse into the future of payments.
During the Monday afternoon sessions at the 2015 Conexxus Annual Conference, guests heard from experts about best practices in cybersecurity as well as the future of payments.
Brigadier General (retired) Gregory Touhill, deputy assistant secretary for cybersecurity operations and programs in the Office of Cybersecurity and Communications, Department of Homeland Security, addressed the room in a session called “Not If, But When—Cybersecurity Information Sharing,” and noted, “Cybersecurity is not a technology issue, it’s a risk management issue.”
He noted that 70% of all cyber issues can be prevented by instituting cyber best practices beginning with a cybersecurity risk management framework. A cybersecurity risk management framework has five attributes:
- Identify what you have, both in terms of what is attached to your network and the threats against those assets. “It’s hard to defend it if you don’t know what you have,” Touhill noted. “Look at what you have through the eyes of a criminal. What would a criminal want with your information? How about through the lens of an adversary? What is your information worth to them?”
- Protect. “You want to be able to protect against those threats. And you’re not going to be able to protect against anything unless you know what you have, and you’re not going to be able to protect against everything. As you’re taking a look at your information, defend what needs to be defended,” Touhill said.
- Detect. “This is important from the standpoint of you have to be able to detect when you are under attack. You need to be able to control the damage and monitor what’s going on,” he said.
- Respond properly. “You need to plan ahead of time. Someday someone will be inside your network, putting your reputation at risk. The time to respond to a crisis is not when you are in the middle of it. The time to plan is ahead of time. You should know how to respond. Do you have someone on retainer for public relations? Your brand and reputation and maybe your job is on the line,” he urged.
- Recover/Be Resilient. “You have to be resilient. You need to be able to take a punch and keep on going. Is all your information all in one place? Do you have backups for your information? What about your personal information? Each and every one of you will be the victim of a cyber incident in the next three years. Are you thinking about it at work and at home?” he warned.
Today, some 47% of American adults have had their personal information exposed by hackers. And today, thieves are no longer content with credit cards. “Your credit card has a lifespan. From the time it’s stolen and discovered, it’s about a three-week period. The damage is also capped,” he said. While card theft is often reported, credit cards are not a long-term theft item. But health care records are.
“How long does your health care record last? Longer than you are alive. And if I have your health care record, I can get as much information as I want,” Touhill said.
So what’s a retailer to do? He encouraged retailers to anonymously share the threats they face with him. “We are all part of the same neighborhood in the cyber world in the U.S. and we all share risk. Like that neighborhood watch we have a cyber neighborhood and we all have to be part of the cyber neighborhood watch. I need you to share information to me, so I can share with the country,” he said.
“At the end of the day your brand and reputation can be throttled with a cyber incident,” Touhill warned. “Life is full of risk. Manage your risk. Exercise good cyber security.”
The Future of Payments
In a panel discussion on the future of payments, Jenny Bullard, chief information officer for the 170-store chain Flash Foods, gave the retailer perspective on payment, from mobile to EMV. Bullard discussed Flash Foods’ app, which uses ACH payment to reduce credit card fees, appeals to Millennials and fits the convenience store chain’s brand. “For consumers, the app is easy to use, secure, faster to process than traditional cards, and their mobile device is always close at hand,” she said. “For retailers, there was no capital expenditure for hardware at pump or inside, and it was a quick and easy software upgrade, and it offers payment is secure with no card holder.”
On EMV, Bullard noted Flash Foods has EMV-capable pinpads on target for installation, costing about $200,000 inside the stores, targeted for completion by October. Compare that to the amount of inside fraud the chain experiences of about $20,000, and it’s clear the return on investment does not make the process appealing.
As for EMV at the pump, Bullard estimated the approximate cost to Flash Foods at a whopping $9 million. The company plans to replace and retrofit to incorporate EMV at the pump as store remodels and rebuilds occur, consider implementation first in higher-fraud areas and make all future stores EMV compliant.
Also on the panel, Manu Sporny, founder & CEO of Digital Bazaar and chairman for the Web Payments and JSON-LD Community Groups at the World Wide Web Consortium (W3C), noted that W3C is looking into building payments into the core of the Web, as a way of unifying the payment experience online and off, via Web, mobile and POS, worldwide.
“There are 3 billion people on the Web today. There will be 6 billion people on the Web by 2020,” he said.
A payment system built into the core of the Web would take the merchant completely out of the scope of PCI.
“Conexxus has been involved from the beginning. Web payments will have a massive impact on retailers. It’s very important that retailers have their voices heard and what you need is built into this, so when it’s in every mobile phone you can use it. We’d like to see more small and medium retailers take part in the conversation. If you don’t, there is a chance we will miss something. We are talking about building payments into the core infrastructure of the Web where 6 billion people will be reached in 2020,” he said.
Gray Taylor, Conexxus executive director, closed the panel discussion, noting that cash will account for less than 25% of retail sales by 2018, and we will see a revolution in banking. “Our branch banking system is over branched and we’re paying for it in banking fees,” he said. “You’re going to see a shift from payroll check to payroll cards, with 12 million people on payroll cards by 2019.”
Digital cash could be the future decades from now, Taylor predicted, and one added benefit for retailers might be the subsequent migration away from credit cards. Gen Y, who saw their parents’ generation suffer from credit card debt in the Great Recession, and are already carrying monumental college debt, could drive this push away from credit toward a digital currency. “I think this new generation will be very disciplined with financial management compared to my generation,” Taylor said.
At a reception Monday night, Ann Dozier, senior vice president, chief information officer, Southern Wine & Spirits of America, and Ann Seki, formerly PCI program manager, Chevron Corp., were honored as 2015 Conexxus Technology Hall of Fame inductees for their years of contribution and dedication in the convenience and fuel retailing industry.
The 2015 Conexxus Annual Conference runs April 26-30 at the Loews Annapolis Hotel in Annapolis, Md.