Use of multifactor authentication and security of sensitive, non-credit card consumer data are top industry priorities
The National Cybersecurity Center of Excellence (NCCoE) hosted a successful workshop, Protecting Consumer Data: Securing Payment and Transaction Information, on March 22 at the University of Alabama Birmingham. The day of conversation brought together more than 60 professionals from across the retail and payment ecosystem, including security technology vendors. The online webcast attracted more than 100 attendees.
The NCCoE is a collaborative hub where businesses, government agencies, and academia work together to address broad cybersecurity problems of national importance. As part of the National Institute of Standards and Technology (NIST), the NCCoE uses standards, best practices, and commercially available technologies to demonstrate how cybersecurity can be applied in the real world.
The retail industry plays a major role in the U.S. and international economy, accounting for 66% of the U.S. GDP and 22% globally. The estimated cost impact of cybercrime is $445 to $575 billion a year, nearly 10% of potential retail revenues. Keynote speaker Brian Engle, executive director of the Retail Cyber Intelligence Sharing Center (R-CISC), shared these statistics and noted that "managing risk does not have a stopping point." He encouraged attendees to collaborate to find and implement best practices, not just one-off solutions.
The workshop focused on two cybersecurity challenges in the retail sector: the use of multifactor authentication for e-commerce transactions to combat online fraud, and how to securely handle sensitive, non-credit card consumer data.
Multifactor Authentication for e-Commerce Transactions
From biometrics to selfie recognition, retail companies are testing the waters for more secure e-commerce transactions. Panelists Charles Bretz, Director of Payment Risk, Financial Services Information Sharing and Analysis Center (FS-ISAC); Scott Frost, Chief Information Security Officer, Belk; Dr. Robert Martin, Vice President, Security Solutions, North America/Ingenico Group; and Andrew Whelchel, Senior Technology Consultant, Fraud and Risk Intelligence, RSA, highlighted current trends and discussed the different types of authentication factors. They also reviewed why some retail companies may be hesitant to adopt MFA, and how some retailers are combining MFA with other technologies, such as web analytics, to reduce online fraud while maintaining ease of purchasing.
Participants in the breakout session discussed how critical the user experience is when implementing MFA technology and that retailers could benefit from a multi-phased MFA approach with risk-based implementation. It could combine analytics about users’ past experience, threat intelligence, and transaction values to determine any additional levels of identity authentication needed before the transaction can be completed. The conversation resulted in an outline for the NCCoE to develop into a defined problem statement.
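The risk-based approach outlined in the breakout session can be shown in a small decision routine. The following is an added example, not NCCoE, panelist or vendor code: it combines a constructed threat-intelligence list, the account's history, device familiarity and the transaction value into a score, and maps the score to the additional authentication the checkout should demand. The weights, thresholds, level names and sample data are all assumptions made for the illustration.

```python
"""Risk-based step-up authentication decision for an e-commerce checkout.

Added illustration of a multi-phased, risk-based MFA flow: signals about
the user's history, threat intelligence and the transaction value are
combined into a score that selects how much extra authentication to
require before the transaction completes. All weights, thresholds and
sample records below are constructed for the example.
"""
from dataclasses import dataclass

# Constructed threat-intelligence feed: source IPs tied to reported fraud.
FLAGGED_IPS = {"203.0.113.17"}

# Constructed transaction-value bands (in the retailer's currency).
MEDIUM_VALUE = 100.0
HIGH_VALUE = 500.0


@dataclass
class UserHistory:
    successful_orders: int   # completed, non-disputed orders on the account
    usual_country: str       # country of the account's previous orders


@dataclass
class Transaction:
    amount: float
    source_ip: str
    country: str
    device_known: bool       # device fingerprint seen on a prior successful order


def risk_score(history: UserHistory, tx: Transaction) -> int:
    """Additive score: higher means the checkout looks riskier."""
    score = 0
    if tx.source_ip in FLAGGED_IPS:
        score += 40          # threat intel: IP linked to reported fraud
    if not tx.device_known:
        score += 20          # device never seen on a successful order
    if tx.country != history.usual_country:
        score += 15          # order origin differs from the account's pattern
    if history.successful_orders < 3:
        score += 10          # little history to judge behaviour against
    if tx.amount > HIGH_VALUE:
        score += 25          # large loss if the transaction is fraudulent
    elif tx.amount > MEDIUM_VALUE:
        score += 10
    return score


# Ordered (minimum score, required authentication level); assumed levels.
AUTH_LEVELS = [
    (0, "password"),            # no step-up: keep the purchase frictionless
    (25, "otp"),                # one-time code to a registered channel
    (60, "hardware_or_review"), # possession factor or manual fraud review
]


def required_auth(score: int) -> str:
    """Pick the highest level whose threshold the score reaches."""
    level = AUTH_LEVELS[0][1]
    for threshold, name in AUTH_LEVELS:
        if score >= threshold:
            level = name
    return level


def decide(history: UserHistory, tx: Transaction) -> tuple[int, str]:
    """Return (score, authentication level) for one checkout attempt."""
    score = risk_score(history, tx)
    return score, required_auth(score)


if __name__ == "__main__":
    # Constructed sample: a long-standing customer on a familiar device.
    regular = UserHistory(successful_orders=12, usual_country="US")
    print(decide(regular, Transaction(45.0, "198.51.100.8", "US", True)))
    # Constructed sample: new account, foreign origin, flagged IP.
    newcomer = UserHistory(successful_orders=0, usual_country="US")
    print(decide(newcomer, Transaction(80.0, "203.0.113.17", "BR", False)))
```

The score is deliberately additive and transparent so that fraud analysts can explain why a given order was stepped up, and the thresholds can be tuned against observed chargeback rates without changing the code structure.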
Secure Handling of Sensitive, Non-Credit Card Consumer Data
Stolen credit card information can cause consumer angst, but fortunately can be replaced—transactions are reversed and new credit cards are issued. Stolen sensitive, non-credit card consumer data, like a social security number, date of birth, phone number, or address, is not always replaceable. This information increases the value of records for attackers to sell, but is not always as well secured as credit card data. Panelists Gerald Beuchelt, Chief Security Officer, Demandware; Jake Marcinko, Standards Manager, PCI Security Standards Council; George Rice, Senior Director of Payments, HPE Security – Data Security; and Justin Simpson, Senior Manager, IT Risk & Security Governance Team, Walmart, discussed different types of sensitive data and the lack of current technology and regulations around personally identifiable information (PII). Panelists agreed that retailers are focused on securing credit card data, but have yet to increase the security of sensitive, non-credit card consumer data. This discrepancy is reflected in recurring headlines on credit card data theft and the lack of media attention on non-credit card consumer data breaches.
The breakout session that followed revealed that securing PII is complex—the information must be protected, yet still accessible to multiple departments like customer service and marketing. Participants discussed how current security technology for credit card data could be utilized for PII. Participants recommended removing personal data from the retailer’s enterprise through tokenization, format-preserving encryption, or anonymization. For example, the retailer could encrypt the customer shipping address and send it to the shipping provider for tokenization. The shipping provider would then provide a token to the retailer and take responsibility for protecting that data subset.
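The shipping-address tokenization pattern described above, as an added example that is not NCCoE, Demandware, HPE or Walmart code: the shipping provider runs the token vault and is the only party holding the address, while the retailer's order records carry a random token that reveals nothing about it. The class and function names and the sample orders are constructed for the illustration; the encrypted transport between retailer and provider (TLS in practice) is assumed and not modelled here.

```python
"""Tokenizing a shipping address so the retailer stores only a token.

Added example of moving PII out of the retailer's enterprise: the
shipping provider's vault maps random tokens to addresses, and the
retailer keeps nothing but the token. Names and sample data are
constructed; the retailer-to-provider channel is assumed to be
encrypted and is not shown.
"""
import secrets


class ShippingProviderVault:
    """Token vault operated by the shipping provider (assumed component)."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> address: the only place PII lives

    def tokenize(self, address: str) -> str:
        # Random token: not derived from the address, so two orders to the
        # same address get unlinkable tokens and no hash can be reversed.
        token = "shp_" + secrets.token_urlsafe(16)
        self._vault[token] = address
        return token

    def resolve(self, token: str) -> str:
        """Used only inside the provider's own fulfilment systems."""
        return self._vault[token]


class Retailer:
    """Retailer order store that never persists the plaintext address."""

    def __init__(self, provider: ShippingProviderVault) -> None:
        self._provider = provider
        self.orders: dict[str, dict[str, str]] = {}

    def place_order(self, order_id: str, address: str) -> str:
        token = self._provider.tokenize(address)   # address leaves the retailer here
        self.orders[order_id] = {"address_token": token}
        return token


def retailer_holds_pii(retailer: Retailer, address: str) -> bool:
    """Audit check: does any stored order record contain the address or a line of it?"""
    fragments = [part.strip() for part in address.split(",") if part.strip()]
    for record in retailer.orders.values():
        for value in record.values():
            if address in value or any(f in value for f in fragments):
                return True
    return False


if __name__ == "__main__":
    vault = ShippingProviderVault()
    shop = Retailer(vault)
    # Constructed sample address.
    addr = "742 Evergreen Terrace, Springfield, 11111"
    tok = shop.place_order("order-1001", addr)
    print("retailer stores:", shop.orders["order-1001"])
    print("provider resolves:", vault.resolve(tok))
    print("PII left at retailer:", retailer_holds_pii(shop, addr))
```

The `retailer_holds_pii` check is the kind of assertion a data-inventory review would run against the retailer's datastore after the migration; with random tokens it returns false, whereas a scheme that derived tokens from the address (for example by hashing it) would leave a value an attacker could test guesses against.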
Join the NCCoE in Combatting Online Fraud and Securing Consumer Data
This workshop represents the first step in NCCoE’s process to demonstrate how cybersecurity can be applied in the real world. The breakout sessions facilitated the development of challenge statements and potential architectures for these projects. Next, NCCoE engineers will use this information to publish a white paper containing a detailed project description. Ultimately, the NCCoE will develop a reference design and publish that information in a NIST Cybersecurity Practice Guide, which provides detailed information on how to implement the solution.
For updates on the NCCoE’s Retail Sector projects, sign up for our newsletter.
For Retail Sector stakeholders, join us at the R-CISC Cyber Summit next month to learn more about what we're doing and how you can share your expertise.
Special Thank You
Dean Palazzo and UAB's Computer and Information Sciences department provided excellent coordination, resources, outreach, and expertise. HPE's sponsorship provided insight and assistance, allowing us to focus on the workshop's content and conversations.