WASHINGTON -- The National Retail Federation (NRF) earlier this month told a congressional panel that the retail industry is committed to safeguarding and protecting consumer data and information from highly motivated and sophisticated cybercriminals and hackers.
"Retailers make significant investments every year in order to protect [consumer] data," NRF vice president for retail technologies Tom Litchford testified. "Collectively, retailers spend billions of dollars annually to safeguard data and fight fraud, as well as hundreds of millions annually on [credit card security] compliance."
Litchford testified before a field hearing of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection & Security Technologies, where he outlined specific steps that the nation's retailers are pursuing and implementing to identify, prevent and combat cyberattacks.
He described NRF's support for immediately transitioning away from fraud-prone credit cards that us 1960s technology (magnetic-stripe and signature) to more advanced and secure cards that incorporate a personal identification number or PIN or chip and PIN cards that include a computer microchip.
PIN-based cards, along with data encryption and tokenization, would help prevent cybercriminals from monetizing consumer financial information and provide better fraud protection for retailers, banks and consumers than proprietary Europay, MasterCard and Visa (EMV) technology that does not require the use of a PIN.
"Chip and PIN technology dramatically reduces the value of any stolen 'breached' data for in-store purchases because the payment card data is essentially rendered worthless to criminals," Litchford said. "The failure of U.S. card networks and banks to adopt such a system in the United States is one reason why cyberattacks on brick-and-mortar retailers have increased."
Litchford shared that the nation's retailers are pursuing the establishment of a Retail Information Sharing & Analysis Center(Retail ISAC) that would provide retailers and merchants (NRF members and non-members) with actionable and timely threat intelligence to help identify and mitigate cyber risks.
"The retail industry is in a particularly good position to both benefit from and bring value to information sharing with outside organizations and entities," Litchford said as he described NRF's recent interaction with the U.S. Secret Service, U.S. Computer Emergency Readiness Team, iSightPartners and the Financial Services ISAC on cyberthreats.
"NRF is currently in the planning stages with respect to a final step in the development of the Retail ISAC: the establishment of the technological and operational infrastructure to support a secure portal through which members can share information," Litchford said. "NRF's goal is to allow credentialed [Retail ISAC] members to share information of varying levels of sensitivity anonymously, thus allowing the Retail ISAC to act as a repository of critical threat, vulnerability and incident information that is sourced from various members and outside organizations, and to facilitate peer-to-peer collaboration with the sharing of risk mitigation best practices and cybersecurity research papers."
Acknowledging that there is no silver bullet to combating cybercrime, NRF called on Congress to support the retail industry's efforts on data security and cybersecurity by passing the Cyber Intelligence Sharing & Protection Act (H.R. 624) or CISPA, which would further encourage businesses and retailers to share information across sectors on cyberthreats in real time.
The NRF earlier announced that it is creating a program to provide retailers access to information on cybersecurity threats identified by retailers, government and law-enforcement agencies and partners in the financial services sector. The program, developed with the Financial Services Information Sharing & Analysis Center (FS-ISAC), will launch with the establishment of an information-sharing platform for retail industry information security specialists, and plans call for the Retail ISAC to be established in June.
"We believe a heightened and well-coordinated information-sharing platform such as a retail ISAC is a vital component for helping retailers in their fight against cyberattacks," NRF president and CEO Matthew Shay said. "Establishing a new program takes time, but time is not our friend when it comes to stopping these sophisticated and unpredictable criminals. The willingness of the FS-ISAC to work with retailers provides our industry with a new and important tool as we explore all of the options available for merchants to protect their customers and their businesses."
In early February, Senators Mark Warner (D-Va.) and Mark Kirk (R-Ill.) called for the establishment of a Retail & Merchant Industry ISAC in a letter to the Federal Trade Commission (FTC).
"In partnership with key stakeholders, NRF is committed to finding broad-based, long-term solutions to ensure that consumers' sensitive information remains secure. It is a retailer's top priority," Shay said. "Implementing robust security solutions with innovative technologies and information sharing to protect consumer data and the integrity of our payment systems is a start, but we will always need to stay one step ahead of these determined criminals."
Recently, representatives from NRF held in-depth discussions with the U.S. Secret Service and other law enforcement agencies for insight and guidance on how to improve communication, identify available resources and collaborate more effectively to help retailers combat criminal cyber activity.
NRF has also retained the services of Kim Peretti, a partner in the law offices of Alston & Bird LLC. Peretti is part of the firm's White Collar Crime Group and co-chairs the Security Incident Management & Response Team. She is also a former director of PricewaterhouseCoopers' cyber forensic investigation unit and a former senior litigator for the Department of Justice's Computer Crime and Intellectual Property Section.
As announced in January, the NRF is working closely with the cybersecurity professionals from The Chertoff Group, providing NRF members with the highest level of insight and guidance in risk management and cybersecurity expertise.
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.