For the second time in a week, a major retailer has reported a data breach that may affect thousands of customers. This time, the target is Sally Beauty Supply, the largest seller of beauty products in the world. So far, the breadth and severity of the security breach are not known, but Chris Brickman – president and CEO – confirmed that the company was investigating the illegal intrusion and pledged to work with any customer who had been affected.
This incident highlights ongoing security problems within the merchant services industry. Over the past several years, as computer hackers have become more sophisticated, such data breaches have seemingly occurred with regularity. In response to this problem, the industry has attempted to adopt several important mobile payments standards. In fewer than six months, retailers such as Sally Beauty Supply will be required to improve their point-of-sale systems so that they can accept so-called “chip-based” credit and debit cards.
This regulation stems from the actions of EMV (“EuroPay, MasterCard, and Visa”), a global consortium that sets the standard for authentication measures used to verify credit and debit card transactions. EMV – which includes every major global card issuer – has set an October deadline for merchants to accept integrated circuit cards (or simply “chip cards”) at their places of sale. This change comes with several security benefits. Under the old “swipe and sign” model, making fraudulent charges was relatively easy; all that was necessary to make an unauthorized charge was to swipe the card and provide a forged signature. Simple sixteen-digit account numbers are easy to steal and reproduce. The use of chip cards combats this practice in two ways. First, it makes it nearly impossible to produce counterfeit cards. Second, it assigns a unique identification number to every transaction, which makes it easier to track suspected fraudulent usage.
However, full adoption is unlikely to occur by October, both because not all consumers own chip-based cards and because some retailers lack the capacity to process these cards. For merchants, failure to comply with these standards comes with a real price. Most card issuers have announced dates for “liability shifts,” which signify that retailers – not banks, as was usually the case – will be responsible for reimbursing customers for any fraudulent transactions if the retailer lacks the technology to handle a chip-based charge.
The Sally Beauty data breach underscores the need for immediate change. In the coming years, the merchant services industry will have to continue to evolve to ensure that mobile payments are secure. While the move towards chip-based cards will not solve all problems, its full implementation would go a long way. The sooner, the better.