Despite numerous high-profile breaches, it’s not uncommon to visit a retailer and discover they are still running a point of sale (PoS) system based on Windows XP. But a new survey released this week by the American Bankers Association (ABA) suggests pressure is building to improve security in retail IT environments.
The ABA survey of 1,006 consumers in the U.S. finds that 94 percent say it is important for retailers to upgrade their security controls, and 70 percent say retailers should be installing Europay MasterCard Visa (EMV) chip-enabled card readers as soon as possible. In fact, 64 percent of those surveyed say they are most concerned about hackers breaking into retailers’ computer systems, compared to just 16 percent who cite physical card theft as their top concern and 13 percent who cite “phishing” scams.
In addition, consumers are looking for more government oversight. A full 78 percent of the people surveyed said the government should hold retailers, banks, and other companies involved in the payments system to the same security standards as they do all other financial institutions.
The struggle over retail security compliance
Naturally, that clarion call for increased security in the retail sector should, at least theoretically, create opportunities for IT services providers to address some critical concerns. The single biggest issue, of course, has been the contention surrounding the Payment Card Industry Data Security Standard (PCI DSS) requirement. Despite the rigorous policies defined by card issuers such as MasterCard and Visa, time and again security breaches have occurred at times when a retailer is out of compliance. The reason for this is primarily because continuous updates to the IT environment make it almost impossible to be completely PCI DSS compliant on a continuous basis.
Now those same card issuers are upping the security ante by pushing through an EMV pin and chip requirement on their credit cards that is intended to force retailers to upgrade their PoS systems lest they be held liable for any future credit card fraud.
Local retailers struggle to upgrade
The challenge is that the average retailer is not the size of Target. Most of them are small businesses that rely on their local IT service provider for IT support. As those IT providers well know, many of those retailers are already barely profitable, especially those that find themselves competing with online entities such as Amazon. The result is that many of those retailers are between a rock and hard place in terms of being able to modernize their PoS systems, much less actually secure them. Given those circumstances, it’s even debatable how many of those retailers will still be able to operate this time next year. Those that do remain, however, will likely be units of much larger retail chains, which tend to rely on larger IT services firms to implement their PoS systems.
Retailers will more than likely resent the security tax being imposed on them by credit card issuers, and that might actually push them toward embracing alternative payment systems such as Apple Pay. If that occurs, then many of those same retailers will be looking for help deploying more advanced PoS systems. In either scenario, however, the end result should be fewer retailers than there are today spending an increasingly larger percentage of their overall IT budget on security.