Where have all the hackers gone?

    Dan Alaimo

It's been awhile since the last major data breach, which makes one wonder, have the hackers moved on from retail or is this a calm before another storm? Probably both and neither.

There are a limited number of really accomplished cybercriminals out there, although it didn't seem that way last fall when the data breaches were coming in rapid succession. As retailers have tightened their technological defenses, these bad guys—like all the other bad guys in the world—moved on to easier and perhaps more lucrative pickings.

Has all the talk about tokenization, PCI DSS standards compliance, point-to-point encryption, EMV chip cards, Apple Pay, Bitcoin, and better awareness of malware scared them off? Not likely. While going after softer targets, they are also no doubt preparing a new round of attacks.

For instance, a recent study said that as the transition to EMV chip cards gets established, the bad guys will turn their attention from in-store POS systems to card-not-present online transactions.

Or take this metaphorical example: Let's say your house gets robbed, so you get a dog. The next time that robber bypasses your house and breaks into a neighbor's house where there is no dog, that neighbor gets a bigger and meaner dog than yours, and the cycle starts over. What to do? Get an even bigger dog? Yes. Is there an end to this cybersecurity arms race? No, at least not in the foreseeable future. It's the cost of staying in business in 2015.

Right now the robbers are over at the neighbor's house, but they'll be back.

Figuratively speaking, retailers will need to buy a lot of dog food, that is, security technology. Costco's house brand is a really good value—and Costco has never been breached so far. Walmart has the cheapest dog food—and as the biggest retailer has not been breached recently either, according to an article published in Bloomberg Business last fall.

The ingredients of that figurative dog food will have all of the above-mentioned technologies, blended together by someone who knows what they are doing and what the cybercriminals are up to. "Though tokenization and EMV have a place, there is no silver bullet. Retailers must consider and assess the security along all points in their processing," said Wolfgang Goerlich, a cybersecurity strategist at CBI.

Take this cybersecurity calm as a time to prepare in earnest for the next wave of attacks. It should not escape anyone's notice that most of the attacks, including Target's in 2013, came in the fourth quarter when retailers are at their busiest and, as a result, also when they are most vulnerable.

There are two deadlines on the horizon that should help retailers set priorities.

One is coming soon, and that is the June 30 compliance deadline for five mandatory changes accompanying Payment Card Industry Data Security Standard version 3.0. These are a response to the methods and tactics of card data thieves, and there are heavy fines for retailers who experience a data breach and haven't met the requirements.

The other is the fraud liability shift deadline for EMV chip cards in October. That is when lagging retailers or banks will assume liability for fraudulent card use depending on who is least prepared to accept the EMV chip cards. No matter the feelings about the deadline, implementing EMV is simply good business. Whether fair or not, the deadline is a way to incent the industry to make the transition sooner rather than later.

That's a start. Hopefully retailers will follow with other security measures and earn a mention on the list of those who haven't been breached. -Dan

Updated on May 29, 2015 to reflect the correct name of Wolfgang Goerlich's company affiliation. He is with CBI, not CBI Labs.