Helping retailers wipe ID data issue

Defending point-of-sale tools could reduce breaches, data theft expert says

When data breach investigator Bryan Sartin gets a call to check into an incident involving customer records loss at a retailer, he knows that the situation most likely involves information that has been lifted from a company's point-of-sale systems.

Just as the now famous attack on discount clothing retailer TJX Companies revolved around the interception of data transmitted wirelessly from the company's registers to its databases, almost every call Sartin receives from a retailer can be traced back to some issue with point-of-sale information collection, he said.

The data theft gumshoe -- whose official title is managing principal in the Investigative Response unit at managed security services provider Cybertrust, which was purchased by Verizon Business in May 2007 -- contends that if companies did a better job of defending their point-of-sale tools, most could dramatically lower their risk of a breach.

"As a rule, companies are doing a better job of protecting against external IT systems intrusions, but if you look into most of these consumer breaches at retailers the point-of-sale technology is typically the common denominator," Sartin said. "Many retailers list the types of systems they use on their Web sites, so the smart criminals look for companies using systems they already know how to beat and simply try to find a way in."

It would seem that if retailers simply collected less data at their registers, they would significantly improve their ability to protect against such attacks, but the issue isn't that simple.

In order to protect themselves against fraud on the part of customers -- primarily in the form of improper returns -- the companies feel compelled to store some form of identifying data, typically a credit card number, to avoid writing off even more losses to crime.

Among the databases of information scooped from TJX were some that carried such returns information.

As a result, retail companies find themselves in a tricky situation where they are being forced to consider alternatives that allow them to reduce the level of customer data collected at the point-of-sale, while retaining enough information to protect against fraud.

Flashback to the early 1990s, and video game console maker Nintendo was dealing with a challenging business problem. The Kyoto, Japan-based electronics company was selling millions of its NES video game consoles, but it was also being routinely fleeced by customers via fraudulent returns.

Typically such transactions would involve people who would buy new gaming systems, place older, broken consoles in the new box, and then simply return the devices for a full refund.

The company was losing large amounts of money and dealing with retailers who were shipping back scads of the worn-out machines, and attempts to implement manual guidelines, such as collecting more detailed data about customers, failed to deliver results.

Faced with mounting costs, the company decided on a technological strategy for warding off fraudulent returns. By capturing the UPC and serial number printed on the box of each console at the point of sale and creating an electronic receipt from them, the firm found it could build a database of pertinent information that would let it track sales without retaining customer data.

By recording the information on the box, along with details about the retailer who sold it -- such as their geographic location and store number -- along with the date and time of an item's sale, Nintendo found that it could prevent many attempted returns that involved fraudulent behavior. The system was piloted at Wal-Mart in 1995, and rapidly expanded into other retailers worldwide.
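The following is an added example, not Siras or Nintendo code and not their actual schema, that models the scheme described above: at the register, record the UPC and serial number from the box together with the selling retailer, store number and sale timestamp, and nothing about the buyer; at return time, scan the serial on the unit itself and check it against that record. The box-swap fraud described earlier fails because the old unit's serial has no sale on record. The field names, the 30-day return window, the UPCs, serials and dates are all constructed for the example; the same check works for any serialized product.

```python
"""Toy electronic-registration database keyed on (UPC, serial number).

Added example. Records hold product and store data only, no customer
PII, so a breach of this table exposes nothing about individual buyers.
All identifiers and the return policy below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class SaleRecord:
    upc: str            # product code printed on the box
    serial: str         # unit serial printed on the box and on the unit
    retailer: str       # selling chain
    store_number: str   # selling store within the chain
    sold_at: datetime
    # Deliberately absent: customer name, address, card number.


@dataclass
class RegistrationDB:
    records: Dict[Tuple[str, str], SaleRecord] = field(default_factory=dict)
    returned: Set[Tuple[str, str]] = field(default_factory=set)
    return_window: timedelta = timedelta(days=30)  # assumed policy

    def register_sale(self, rec: SaleRecord) -> bool:
        """Record a sale at the register; refuse a serial already sold."""
        key = (rec.upc, rec.serial)
        if key in self.records:
            # Same serial rung up twice: duplicate feed or relabelled unit.
            return False
        self.records[key] = rec
        return True

    def check_return(self, upc: str, serial: str, retailer: str,
                     at: datetime) -> Tuple[bool, str]:
        """Decide a return from the serial scanned off the unit itself."""
        key = (upc, serial)
        rec = self.records.get(key)
        if rec is None:
            # e.g. an old unit placed in a new box: its serial was never sold.
            return False, "no sale on record for this UPC/serial"
        if key in self.returned:
            return False, "unit already returned"
        if rec.retailer != retailer:
            return False, f"sold by {rec.retailer}, not {retailer}"
        if at < rec.sold_at:
            return False, "return predates sale"
        if at - rec.sold_at > self.return_window:
            return False, "return window expired"
        self.returned.add(key)
        return True, f"accepted; sold at store {rec.store_number}"


def build_sample_db() -> RegistrationDB:
    """Constructed sample sales (fake UPCs, serials and dates)."""
    db = RegistrationDB()
    db.register_sale(SaleRecord("012345678905", "SN-1001", "Wal-Mart",
                                "0042", datetime(1995, 6, 1, 10, 30)))
    db.register_sale(SaleRecord("012345678905", "SN-1002", "Target",
                                "0117", datetime(1995, 6, 3, 15, 5)))
    return db


def run_scenarios(db: RegistrationDB) -> Dict[str, bool]:
    """Exercise the fraud cases the text describes; returns name -> accepted."""
    day10 = datetime(1995, 6, 10)
    return {
        # Legitimate: unit serial matches the box sold at this chain.
        "honest": db.check_return("012345678905", "SN-1001", "Wal-Mart", day10)[0],
        # Box swap: old unit SN-0007 inside a box sold as SN-1002.
        "box_swap": db.check_return("012345678905", "SN-0007", "Target", day10)[0],
        # Same unit returned twice.
        "double": db.check_return("012345678905", "SN-1001", "Wal-Mart", day10)[0],
        # Unit bought at Target brought back to Wal-Mart.
        "wrong_chain": db.check_return("012345678905", "SN-1002", "Wal-Mart", day10)[0],
        # Late return of the Target unit.
        "late": db.check_return("012345678905", "SN-1002", "Target",
                                datetime(1995, 8, 1))[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios(build_sample_db()).items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}")
```

The check deliberately keys on the serial scanned from the unit rather than on anything the customer supplies, which is what makes the stored record useful against fraud while holding no personal data worth stealing.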

The company soon realized it had a hit on its hands when its largest rival at the time, Sega, came calling after hearing how well the system worked from its own retail partners. As a result, Nintendo decided to spin off the technology into its own company, Siras, in 1999.

With massive manufacturers including General Electric, Hewlett-Packard, Philips and Sony, and retailers such as Best Buy, CompUSA, Sears and Target using the Siras Electronic Registration system today, the company maintains it provides an easy solution to the point-of-sale data collection nightmare presently facing retailers.

By eliminating the need to collect customer data, including credit card numbers, company officials said, Siras can also help retailers and manufacturers protect themselves from information exposure incidents and the fallout such events bring.

"Once consumer data is collected it's really just a matter of time before it gets exposed or stolen, and you don't need to be a sophisticated hacker to commit such a crime, a lot of times it's a retail employee who finds a way to capture the data and sell it," said Peter Junger, president of Siras, based in Redmond, Wash. "Meanwhile, many point-of-sale systems can be easily hacked, and radio frequency ID tools that aim to help solve these problems are still many years away."

By purposefully avoiding the collection of personal data using a system such as Siras', companies can already begin lowering their risk while streamlining the retail shopping and returns process for themselves and their customers, he said.

After collecting the UPC and sales information, the data is transmitted to a national database presided over by Siras, allowing the software maker to handle much of the legwork and eliminate related point-of-sale management costs for retailers, according to Junger.

Siras is also in the process of developing other iterations of Electronic Registration for use by law enforcement officials tracking the movement of stolen goods, and for pawn shops and online auction sites that are trying to reduce sales of misappropriated or counterfeit goods.

"It's a very simple technological approach to a complex problem," Junger said. "And we're hoping that someday its use will stretch far beyond electronics and other high-end items into almost any type of product that carries a serial number."

One company already using Siras' tools is the consumer products division of Philips Electronics North America, the New York-based manufacturer of everything from desktop computers to flat-screen TVs.

Prior to implementing Siras in 2001, Philips dealt with the same sorts of issues that drove Nintendo to create the technology, but since that time consumer fraud has been cut significantly, said Tony Sciarrotta, director of returns management for Philips Consumer Electronics.

"It's had a huge bottom-line impact, helping us save not just on the cost of fraudulently returned products, but also the need to reimburse retailers who get victimized," Sciarrotta said. "The consumer information is not attached to registration, which is a huge win for consumers who have concerns about privacy, and for retailers afraid of a breach incident, and the technology can be applied to almost anything you want to sell."

Sciarrotta said that he would like to see larger numbers of retailers adopt Siras, and that he believes such tools should be required across the industry to lower the risk of consumer data loss.

"There are certainly times when we would like to have a lot more consumer information, but that's not in the best interest of everyone involved, so we need to get it in other ways such as encouraging product registration after the sale," he said. "From our side we don't want to be the police or the gatekeeper, we want to allow our retailers to go about their business as easily as possible with the least amount of risk for loss; over all my years in this industry, this is one of the best ideas I've ever seen along those lines."