Credit providers stay ahead of security challenges

By Joseph Dobrian
Special to Furniture Today

HIGH POINT — The security of digital information for both businesses and consumers is high on the radar as more and more transactions occur via computers, digital devices and the Internet.

In terms of the data involved, how safe is it to let your customers apply for credit on your computer? How safe are credit application kiosks for the consumer or the lender? What specific security threats should consumers, retailers, and credit providers beware of?
See related stories:
Security best practices
Know potential weaknesses

According to experts recently contacted by Furniture Today, the bad news is that any hacker with an imagination will find ways to try to steal information, or even steal money, via the Internet. The good news, however, is that it’s getting harder for them to do it.

One lender describes the process as an “arms race,” in which one side comes up with new ways to make trouble and the other side quickly finds ways to thwart them. So far, it looks like the good guys are winning.

teresa piliouras
Teresa Piliouras

“I would advise consumers to make sure the networks used in the store to transmit credit card information are PCI-compliant,” said Teresa Piliouras, CEO of Technical Consulting & Research Inc., a Weston, Conn.-based software development and cybersecurity specialist. “MasterCard and Visa helped develop the PCI DSS framework. The Verizon PCI compliance report is a great resource. According to the report, ‘At a regional level, only 39.7% of organizations in the Americas maintained full compliance.’ This includes all companies, not just furniture companies.”

Control is key

eric jernigan, genesis
Eric Jernigan

Eric Jernigan, IT security manager for Genesis Financial Solutions, parent company of Genesis Credit, a private-label credit provider, said that Genesis’ security measures provide controls for multiple areas of data storage, data transmission and access control. Genesis only shares non-public data deemed necessary for transaction support. All information that Genesis transmits and retains is fully encrypted.

“According to the 2018 Identity Theft Resource Center’s Annual End-of-Year Data Breach Report, the total number of data breaches is down 23%, but the number of exposed consumer records has climbed 126% since last year,” he warned. “The business sector, including retailers, had the largest number of the breaches.

“The use of ransomware, which is a form of malware designed to completely encrypt a victim computer’s files until a ransom is paid in bitcoin/other crypto currency, continues to increase each year. Data loss and downtime as the result of a ransomware attack are often more damaging than the ransom itself.”

Jernigan offered the tips for consumers:

  • Know your rights; ask retailers what measures they take to keep personal data secure.
  • Regularly review your free credit report to catch unexpected activity.
  • Refrain from accessing sites that request or include personal data while on public WiFi.

Jernigan advised retailers to minimize the amount of customer data they collect. If it isn’t related to the business transaction, collecting it is the analogous to making cash available to criminals.

“Create a breach response/security incident plan today,” he urged. “It can start as a list of bullet points to answer the question, ‘What should we do if we discovered a breach right now?’ Seek help from the resources in your own company and any partners that could assist. Perfection isn’t the goal; having a starting point and executable plan when a breach occurs is.”

Protection mechanisms

ryan slobodian, snap
Ryan Slobodian

Ryan Slobodian, executive vice president of Snap Finance, noted all his company’s communications are encrypted and use https to protect portals and data.

“From the moment a retailer or a consumer accesses our portals, we encrypt that information in transit,” he said. “We use a Defense in Depth Approach, which implements a series of layered defensive mechanisms to protect our data. If one mechanism fails, another steps up immediately to thwart an attack.

“Once the information arrives to our infrastructure, we encrypt communication between components, and we encrypt all backups and places data is stored. Credit card data is not even stored on our system.”

He suggests that in-store credit applicants should ask the merchant or a sales representative for information on the credit company. Does the merchant have a good relationship with them? Do they have good customer service? What do other customers think of them?

“When providing the information,” Slobodian advised, “make sure (customers) are in control. The merchant should be able to provide customers a way of entering data on their own terms, either through a smart phone or a dedicated computer where they can confirm the data is going to the right place.”

Chris Chilton

Chris Chilton, chief information officer at Tempoe, said his company also uses multiple layers of cybersecurity to protect retail partners and consumers.

“Given the current climate of multiple interconnected IOT (internet of things) and the almost universal ability of the world to be in contact with any other individual on the planet with just a few keystrokes, the threat will be increasing for the foreseeable future,” he warned. “Anyone who can do a few simple Google searches can launch cyberattacks on par with all but the most sophisticated attacks of a few years ago.

“New risks that have appeared include IOT-based attacks and state-sponsored attacks. Small nations such as North Korea have such a small economic base that state-sponsored hacking can make up a significant portion of their GDP. These cybercrimes and other sponsored attacks are designed to disrupt American businesses and will continue to be a threat.”

Tempoe has established a “Third Party Service Provider Management” agreement, Chilton reveals, which clearly defines the company’s expectations for handling sensitive data and the steps to take if a breach occurs.

Staying on constant alert

Jami Hughes, Progressive Leasing
Jami Hughes

“We continually test and reevaluate our security measures and update as necessary,” said Jami Hughes, vice president of information security for Progressive Leasing. “We work with third-party organizations to validate and certify our security practices, including ISO/IEC 270001, PCI DSS and AICPA SOC 2 Type II certifications, among others.

“We have also adopted the NIST cybersecurity framework to help manage and optimize our security program as maintaining the security of systems and integrity of data is an on-going commitment.”

Many threats to cybersecurity involve social engineering, the spokesman says. In other words, these threats exploit human trust and vulnerability. Education is essential to combating these threats and education is a key component of our security program.

“We have detailed action plans to address any breaches should they occur,” Hughes added. “Consumers and retailers are advised to treat all personal information as confidential information. This includes not only details pertaining to financial accounts and transactions, but any and all personally identifiable data.

“In the event of a data breach, we recommend consumers and retailers alike take action to prevent further exposure. This includes taking systems offline at least temporarily, resetting passwords, and reviewing and addressing any infrastructure or process vulnerabilities before bringing breached systems back online.”

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *