The pressure to boost security spending comes at a time when
merchants are already spending millions to fend off online retailer
Amazon.com and facing an October 2015 deadline set by payment
networks Visa Inc and MasterCard Inc to accept new payment cards
that store information on computer chips rather than on traditional
Target, the No. 3 U.S. retailer, said this week it hoped to finish
upgrading its payment card network to the more secure "chip and PIN"
standard by early 2015, some six months ahead of its previous plan.
The system, already widely used in Europe and Asia, can accommodate
cards carrying tiny microprocessors, which makes it harder for cyber
crooks to use stolen data.
U.S. retailers have been so focused on cutting costs and expanding
their online presence in the past decade that they have not spent
enough of their technology budgets on protecting customer data,
security experts and IT service providers said.
While retail spending on overall technology was expected to rise 4
percent annually between 2012 and 2017, U.S. stores spend only
roughly 2 percent of their tech budgets on security, with the bulk
going to improving their e-commerce, technology advisory firm IDC
Retail Insights said.
Unlike their peers in other industries, most retailers still focus
on just meeting the basic standards set by the payment card industry
rather than substantially beefing up safeguards against increasingly
sophisticated attacks, security experts said.
"Retailers have to assume that they are constantly being targeted
and actually constantly being penetrated," said Eddie Schwartz, a
vice president at Verizon Enterprise Solutions, who urged retailers
to take a more proactive approach.
Pressure from Congress, consumer groups and the banking industry
following recent theft of customer data at Target, Neiman Marcus and
others may be the turning point to get the retail industry to spend
more on security, experts said.
For example, Dinesh Bajaj, the vice president of retail and
logistics practice in Americas for Infosys Ltd, expects retailers to
spend more in coming months on encrypting credit card data while
storing it in multiple systems.
IDC Retail Insights expects spending by retailers in 2014
specifically for security in the United States to be $720.3 million,
an increase of 5.7 percent from last year in part because of the
recent breaches. Total tech spending by retailers this year is
expected to hit $36.34 billion.
"It's clear that companies need to do a lot more, that they continue
to make basic mistakes," Federal Trade Commission Chairwoman Edith
Ramirez said at a hearing on Tuesday looking into massive data
breaches at Target and Neiman that affected millions of shoppers.
LAGGING IN SECURITY SPENDING
Retailers spend 4 percent of their technology budgets on security,
compared with 5.5 percent for banks and 5.6 percent for healthcare
companies, according to technology research firm Gartner.
[to top of second column]
Security experts urged retailers to set up a non-competitive
"collaboration space" where they can virtually meet to share best
practices and real-time alerts about data breaches as their peers in
telecoms, financial services, utilities, transportation and energy
There are currently more than a dozen non-profit groups known as
Information Sharing and Analysis Centers, or ISACs, that share
real-time information about cyber threats and other emerging
"Having the tools and technology isn't enough in this day and age,"
Michael Kingston, Neiman's chief information officer, acknowledged
while testifying before Congress on Tuesday. "It's often how you
deploy this technologies and what else are you doing, which goes
back to make sure we're sharing intelligence as much as we can."
Retailers including Wal-Mart Stores Inc, Home Depot Inc, Toys R Us,
Sears Holding Corp, Walgreen Co, CVS Caremark Corp, Best Buy Co Inc,
Macy's Inc and Neiman declined to share details of their spending on
Target said it has invested "hundreds of millions of dollars" in
cybersecurity but did not give the exact amount.
"Retail has small margins and wants to keep prices low, and so they
have been slow to improve their systems," said retail industry IT
consultant Cathy Hotka. But the imperative to do so is even greater
given how much bolder and skilled hackers have become, she added.
Tom Litchford, vice president of retail technologies at the trade
group National Retail Federation said merchants have made
"significant" investments to classify and encrypt data and to train
software developers and other staff.
But data show that retailers have traditionally spent
proportionately less on security than other leading industries.
"They don't spend enough on isolating their payment card processing
environment from the rest of their store networks and the public
Internet," said Gartner analyst Avivah Litan. "This leaves their
cardholder data environment open to security holes that the
criminals punch through."
(Reporting by Dhanya Skariachan and Phil Wahba in New York;
additional reporting by Alina Selyukh and Emily Stephenson in
Washington and Jim Finkle in Boston; editing by Lisa Shumaker)
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.