He has more than 30 years of experience in systems engineering, sales, product management and marketing of technology business systems for the retail and hospitality industries. Today, Tom Litchford takes a moment to provide a big-picture view of the fight retailers put up to keep their customer’s safe and satisfied.

How are retailers working together to proactively fight cybercrime?

Tom Litchford: Cybercrime is not just a retail industry problem. It is a business risk facing all industries. The government is fighting it, too. This is a cyber war that we’re fighting.

In retail, we’re mostly dealing with cyber criminals, as opposed to nation states. These criminals are looking for data they can easily turn into a profit and, unfortunately, they’ve found a gold mine with credit card data.

Under the direction of the NRF CIO Council, we developed an IT Security Council with the number one objective being: to foster a community focused on information sharing. NRF runs a threat alert system that pushes out around a dozen alerts per day from the Department of Homeland Security and other sources. We also have a strong relationship with the U.S. Secret Service, as well as the FBI. If we can create better situational awareness of what is going on relative to cybersecurity, not just within our own organizations but within the industry and beyond, we feel we can help our members better defend themselves.

''“Criminals are looking for data they can easily turn into a profit and, unfortunately, they’ve found a gold mine with credit card data.”

What are retailers doing to protect credit card data?

There is a misconception that the EMV chip-and-signature cards mandated by the financial industry are the panacea. We disagree. The chip makes it harder to create counterfeit cards from stolen data, but it does not directly protect the actual card data. And without a secure PIN, like the rest of the world uses, the cards provide only half the security they are capable of.

Any illegible scrawl of a signature will let a criminal sign for a fraudulent transaction when they’re using a lost or stolen card or when they manage to defeat the chip. Knowing this, retailers are busy implementing point-to-point encryption and tokenization: security solutions that are much better at keeping card data from being stolen in the first place.

How are retailers balancing the need to protect privacy while engaging in better information sharing to fight cybercrimes?

Cybersecurity information sharing is one of the most important things we can do to better defend against cyberattacks. NRF is working to help establish that trust and facilitate rich information sharing. First, because it’s hard to trust someone that you don’t know, NRF is bringing groups of retailers together regularly, so they can start building a camaraderie and put aside the idea that we’re competitors. There is nothing competitive about cyber defense.

'“Cybersecurity information sharing is one of the most important things we can do to better defend against cyberattacks.”'

Additionally, we are working with the general counsels of retailers to convince them that there is a huge benefit to allowing this sharing to go on. The counsels are very concerned around privacy and liability, which is one of the reasons NRF strongly backed the Cybersecurity Information Sharing Act that became law in 2015. This new law strengthened liability protection and privacy guards when organizations are sharing cyber information.

Is it hard to be optimistic about winning the cybercrime war?

We certainly celebrate our successes when cyber criminals get busted, but I hate the pessimist view that we have to get it right all the time, while the bad guys only have to get it right once. I like the metaphor of the “cyber kill chain.”

The kill chain was developed by the military during the Gulf War in response to bombs being deployed on roads to take out convoys. The theory is that if we look at the process the enemy has to go through to succeed, there’s a chain of events that are linked together. We only have to break the link in one place to stop an attack. As long as we’re getting and sharing the information needed to figure out where to break a link in the cyberattack plan, then they’re not going to be successful.

I like to take the optimistic view. They’re sophisticated and smart, but we are, too.