CINCINNATI - You don’t have to outrun the bear, the old punch line proclaims, you just have to outrun the other guy the bear is chasing.
That is the general idea behind the Kroger Co.’s strategy to ward off hackers.
“Your goal in that world is just to become more difficult than the guy next door to you to breach,” said Kroger Chief Financial Officer Mike Schlotman. “You will never hear us say we’ve got defenses that can’t be breached because that just becomes a challenge for the bad guy. Our goal is to make it more difficult to breach us than anybody else.”
Kroger – and the rest of retail America – have placed a renewed focus on their security systems after Target Corp. revealed hackers stole 40 million debit and credit card numbers by installing malware into the retailer’s point of sale system. Target revealed Jan. 30 that attackers gained access to their system by stealing electronic credentials from a company vendor.
Online security blogger Brian Krebs reported recently that a component of the malware used against Target employed language commonly used by BMC Software of Houston, Tex., an IT management company whose clients include Kroger, Safeway, Home Depot and Sam’s Company.
Schlotman said Kroger executives were briefed on the recent breaches Jan. 28 by security experts for the company. It was part of a quarterly management meeting on information services. Schlotman declined to say whether the Target attackers also tried to invade Kroger networks.
“We don’t want to poke that bear, don’t want to make statements that we’re safe and secure,” he said. “Just the number of places and things that have been breached I think it would be foolish to make that proclamation.”
But Schlotman did say that Kroger has invested in new card readers that can process transactions with EMV or “chip and PIN” technology. Many see it as an answer to the latest breaches, as WCPO reported Jan. 15, because the cards allow consumer information to be stored as encrypted data, requiring a PIN code to unlock.
The plastic cards have computer chips instead of magnetic strips. They are widely used in Europe but U.S. banks and retailers have been slower to adopt. Kroger says it installed “chip and PIN enabled” card readers in most of its stores, starting two years ago. If banks and payment processors rolled out the technology today, Schlotman said the company could be using it in two months.
That puts Kroger ahead of many small retailers, based on the experience of Omega Processing Solutions in Fort Thomas, Ky. The payment processing company handles more than $1 billion in transactions for 7,000 clients, including Watson’s, KOI Auto Parts and B&B Riverboats.
Omega Processing President Todd McHugh said fewer than 25 percent of his clients, mostly small businesses, have payment systems enabled for the new chip and PIN cards, even though Omega offers new readers for free with a three-year contract.
“Kroger’s right,” McHugh said. “You’re never going to stop every hacker, but can you build your fence a little higher? We’re trying to push that technology down to the mom and pop retailers. In some ways they’re less likely to get victimized because there is not as much data. If I get into a mom and pop, what am I going to get? Fifty cards? Eighty cards?”
Kroger, which generates more than $11 million in revenue an hour, makes a more attractive target for hackers. That’s why Schlotman wants to make his company less attractive than similarly sized rivals.
“These are businesses,” he said. “They have payroll to make. They look at their reward per effort hour. So, if they can breach somebody in an hour and they look at us and it takes three hours, they’d rather have three people in an hour than us.”