Publicly disclosed breaches in the retail and hospitality industries have fallen to less than five occurrences per month, down from double-digit figures over the last two years, a new report released today reveals.
This drop is attributed in part to merchants, hotels, and restaurant chains retooling their point-of-sale (POS) systems to accept EMV or chip payment cards, says Stephen Boyer, CTO and co-founder of BitSight Technologies, which authored the report.
"EMV adoption has really accelerated since the Target breach and that could partly be the reason why the total number of breaches is trending down," Boyer says. "You hear a lot about breaches all the time, so I was not expecting the total trend to be going down."
During the January 2015 to January 2017 period analyzed in BitSight's report, the total combined number of publicly disclosed breaches in the retail and hospitality industries reached 320. But over the span of two years, it fell from 186 breaches in 2015, to 131 in 2016, with just three reported breaches in January.
POS systems were the largest vector of attacks for the hospitality industry, accounting for nearly 40% of the 181 breaches hotels and restaurants faced over the two-year period, according to BitSight's data. The frequency of POS attacks fell sharply from eight a month in 2015, to as few as two toward the end of 2016.
Web apps, meanwhile, were the largest targets of attack in the retail industry, accounting for nearly 30% of the 139 breaches encountered during that period. During the first half of 2016, the retail industry had a slight spike in publicly disclosed Web app attacks, but no POS attacks, according to BitSight data. And in the first quarter of 2016, the hospitality industry got hit with six publicly disclosed Web attacks at a time when its POS attacks dipped.
"I have no doubt that EMV cards are forcing some cybercriminals to Web apps. I think that is the only explanation that makes a lot of sense," says Avivah Litan, a Gartner analyst.
Chip cards are less lucrative and more work for cybercriminals to deal with, Litan says. EMV cards do not carry users' data on a magnetic strip that can be skimmed and sold on the Dark Web, and specialized equipment is needed to pull information off the chip payment card, she notes.
Given those challenges, hitting a Web app and intercepting an e-commerce transaction may be easier for cyberthieves, according to BitSight's Boyer.
He adds that although companies are getting better at protecting their customers' data and transactions, cybercriminals remain highly motivated, and data breaches against the retail and hospitality industries aren't likely to subside.