Co-op Group guards the front line in war on cyber fraud

With cash payment becoming a thing of the past, cyber security is a growing concern for retailers.

Consumer trends suggest mobile phone payment will outstrip cash and card by 2025 – in the past 12 months alone, contactless payments at the Co-op Group have tripled, recently hitting nearly 11 million transactions a month.

But consumers are worried about security and expect retailers to protect them from cyber fraud.

The 2016 KPMG Consumer Loss Barometer, surveying 448 shoppers, found 19% would abandon retailers falling prey to a security hack, even if the company took the necessary steps to resolve the issue; 33% said fears of further exposure would stop them shopping at a breached retailer for at least three months.

Asked which factors would stop them returning to the store, consumers cited a lack of a solid plan to prevent further attacks.

Such concerns mean the Co-op Group has put cyber security at the top of its agenda. It recently announced that ACI Worldwide, a global provider of electronic payment technology, would run card payment processing operations across its UK food stores and fuel sites.

Read more: Co-op Group appoints ACI Worldwide to safeguard payment security

The Group will use ACI’s Merchant Payments system to secure data with the latest version of its point-to-point encryption – P2PE, which converts card data into indecipherable codes. The system is expected to go live across all Group stores in early 2017.

Cheryl Marshall, retail chief information officer at the Group, said: “The security of our customers’ data is of paramount importance to us. We believe ACI Worldwide’s UP Merchant Payments solution offers us the payment processing power we require, and the flexibility to meet our needs in the future.”

Jon Turner, information security director for the Group, points out that across the retail industry, card fraud losses have fallen £81.9m between 2006 and 2016 – while the amount spent on cards almost doubled.

“It’s true there is a large number of attacks against organisations like ours as more money is traded online,” he said. “Criminals follow the money. My job is making sure the Group has appropriate security to deal with that.

“All data is now transferred with a very high level of security. Customer details are protected and the amount of fraud is down significantly.”

He added: “We have invested significant capital in new IT programmes and we are increasing our resources.

“I work right across the board with business units and heads of retail, Funeralcare and legal services. I have also had meetings with chief executive Richard Pennycook and the Group board, discussing the threats we have.”

Mr Turner says there is a rolling programme of new controls.

“There are appropriate protective controls on all our PCs and connections to the internet. Anti-malware programmes monitor all our network connections and we have a team who monitor all security events and alerts.

“In recent years we have invested a lot more in security. Since we separated from the Co-op Bank we have created our own stand-alone team looking at the increasing use of the internet and the threats we face.”

The growth of contactless payment brings new dangers but consumer confidence is expected to grow as more mobile phone payment options become available.

The average spend for contactless payments is £8.66 compared with an average of £18.16 using chip and PIN, even though the limit on contactless payments is now £30.

Mr Turner said: “Digital payment through mobile phones and contactless cards will become far more prevalent as it makes life a lot easier and flexible – although a significant number of low-value transactions will still be in cash.

“We buy our contactless systems from a third party and there is protection by the banks. When it comes to contactless payment you have to have a reader with data which is protected in transmission.

“There are some risks which is why it has a relatively low limit but any payment made is protected by bank security. If a card is lost or stolen the bank will stop the card.”

He added: “Our digital team is working on a number of products and we are really happy with the way our security teams work.

“We ensure all our systems are tested and developed following a rigorous process. We look for fraud in our systems and work with other retailers to protect them.”

Related: Do co-ops hold the key to cyber security?

The Group is rolling out a series of digital offerings across the board, from paperless billing to organising and paying for funerals online.

“We will service all our digital development and build cyber security into it from the start,” said Mr Turner. “Cyber fraud has a serious impact on business and the reputation of an organisation. Our customers’ data is like the Crown Jewels to us, we have to protect it.”

Things have changed since 2011, when Co-operative Life Planning, a division of the Group which organised funeral planning and wills, admitted that data on 83,000 of its customers was accidentally posted online.

A full investigation was carried out by the Information Commissioner’s Office and since then there has been no significant breach of cyber security.

Simon Bourne, the Group’s chief information officer, oversees all IT developments and strategies.

“Making sure we keep all the data in a safe and secure manner is part of my job. It is now part of the culture within the Group,” he said. “It starts with simple things that make a big difference like reporting a suspicious e-mail.

“Technology is one of my top three strategy priorities and it is an area where we are all working together to strengthen our defences.”