Following years of high profile data breaches, it’s becoming clear that retailers are just as likely to have their customer data stolen by a malicious hacker as they are to be physically broken into.
However, while most stores have installed alarms, CCTV and employed guards to prevent physical theft, many lack adequate cybersecurity measures to protect the sensitive customer data they hold. Although stolen merchandise is costing the UK economy up to £700m a year, the total cost of cybercrime had already reached almost £30bn in 2016 and may have increased since. This highlights how crucial cybersecurity is, especially with attacks against online retailers doubling between 2016 and 2017.
While there are some obvious consequences of data breaches, such as stolen intellectual property, retailers must be aware that reputational damage is more serious. With UK brands feeling that negative press is most damaging to their business, data breaches are clearly something to be avoided. In fact, Gemalto’s Consumer Loyalty Report revealed that the majority (70%) of consumers would stop doing business with a company if it experienced a data breach. So, should a retailer suffer a data breach, it’s not only risking a severe impact on its reputation but also its bottom line. Recent data breaches at retailers have caused significant share price reductions and the resignation of senior executives.
Despite this, UK organisations have been failing to adequately protect their data and regulate themselves – forcing governments and legislators to introduce robust data regulations. In particular, the Payment Card Industry Security Standards Council has been helping retailers understand how to store and handle their customers’ payment data with its Data Security Standard, or PCI DSS. This standard helps businesses process card payments securely and reduce card fraud. Previously regarded as ‘best practices’, albeit with penalties applied by card brands for non-compliance, the guidelines became mandatory standards in February, carrying with them legal and financial repercussions for failing to comply.
Although it may sound like PCI DSS is yet another regulation that retailers must adhere to, many will (hopefully) already have ensured they are compliant. But for those that aren’t, what do they have to do to comply?
The Six Simple Steps
PCI DSS is separated into six categories:
1. Build and Maintain a Secure Network – To do this, a retailer should install and maintain a firewall to restrict access to, and protect, data. It’s also crucial that products do not use vendor-supplied defaults for system passwords and other security parameters, as these defaults are publicly documented and easily looked up by attackers.
2. Protect Cardholder Data – Only the absolute minimum of cardholder data should be stored, and certain data – such as the full contents of the card chip or magnetic stripe, the card verification number (CVN) or the personal identification number (PIN) – should never be stored.
When and wherever cardholder data is stored, controls such as encryption, masking or hashing must be implemented. Without access to the proper encryption keys, encrypted data will be unreadable and unusable by hackers, even if it is stolen.
3. Maintain a Vulnerability Management Programme – Antivirus software must be used on all systems and be constantly maintained and kept running to ensure systems are protected.
While many security vulnerabilities are quickly patched by software vendors, it’s also crucial that retailers ensure these patches are installed as soon as possible – the longer it takes, the higher the chance that an attacker will be able to exploit the vulnerability.
4. Implement Strong Access Control Measures – To prevent unauthorised access to data, systems should deny all access to employees by default – only ‘need to know’ staff, such as accountants or HR, should be able to access personal data. To make this easier to enforce, all users should be assigned a unique ID, which lets a business see if anyone is attempting to access unauthorised data. In addition to this, multi-factor authentication must be used for internal and remote network access.
5. Regularly Monitor and Test Networks – In order to track potential data breaches, logging mechanisms must be implemented. These audit trails link actions to individual users, highlighting events such as access to cardholder data or the deletion of files.
As new vulnerabilities are regularly found and exploited, it is essential that system components, processes and custom software are regularly tested to ensure they are secure – on top of having any patches quickly installed.
6. Maintain an Information Security Policy – Finally, organisations must establish and maintain a security policy, which is periodically updated according to the changing risk environment. Organisations should also implement an incident response plan so that they can respond immediately to any system breach.
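To make step 2 concrete, the following is an added example (not from the original article or from Gemalto) of what the storable form of a card record could look like: the PAN is masked to at most the first six and last four digits for display, a keyed one-way hash of the full PAN is kept for lookups, and sensitive authentication data such as the CVN, PIN and track data is never copied into the record that reaches the database. The HMAC key, field names and sample card number (the standard Visa test number) are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed example key. In a real deployment the key lives in an HSM or
# key-management service, never alongside the card data it protects.
HMAC_KEY = b"example-key-do-not-use-in-production"

# Sensitive authentication data that must never be stored after authorisation.
FORBIDDEN_FIELDS = {"cvn", "cvv", "cvc", "pin", "track_data", "magnetic_stripe"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a sanity check on the card number, not a security control."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: keep at most the first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HMAC_KEY) -> str:
    """Keyed one-way hash of the whole PAN; a plain hash would be brute-forceable
    because the space of valid card numbers is small."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def to_storable_record(card: dict) -> dict:
    """Build the only form of the record allowed to reach persistent storage.

    Fields are copied by allow-list, so CVN/PIN/track data can never leak in;
    the PAN itself is replaced by its masked and hashed forms.
    """
    pan = re.sub(r"\D", "", card["pan"])
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    record = {
        "pan_masked": mask_pan(pan),
        "pan_hmac": hash_pan(pan),
        "expiry": card["expiry"],
        "cardholder_name": card["cardholder_name"],
    }
    assert not FORBIDDEN_FIELDS & {k.lower() for k in record}
    return record
```

Encrypting the masked record at rest and logging every read of it (step 5) are separate controls layered on top of this.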
These steps apply specifically to PCI DSS, but they go a long way to ensuring that a retailer is prepared for the broader GDPR when it comes into effect in May. It’s also important to note that there are some requirements, such as the right to be forgotten, which are unique to GDPR, and businesses can’t assume they will automatically comply with it just because they meet PCI DSS standards.
Ultimately, these steps are about protecting customer data and ensuring that customers have confidence in retailers to store their information. Consumers are becoming more aware of the threats that are out there and are holding businesses, including retailers, responsible for protecting their information.
In the era of the data breach, a retailer’s security approach needs to be as important as its sales strategy or it could face the consequences.
Author: Paul Hampton, senior product manager at Gemalto