It used to be enough for a retailer to lock the store doors at night and arm the alarm system to prevent theft. Today, as businesses, and retailers in particular, strive to be omnichannel and to engage with consumers 24/7/365 in whatever channel is convenient at the moment, locking the doors is no longer enough to keep the business safe. Stores are not just physical places but virtual ones that can be accessed, and breached, from anywhere, at any time and from many kinds of devices.
Looking at the current data security landscape in retail, I have seen many businesses take a preventive approach to securing their data: adhering to standards, keeping hardware and software current, deploying threat detection tools, and securing business processes such as consistent patching and monitoring. On the other hand, many businesses still take a reactive approach to data protection, waiting until their data has already been compromised before looking for how the breach happened.
After the steady stream of news about major U.S. retailers being compromised, I have seen more and more businesses begin to realize that security is not a static condition: as new threats emerge or are identified, the industry and each individual business must react and adapt to them. Retailers need to monitor the threat landscape and adjust the way they do business to maintain a secure environment and protect their customers' sensitive personal data.
What Do Hackers Typically Want out of Retailer Data?
Whatever the specific objective, the malicious hackers who gain the most publicity are usually after payment card data and personal information, which they sell on underground markets to people who use it for fraudulent purchases and identity theft. A well-executed breach can capture the personal and payment information of millions of consumers, resulting in huge expenses for the retailer.
A Gartner industry analyst estimated possible losses of over $400 million for Target, including reimbursing banks for the cost of reissuing millions of cards, fines from the card brands for PCI non-compliance, legal fees, and credit monitoring for millions of customers.
Is Data Loss in Retail Primarily Due to the Introduction of POS Use?
According to Verizon's 2015 Data Breach Investigations Report, POS intrusions accounted for less than 30% of confirmed data breaches in 2014. A key finding of the report was that most incidents trace back to people: PEBCAK (Problem Exists Between Chair And Keyboard) and ID-10T ("idiot") errors. The infamous Target breach, for instance, began when the intruders stole the login credentials of a Target HVAC vendor, worked their way through the Target network to the POS systems, and installed malware on them. Warnings from Target's security monitoring software that intrusions had been detected went unacted on, and the harvested data was collected and offloaded to servers outside the network.
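The path described above, a third-party maintenance account ending up on POS hosts, is something a retailer's own authentication logs can reveal well before card data leaves the network, provided someone acts on the alert. The following Python script is an added example, not code from the original post or from any of the companies it mentions; the log format, account names, address ranges and the two rules are all constructed for illustration. It applies a segmentation policy to each authentication event and fires on failed attempts as well as successes, since a vendor account merely trying to reach the POS segment is the earliest sign of lateral movement.

```python
"""Added example: flag third-party accounts authenticating outside the
network segment they are allowed to reach, and any logon to the POS
segment from elsewhere. Everything below (policy, addresses, log format,
sample events) is constructed for illustration."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Hypothetical policy: the only networks each third-party account may log on to.
VENDOR_POLICY: Dict[str, List[str]] = {
    "vendor-hvac": ["10.50.0.0/16"],   # building-services / vendor portal segment
}
# Hypothetical address range of the POS estate (the cardholder data environment).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)"
)


def in_any(addr, nets: List[str]) -> bool:
    """True if addr falls inside any of the CIDR ranges in nets."""
    return any(addr in ipaddress.ip_network(n) for n in nets)


def detect(log_text: str) -> List[dict]:
    """Apply two segmentation rules to every event and return the alerts."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these too
        ev = m.groupdict()
        host = ipaddress.ip_address(ev["host"])
        src = ipaddress.ip_address(ev["src"])

        # Rule 1: a third-party account authenticating to a host outside its
        # allowed networks, whether or not the attempt succeeded.
        allowed = VENDOR_POLICY.get(ev["user"])
        if allowed is not None and not in_any(host, allowed):
            alerts.append({"rule": "vendor-off-segment", **ev})

        # Rule 2: any logon to a POS host from an address outside the POS
        # segment; catches accounts the vendor policy does not know about.
        if host in POS_SEGMENT and src not in POS_SEGMENT:
            alerts.append({"rule": "pos-ingress-from-outside", **ev})
    return alerts


def count_by_rule(alerts: List[dict]) -> Dict[str, int]:
    """Summarise alerts by rule name, for a quick triage view."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed sample events: a vendor account first logs on where it should,
# then tries a POS host (fails, then succeeds); a POS admin logs on normally,
# then once from the vendor segment.
SAMPLE_LOG = """\
2015-06-01T02:11:03 host=10.50.1.20 user=vendor-hvac src=203.0.113.7 result=success
2015-06-01T02:15:44 host=10.20.7.15 user=vendor-hvac src=10.50.1.20 result=failure
2015-06-01T02:15:52 host=10.20.7.15 user=vendor-hvac src=10.50.1.20 result=success
2015-06-01T02:16:01 host=10.20.7.16 user=pos-admin src=10.20.0.5 result=success
2015-06-01T02:20:17 host=10.20.7.18 user=pos-admin src=10.50.1.20 result=success
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["rule"], a["user"], "->", a["host"], a["result"])
    print(count_by_rule(found))
```

Run against the sample, the first vendor logon produces nothing, each attempt against 10.20.7.15 trips both rules, and the POS admin's logon from the vendor segment trips only the second. The point of the second rule is that segmentation policy should be enforced by the network and verified by the logs; an alert here is a sign that the boundary between the vendor segment and the cardholder data environment is not what the diagram says it is.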
To provide a relevant customer experience and transact business, sensitive information has to move across networks and be stored. Securing the proliferating entry points, networks and data is an evolving challenge, because criminals adapt to each security initiative. Some of retailers' biggest challenges, including advanced persistent threats (APTs), in which an attacker patiently probes a retailer's defenses for a weakness, have emerged as criminals have become more sophisticated in their methods. Today's hardware and software have adapted to mitigate, but not eliminate, the threat. As is usually the case, human error and business processes that lag behind the threats remain a persistent weak point that needs to be addressed.
State Laws Requiring Data Breach Notification to the Affected Parties
Today forty-seven states have data breach notification statutes on the books, resulting in a patchwork of requirements. The National Retail Federation (NRF) has been advocating for a federal law that would preempt state laws with conflicting reporting or notice requirements. Congress has also introduced S.177, the Data Security and Breach Notification Act of 2015; for now it has been referred to the Committee on Commerce, Science, and Transportation. Every retailer that accepts payment cards is additionally required to comply with the PCI Data Security Standard (PCI DSS).
What’s One thing all Retailers Should Know about PCI Compliance?
You can find out your exact compliance requirements only from your payment brand (American Express, Visa, MasterCard, Discover, JCB International). The PCI Security Standards Council manages the standards; compliance with them is enforced by the payment card brands. The standards apply to all organizations that store, process or transmit cardholder data.
The standard has 12 requirements. Remember that PCI compliance is an ongoing process, not a one-time event: retailers need to continuously assess their operations, fix vulnerabilities and submit the required reports.
- PCI DSS: Payment Card Industry Data Security Standard
- PCI DSS applies wherever account data is stored, processed or transmitted. Account data consists of cardholder data (the primary account number, cardholder name, expiration date and service code) plus sensitive authentication data (full track data, card verification codes and PINs), and sensitive authentication data must never be stored after authorization, even encrypted.
- PCI DSS applies to all system components. "System components" are defined as any network component, server, or application that is included in or connected to the cardholder data environment.
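Because the standard applies wherever account data turns up, the first practical problem is finding it: primary account numbers and track data routinely leak into application logs, debug output and spreadsheets far outside the intended cardholder data environment, pulling those systems into scope. The following Python script is an added example, not code from the original post or from the PCI Security Standards Council; the log lines are constructed, the card numbers are well-known test values, and the regular expressions are a deliberate simplification of real discovery tooling. It uses the Luhn checksum to filter digit runs down to plausible PANs, masks each hit to the first six and last four digits, and flags full track-2 data separately, since that is sensitive authentication data and a more serious finding than a stored PAN.

```python
"""Added example: discover and mask cardholder data in text such as
application logs. Sample data and patterns are constructed for
illustration; the card numbers are published test numbers."""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so a 20-digit transaction id is not split into a PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Magnetic-stripe track 2 as it appears in swipe debugging output:
# ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\??")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_pan) findings for every line of text."""
    findings = []
    for line in text.splitlines():
        # Track data first: it contains the PAN, but is the worse finding.
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(("TRACK2", mask_pan(m.group(1))))
        line = TRACK2_RE.sub(" ", line)
        # Then bare PANs; the Luhn check drops most order ids and timestamps.
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(("PAN", mask_pan(digits)))
    return findings


def redact(text: str) -> str:
    """Mask Luhn-valid PANs in text and remove track data entirely."""
    def pan_repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    text = TRACK2_RE.sub("[TRACK2 REMOVED]", text)
    return PAN_RE.sub(pan_repl, text)


# Constructed log excerpt: one PAN with separators, one Luhn-invalid 16-digit
# reference number that must not be flagged, and one line of raw swipe data.
SAMPLE_LOG = """\
2015-03-02T10:14:07 order=1001 card=4111 1111 1111 1111 amount=99.90
2015-03-02T10:14:09 order=1002 ref=4111111111111112 amount=12.00
2015-03-02T10:15:31 DEBUG swipe=;5555555555554444=2512101123456789?
"""

if __name__ == "__main__":
    for kind, masked in scan_text(SAMPLE_LOG):
        print(kind, masked)
    print(redact(SAMPLE_LOG))
```

On the sample, the scanner reports one PAN on the first line and track-2 data on the third, and leaves the Luhn-invalid reference on the second line alone. In practice the scan is run across log directories, file shares and databases on systems believed to be out of scope; every hit is either a system that needs to be brought into the cardholder data environment or, more often, logging that needs to be fixed so the data is never written in the first place.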
For a deeper look at data protection and compliance in the retail market, as well as other vertical markets, download our free white paper: Data Protection and Compliance Considerations for Solution Providers.
For more details on PCI, visit the PCI Security Standards Council website.