The consumer and their data are at the core of every transaction, and their privacy and trust need to be a top priority. The consumer experience needs to be secure, given all the devices and personnel that interact with store infrastructure.
For years, retailers have viewed PCI compliance and security as one. As explained by Jack Lawson, Intel Security Group sales director, while PCI compliance remains a very necessary part of every retailer’s security baseline, it is no longer sufficient by itself. “This is due to the increasing sophistication of attacks, the many new threat surfaces needing protection and the comprehensive customer data which is at risk,” he says.
The figures are there to back this up. According to Verizon’s 2013 Data Breach Investigations report, 24% of all data breaches reported worldwide occur in the retail-hospitality sector. Meanwhile, the recent high-profile breaches at leading retailers occurred on data that was PCI compliant. Domino's Pizza also recently suffered an attack where hackers demanded a ransom of €30,000 after stealing personal data from more than 600,000 of its French and Belgian customers. The company already used a system for PCI-compliant data encryption, but the breach still happened.
The threat landscape is now more complex, thanks to the rise of the connected consumer and cross-channel shopping. “Millennials are a very different breed of shoppers – they expect to be able to shop and pay from any device, and they are much more open to sharing their data,” says Jon Stine, global director of retail sales at Intel. “For retailers, this means they need to offer all types of new devices and device connections – to the consumers’ own smartphones and to in-store devices such as mobile POS and interactive signage. There are so many more points where a breach can happen. PCI alone is not enough.”
That’s not the only problem Stine has identified. “Research shows that compared to other industries – and even government agencies – there’s a significant lack of trust in the retail industry’s ability to protect personal data. If not addressed, shoppers just won’t share data, and the industry won’t deliver against the vision of personalised shopping.” A 2013 study titled The Digital Shopping Behaviour showed that whereas 37% of US shoppers trust government agencies to protect privacy and use data appropriately, only 31% trust national retail brands.
It’s not an easy situation for retailers to tackle, as it’s much easier to carry out these attacks than it is to defend against them. Lawson explains: “One hacker can attack 100s of retailers and gain a massive ROI from their upfront investment, whereas the single retailer has to match his security investment with ROI demands from one single business.”
This is further backed up by the fact that security alerts are coming in thick and fast. Michael Seawright, director of Security Business Development, cites one company that suffers millions of attacks a day and, while its defences can keep out most of them, on average 18 still get through. “There are so many security alerts coming in on a regular basis that it’s hard to sift through them and determine what is meaningful and how to respond,” he says. “Having a good analytical tool in the form of a security information and event management tool (SIEM) is key. Proper training and diligent use of such tools can help companies reduce the time from detection to remediation.” But even adding SIEM is not the complete answer to retailers’ data security problems.
Companies need to take a holistic approach to security, which involves a complete change in company culture encompassing people, processes and technology. “A question I often hear from retailers about security issues is, ‘how do you make it go away?’” says Stine. “Today’s issue is that it won’t go away. Because of this, we need to move from a mind-set that focuses on installing point products to an approach that defends the brand through protection, detection and rapid resolution.”
Governments have also been working to establish standards that will help companies by defining security frameworks. In February, the White House released Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which is an effort in the US to develop a voluntary guide for organisations to enhance their cybersecurity. Every corporation should familiarise itself with the Cybersecurity Framework.
While there are multiple models across industries, Lawson advises that each company needs to recognise its own unique requirements. “This can only be accomplished with a thorough evaluation that leads to a cultural shift,” he says. “Only then do they stand a chance of keeping pace with the bad guys and making their business a very hard target to attack.”
So where does the industry start? Seawright believes that industry collaboration needs to be at the heart of this. “As I’ve worked with security vendors over the years, I’ve learned they have great individual products, but as we add more products into the environment, it is creating complexity that limits effectiveness,” he explains. “We need the industry to exchange information to improve our ability to detect and remediate threats faster.”
In order for retailers to secure their environments, it’s clear that a more holistic approach needs to be taken. It is time to look beyond PCI as the benchmark. To stay ahead of the ever-increasing attacks, strong defences, detection and remediation tools need to work together to create a secure environment. Retailers need to ask their security solution providers whether their tools interoperate. Retailers need to use guidelines like the US Cybersecurity Framework to assess their own security standing. By addressing security holistically, retailers stand a better chance of building a brand associated with a secure shopping experience.