5 Critical Steps for Retailers to Reduce Cybersecurity Risk
The story is becoming all too familiar – another retailer announces that it discovered malware on its point-of-sale systems. Clothing retailer Buckle, which operates more than 450 stores in 44 states across the country, joined the ranks of the almost 500 companies that suffered breaches in 2016 by disclosing that malware was siphoning unencrypted credit card data.
For those of us who work with credit card information daily, Buckle’s announcement served as yet another reminder that we must always remain vigilant when it comes to protecting customer data. In the wake of this and other major cybersecurity-related incidents, merchants need to actively evaluate all of their cybersecurity and credit card acceptance practices to ensure they’re in compliance with industry standards and regulations, as well as leveraging the most advanced security solutions available in the marketplace. There are steps companies can take immediately, including:
- Conduct an Individual Risk Assessment – Whether or not your company was the victim of a breach, retailers must invest in straightforward risk assessment programs that are monitored by third-party auditing and testing. While retailers increased their information security budgets by 67 percent last year, according to PricewaterhouseCooper, executive leadership must remember that security is not the place to try to save a few dollars; it has to be a priority. Corporate risk assessments should focus on identifying threat vectors – anything from internal employees with access to sensitive systems or external hackers attempting to breach systems. It is critical that companies consistently determine key personnel with elevated system privileges, evaluate and control system access, identify critical corporate assets, and segment assets that process or store sensitive information.
- Reaffirm Payment Channel Security – While eCommerce transactions were traditionally considered to be less secure because of the nature of online payments (no physical consumer present), the frequency of major breaches via card present environments demonstrates that these in-person transactions are as risky, if not more so, than online purchases. In the wake of data breaches, it’s critical to ensure solutions are up-to-date and can identify and defend against the latest cyber attack methodologies.
- Encrypt Data Before It Enters the Point-of-Sale System – As long as merchants continue to accept unencrypted credit card data and allow it to traverse their networks, the industry will continue to see headline data breaches that negatively impact both the merchant and their consumers. However, it isn’t enough to simply encrypt data while leveraging a point-of-sale workstation’s on-board credit card reader. Credit card information is still vulnerable to theft between the point of swipe and encryption when that encryption is software-based. Instead, data should be encrypted before it enters the point-of-sale system using an external payment device, through hardware encryption. That way, the point-of-sale system does not process or store – even in memory – “clear text” credit card information; it only sees encrypted data that cannot be compromised.
- Adopt EMV Technology – According to the National Retail Federation’s State of Retail Payments 2016 study, 86 percent of merchants expected to implement EMV by the end of 2016 – more than a year after the October 2015 liability shift. While EMV adoption is continuing to rise, magnetic stripe cards are still very common. This means that attackers can still steal and duplicate credit card numbers onto easy-to-find magnetic stripe reader (MSR) credit cards and use them. As we’ve seen in other regions where EMV adoption rates are high, card present fraud will continue to drop as more merchants adopt EMV technology.
- Embrace Tokenization – According to PricewaterhouseCooper’s Global State of Information Security 2017, 38 percent of respondents use end-to-end encryption to safeguard point-of-sale systems, while only 25 percent leverage tokenization. However, tokenization provides an additional layer of security that enables retailers to conduct routine payment operations, such as processing sales or refunds, without the risk of storing credit card information on their networks. Instead, customer card data is replaced with a “token,” usually a string of alphanumeric code that maps to the full credit card information in a third party system. Since the token is simply an identifier, attackers can’t derive the actual card number from it, much less use it for fraudulent transactions.
With the regular emergence of new, widely-available security threats, merchants should never assume that their networks or environments are secure. The above steps can help retailers de-sensitize information before it enters their environment to ensure that a compromise of their systems does not also result in a data breach of their customer’s payment information. With this layered security approach, merchants can continue “business as usual” with a significantly reduced level of risk.