Most retailers hold troves of customer payment and financial data that, in the age of data as an asset, are the modern equivalent of Fort Knox. The problem is that many retailers still fail to implement Fort Knox-worthy security measures, and they pay dearly for the shortfall.
The State of Cybersecurity in E-Commerce
The persistence of data thieves remains a significant threat to retailers.
Keeper Security’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report interviewed 2,000 IT and IT security professionals, 239 of whom were from the retail sector. The report found that 72 percent of retailers have experienced a digital attack during the lifespan of their company, while 61 percent had experienced such an attack in the past year alone.
For example, Macy’s announced that it had fallen victim to Magecart’s digital card-skimming code, which recorded customers’ payment information through the retailer's online payment portal. The code is thought to have been in place for over a week before Macy’s realized that its customers’ information was being stolen.
So what can other retailers do to avoid the fate of Macy’s and other retailer victims?
Implement Payment Card Industry (PCI) Compliance, and Communicate it to Consumers
The onus is on retailers to protect customer information, and Payment Card Industry (PCI) compliance is the elemental starting block.
Compliance with the PCI Data Security Standard (PCI DSS) is standard practice for responsible retailers, and those that have fallen short of it have been burned in a major way. Home Depot's 2014 breach, in which malware on self-checkout terminals exposed roughly 56 million payment cards, was reportedly enabled in part by out-of-date antivirus software and a lack of regular scanning on its point-of-sale systems, exactly the kinds of lapses PCI DSS is meant to catch. Treat compliance as a floor rather than a finish line: an assessment is a snapshot, and the controls have to keep working between assessments.
Even retailers that are PCI compliant often err by not telling consumers what they are doing to secure their data. Alerting customers to your data security measures can attract security-conscious shoppers, especially those who have had their data stolen in the past.
Encryption is a Must
Attackers have repeatedly broken into private networks, including those of retailers. What they generally cannot do is read data that was encrypted with a sound algorithm, provided the keys are stored separately from the data and were not stolen along with it. Encryption of cardholder data, both at rest and in transit, should therefore be a fundamental asset in every retailer's security tool belt; PCI DSS itself requires stored card numbers to be rendered unreadable and cardholder data to be encrypted when it crosses open networks.
Every online retailer should serve its site, and above all its checkout, over TLS (Transport Layer Security, the successor to the deprecated SSL protocol that most people still call "SSL"). A certificate from a public certificate authority is inexpensive or free, and modern web servers and hosting platforms enable TLS with a few lines of configuration, so the basics do not require a specialist. Be clear about what it does and does not do: TLS encrypts the connection between the customer's browser and your server so that card data cannot be read or altered in transit; it is not a barrier against intrusion into the server itself, and it would not have stopped the Macy's skimmer, which ran inside the page the retailer's own site served. Disable SSLv3 and early TLS (1.0 and 1.1), which PCI DSS no longer permits, enable HSTS so browsers refuse to fall back to plain HTTP, and treat TLS as a baseline that payment brands and browsers already expect rather than a future prerequisite.
For Better Security, In-Person Retailers Should Turn to EMV Card Readers
In-person shoppers have the same right to safe transactions that online shoppers do, and compromising a retailer's point-of-sale systems can be just as costly as an online breach.
Retailers that rely on physical card readers may be leaving their customers' data vulnerable if they have not installed Europay, Mastercard and Visa (EMV) card readers, also known as chip readers.
EMV does more than "encrypt" the swipe. The chip holds a card-unique key that never leaves it and uses that key to compute a cryptogram over the details of each transaction: the amount, a random value chosen by the terminal, and a counter that the chip increments every time it is used. The issuer verifies the cryptogram before approving, so data captured from one transaction cannot be replayed for another or used to build a working counterfeit chip card. Magstripe track data, by contrast, is static: anyone who copies it once with a skimmer can encode a clone that works anywhere a swipe is still accepted. One caveat a practitioner should keep in mind is that EMV protects the card-present transaction only; a skimmed card number and expiry date can still be used for online, card-not-present fraud, which is where fraud tends to shift once chip readers are in place.
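The following is an added illustration, not code from this article or from RSI Security, of why a chip transaction resists skimming while a swipe does not. It is a deliberately simplified model: a real EMV card derives session keys and computes a 3DES or AES MAC over the data list the terminal specifies, whereas here HMAC-SHA256 over a fixed set of fields stands in for that, and the card number is a constructed test value. The issuer checks the cryptogram against the amount and terminal nonce it actually received, then checks the transaction counter to reject replays.

```python
import hashlib
import hmac
import secrets

# Simplified model of EMV online authorisation (added example, not EMV's real
# algorithm): HMAC-SHA256 substitutes for the card's 3DES/AES MAC, and the
# field list below is a stand-in for the terminal's CDOL1 data. Constructed
# test card number; it is not a real account.
TEST_PAN = "4111111111111111"


def _cryptogram_input(pan: str, amount_cents: int, atc: int, unpredictable_number: bytes) -> bytes:
    """Fields bound into the cryptogram: which card, how much, which transaction
    (the counter) and a terminal-chosen nonce so nothing can be precomputed."""
    return (pan.encode() + amount_cents.to_bytes(6, "big")
            + atc.to_bytes(2, "big") + unpredictable_number)


class ChipCard:
    """The chip: a card-unique key that never leaves it, plus a transaction counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0  # Application Transaction Counter, incremented per use

    def generate_arqc(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        self.atc += 1
        data = _cryptogram_input(self.pan, amount_cents, self.atc, unpredictable_number)
        mac = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "arqc": mac}


class Issuer:
    """The issuer: holds each card's key and the last counter value it has seen."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_magstripe(self, pan: str) -> bool:
        """A swipe only delivers static track data, so the issuer has nothing to
        distinguish the genuine card from a skimmer's copy."""
        return pan in self._keys

    def authorize(self, request: dict, amount_cents: int, unpredictable_number: bytes) -> bool:
        """The terminal forwards the chip's message plus the amount and nonce it
        used. The issuer recomputes the cryptogram (binding amount and nonce),
        then rejects any counter value it has already accepted (replay)."""
        key = self._keys.get(request["pan"])
        if key is None:
            return False
        data = _cryptogram_input(request["pan"], amount_cents, request["atc"], unpredictable_number)
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, request["arqc"]):
            return False  # amount or nonce differs from what the chip signed
        if request["atc"] <= self._last_atc[request["pan"]]:
            return False  # same transaction presented twice
        self._last_atc[request["pan"]] = request["atc"]
        return True


def run_scenarios() -> dict:
    issuer = Issuer()
    card = issuer.issue_card(TEST_PAN)
    results = {}

    # Magstripe: a skimmer's copy of the track data is accepted like the original.
    skimmed_track = str(TEST_PAN)
    results["magstripe_clone"] = issuer.authorize_magstripe(skimmed_track)

    # EMV, genuine $19.99 purchase: the terminal picks a nonce, the chip signs.
    un = secrets.token_bytes(4)
    genuine = card.generate_arqc(1999, un)
    results["genuine"] = issuer.authorize(genuine, 1999, un)

    # A skimmer that captured the whole exchange tries to spend $500 with it at
    # another terminal (different nonce): the cryptogram does not verify.
    results["skimmed_reuse"] = issuer.authorize(genuine, 50000, secrets.token_bytes(4))

    # The identical message sent again, same amount and nonce: blocked by the counter.
    results["replay"] = issuer.authorize(genuine, 1999, un)

    # The card's next genuine transaction still goes through.
    un2 = secrets.token_bytes(4)
    results["next_genuine"] = issuer.authorize(card.generate_arqc(450, un2), 450, un2)
    return results


if __name__ == "__main__":
    for name, approved in run_scenarios().items():
        print(f"{name}: {'approved' if approved else 'declined'}")
```

Note that the cryptogram check fails before the counter check in the skimmed-reuse case, which is the property that matters in the field: the captured data is worthless for any transaction other than the one it was created for, and even that one can only be approved once.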
Ensure That Your Entire Operation is on the Same Page Security-Wise
A culture of data security helps prevent the lapses that allow a breach. Emphasize to everyone in your retail operation why your security practices exist, explaining why measures like encryption have been put in place and that security is a fundamental element in protecting your brand's reputation.
For example, staff who understand EMV will not let a customer swipe a chip card when the terminal asks for it to be inserted, and will know to report a terminal that looks tampered with or carries an unfamiliar overlay. Either habit can keep a single customer's card from being captured by a skimmer.
Consider a Security Consultant to Test Your Systems for Weaknesses
Part of the reason large retailers have been easy marks for data thieves is that a retail operation has numerous moving parts to tend to, and security does not always land atop the priority list. Discounting security is a grave mistake: customer data protection should now be first and foremost in every retail operation, particularly those with a digital presence.
There is truth in the adage that a fresh pair of eyes sees what yours might have missed, which is why bringing in security professionals to test, implement or augment your security processes is advisable. A penetration test against your storefront and point-of-sale environment shows what an attacker can actually reach, and PCI DSS already expects periodic penetration testing and quarterly vulnerability scans of the cardholder data environment. Outside assessors will likely also suggest data-loss prevention (DLP) techniques you had not considered, and may have a more efficient, effective way of deploying your data security systems.
Also consider that unifying security practices and systems throughout the entire retail operation is critical. It is great that your customers' card data is encrypted, but if your in-house accounting department's records sit on systems with outdated, unpatched security software, what have you really accomplished?
We're in the Age of Digital Thievery; Protect Yourself by All Means
The idea that data has become a more valuable resource than oil is supported by hackers' tenacity in pursuing customer information by any means available.
As retailers, we have a choice: instead of being paralyzed by inaction in the face of data security threats, we can use every resource at hand to protect our own and our customers' data, with encryption, PCI compliance and EMV card readers as a start. These are first steps in the battle against data thieves, and such controls are the front line between your brand's reputation and the hackers who will stop at nothing to exploit your customers' data.
John Shin is the managing director at RSI Security and has 18 years of leadership, management and information technology experience. He is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM) and a Project Management Professional (PMP).