According to a July 2018 Fortune article, “more than 90% of the login traffic of online retailers actually comes from hackers using stolen login data.” Last year, “1.4 billion passwords were hacked, leaked, and dumped into an online document that circulated the information for hackers to reuse.”
What can your retail company do to secure itself from in-store and online shopping security risks?
Follow the Industry Standard
Any business that handles credit cards should be aware of the industry standard known as the Payment Card Industry Data Security Standard (PCI DSS). According to Leonard Wills and the American Bar Association, the information security standard “applies to all entities that store, process, or transmit cardholder data.” Many states and European countries require compliance to prevent a data breach.
So how can you begin to address these requirements?
PCI DSS consists of twelve requirements:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
PCI DSS suggests that firewalls – security devices used to block unauthorized access to private networks connected to the Internet – be used on all connections into and out of the network and be configured for both inbound and outbound traffic as well as for any separate wireless networks. There are two ways to set up a firewall: buy a self-contained router that includes firewall features, or dedicate a server to act as the firewall.
In addition, there should be no direct contact between the system components holding cardholder data and the internet.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
According to PCI DSS, “Cyber criminals often make use of vendor-supplied default passwords and settings to extract sensitive information.” Disable such passwords and settings before a system is installed on a network.
Protect Cardholder Data
3. Protect stored cardholder data.
In an effort to reduce online shopping security risks, PCI DSS suggests not holding customer data “unless it’s necessary to meet the needs of the business.” If it is necessary to hold customer data, limit the duration and purge it at least quarterly. PCI DSS also suggests never storing the sensitive data read from a card’s chip or magnetic stripe.
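The storage rules above can be enforced in code. The following is an added example, not from the original article or from PCI DSS itself: it refuses to store sensitive authentication data (CVV, PIN, track data), keeps only a masked account number, and purges records older than a retention window. The field names, the 90-day window and the sample records are constructed assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Field names that would hold sensitive authentication data read from the
# chip or stripe; assumed names for this example. These must never be stored.
SAD_FIELDS = {"cvv", "cvc", "pin", "track1", "track2", "magstripe", "chip_data"}
RETENTION_DAYS = 90  # "purge at least quarterly"; assumed policy value


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of the account number."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_record(record: dict) -> dict:
    """Return a storable copy: reject any SAD field, store only a masked PAN."""
    present = SAD_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    clean = dict(record)
    clean["pan"] = mask_pan(record["pan"])
    return clean


def purge_expired(records: list, now: datetime, retention_days: int = RETENTION_DAYS) -> list:
    """Drop every record stored before the retention cutoff."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["stored_at"] >= cutoff]


# Constructed sample data: one recent record and one past the retention window.
NOW = datetime(2018, 9, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"pan": "4111 1111 1111 1111", "stored_at": NOW - timedelta(days=10)},
    {"pan": "5500000000000004", "stored_at": NOW - timedelta(days=120)},
]

if __name__ == "__main__":
    print([sanitize_record(r)["pan"] for r in purge_expired(SAMPLE, NOW)])
```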
4. Encrypt transmission of cardholder data across open, public networks.
PCI DSS recommends encrypting transmission of cardholder data across open public networks (which cyber criminals may readily intercept) because it makes transmitted data “unreadable by any unauthorized person.” They suggest using “strong cryptography and security protocols such as SSL/TLS, SSH or IPSec to safeguard sensitive cardholder data during transmission over open.” A website can have a certificate for one of these protocols installed and then, according to f5, “the certificate enables the client and server to securely negotiate the level of encryption.”
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs.
Retailers have a responsibility to keep hackers out and to protect cardholder data from a data breach. PCI DSS suggests applying vulnerability management – “the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system” – to do this. One way you can do this is to regularly update anti-virus software and make sure the software is working and continuously running.
6. Develop and maintain secure systems and applications.
Despite precautions, vulnerabilities may still exist. PCI DSS notes many can be eliminated by installing vendor-provided security and software patches, “which perform a quick-repair job for a specific piece of programming code.” Subscribe to any vendor notifications of patch availability so you’re aware of these as soon as they are released.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
While certain employees in a retail business need access to cardholder data to perform their jobs, PCI DSS says, “systems and processes must be in place to limit access based on need to know and according to job responsibilities.”
You should determine who needs access based on your organizational structure. Those employees who are given access should be assigned a unique identification so that access activity can be tracked. In addition, hard copies of data should be restricted by keeping them in a secure place, out of reach of intruders.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
Without logs, discovering a breach is more difficult. According to PCI DSS, “… logs in all environments allow thorough tracking and analysis if something goes wrong.” The recommended way to do this is by automating “the access tracking procedure.”
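Requirements 7, 8 and 10 fit together: each person has a unique ID, access is limited by role, and every access is logged so it can be reviewed. The following is an added example, not from the original article, that reviews a handful of constructed access log lines and flags access to cardholder data from a shared account, from a user with no need-to-know role, in bulk, or outside business hours. The log format, role map, shared-account names and thresholds are all assumptions for the demonstration.

```python
import re

# Constructed access log lines (not from the page): timestamp, user, action, resource.
LOG_LINES = """\
2018-07-01T09:02:11Z uid=jsmith action=read resource=cardholder_db rows=1
2018-07-01T09:05:40Z uid=admin action=read resource=cardholder_db rows=2500
2018-07-01T09:07:03Z uid=mlee action=export resource=cardholder_db rows=40000
2018-07-01T09:09:15Z uid=jsmith action=read resource=inventory rows=3
2018-07-01T21:14:59Z uid=rkhan action=read resource=cardholder_db rows=12
""".splitlines()

# Requirement 7: who may touch cardholder data, by job role (assumed role map).
AUTHORIZED = {"jsmith": "cashier", "mlee": "finance", "rkhan": "finance"}
# Requirement 8: shared or generic accounts cannot be tied to one person.
SHARED_ACCOUNTS = {"admin", "root", "pos", "guest"}
BULK_ROW_THRESHOLD = 1000      # assumed review threshold
BUSINESS_HOURS = range(8, 20)  # assumed, in the log's UTC timestamps

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\S+) action=(?P<action>\S+) "
    r"resource=(?P<res>\S+) rows=(?P<rows>\d+)$"
)


def parse(line: str) -> dict:
    """Turn one log line into a dict; an unparseable line is itself a finding-worthy error."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    entry = m.groupdict()
    entry["rows"] = int(entry["rows"])
    return entry


def review(lines) -> list:
    """Return (reason, uid, timestamp) findings for every access to cardholder data."""
    findings = []
    for e in map(parse, lines):
        if e["res"] != "cardholder_db":
            continue  # only cardholder data is in scope for this review
        if e["uid"] in SHARED_ACCOUNTS:
            findings.append(("shared account, not attributable", e["uid"], e["ts"]))
        elif e["uid"] not in AUTHORIZED:
            findings.append(("no need-to-know role", e["uid"], e["ts"]))
        if e["rows"] >= BULK_ROW_THRESHOLD:
            findings.append(("bulk access", e["uid"], e["ts"]))
        if int(e["ts"][11:13]) not in BUSINESS_HOURS:
            findings.append(("outside business hours", e["uid"], e["ts"]))
    return findings


if __name__ == "__main__":
    for reason, uid, ts in review(LOG_LINES):
        print(f"{ts} {uid}: {reason}")
```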
11. Regularly test security systems and processes.
To prevent hackers who are constantly on the prowl, retailers should regularly test security systems and processes. “Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations,” says PCI DSS. To test the systems and processes, you can utilize an outside vendor to run internal and external network vulnerability scans.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
You should have data breach prevention policies in place, like any other workplace policy. When such a policy is in place and is shared, employees act with certainty. According to PCI DSS, a security policy “sets the tone for security affecting an organization’s entire company, and it informs employees of their expected duties related to security.”