When it comes to store security, shoplifters and shifty employees are only part of the problem. Retailers also need to protect themselves from cybercrime, writes Graeme Pyper.
There’s a new calibre of security standards Australian retailers have to tackle. Shoplifters and shifty employees are only a part of the problem, with stores just as likely to have their data stolen by malicious hackers as to experience physical theft.
While many retailers are prepared for in-store theft with CCTV, alarms and security tags, when it comes to cybersecurity they are underprepared. According to Queensland Police, cybercrime now costs Australia over $4.5 billion annually, nearly double the estimated $2.4 billion in stolen goods and stocktaking errors, and is only set to rise.
Retailers must be aware that the effects of a data breach can be worse than they think. Gemalto’s Customer Loyalty Report revealed that a majority of Australians (58 per cent) would stop shopping with a retailer who experienced a breach, and a staggering 72 per cent would cease using companies if their financial and sensitive information, including card details, bank accounts or passwords, were compromised. If a retailer experiences a breach, it doesn’t just impact their reputation; it can influence their bottom line.
To help Australian retailers more effectively manage their data, the Payment Card Industry Security Standards Council is helping businesses understand how to store and handle their customers’ payment data with its Data Security Standard, or PCI DSS. This standard helps businesses process card payments securely and reduce card fraud. Previously regarded as ‘best practice’, the guidelines became mandatory in February, carrying with them legal and financial repercussions for failing to comply.
While PCI DSS may seem like yet another round of regulations to comply with, it is an essential one that all retailers should follow. For those that aren’t compliant yet, below are some simple steps.
1. Build and maintain a secure network
To do this, a retailer should install and maintain a firewall to restrict access to, and protect, data. It’s also crucial that products do not use vendor-supplied defaults for system passwords and other security parameters, as these are easily accessed.
2. Protect cardholder data
Only the absolute minimum amount of cardholder data should be stored, and certain data—such as the full contents of the card chip or magnetic stripe, the card verification number (CVN) or the personal identification number (PIN)—should never be stored.
When and where data is stored, solutions such as encryption, masking and hashing must be implemented. Without access to the proper encryption keys, encrypted data will be unreadable and unusable by hackers, even if it is stolen.
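To make step 2 concrete, here is an added example (not code from the article or from Gemalto) of preparing a transaction record for storage: the fields the standard forbids are dropped, the card number is masked to first six and last four digits, and a keyed hash is kept so transactions can still be matched to a card without storing the number. The field names, the HMAC key and the sample transaction are constructed for this illustration.

```python
import hashlib
import hmac
import re

# Fields that must never be stored after authorisation (CVN, PIN, chip/stripe track data).
FORBIDDEN_FIELDS = ("cvn", "pin", "track_data")


def normalise_pan(pan: str) -> str:
    """Strip spaces/dashes and check the card number is a plausible 13-19 digit PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Masking: keep at most the first six and last four digits, hide the rest."""
    digits = normalise_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the PAN. A plain unsalted hash is not enough: with the
    issuer prefix known, the remaining digits are few enough to brute-force."""
    return hmac.new(key, normalise_pan(pan).encode(), hashlib.sha256).hexdigest()


def sanitise_for_storage(txn: dict, key: bytes) -> dict:
    """Return a copy of the transaction that is safe to persist: forbidden fields
    removed, raw PAN replaced by its mask and its keyed hash."""
    stored = {k: v for k, v in txn.items() if k not in FORBIDDEN_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(txn["pan"])
    stored["pan_hmac"] = hash_pan(txn["pan"], key)
    return stored


def contains_raw_pan(record: dict) -> bool:
    """Check that no stored string value still carries a 13+ digit run (a leaked PAN)."""
    return any(re.search(r"\d{13,}", str(v)) for v in record.values())


# Constructed sample: the well-known test card number 4111 1111 1111 1111 and a demo key.
SAMPLE_TXN = {"txn_id": "T-0001", "amount": "42.50", "pan": "4111 1111 1111 1111",
              "cvn": "123", "pin": "0000", "track_data": "%B4111111111111111^TEST^2712..."}
DEMO_KEY = b"demo-key-rotate-me"  # assumption: in production this lives in a key manager

if __name__ == "__main__":
    print(sanitise_for_storage(SAMPLE_TXN, DEMO_KEY))
```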
3. Maintain a vulnerability management program
Antivirus software must be used on all systems and be constantly maintained and kept running to ensure systems are protected.
While many security vulnerabilities are quickly patched by software vendors, it’s also crucial that retailers ensure these patches are installed as soon as possible—the longer it takes, the higher the chance that an attacker will be able to exploit the vulnerability.
4. Implement strong access control measures
To prevent unauthorised access to data, systems should deny all access to employees by default. Only ‘need to know’ staff, such as accountants or HR, should be able to access personal data. To make this easier to enforce, all users should be assigned a unique ID, which lets a business see if anyone is attempting to access unauthorised data. In addition, multi-factor authentication must be used for internal and remote network access.
5. Regularly monitor and test networks
Logging mechanisms must be implemented to track potential data breaches. These audit trails link actions to individual users, highlighting things such as access to cardholder data or the deletion of files. As new vulnerabilities are regularly found and exploited, it is essential that system components, processes and custom software are regularly tested to ensure they are secure, and that all patches are installed quickly.
6. Maintain an information security policy
Finally, businesses must establish and maintain a security policy, which is periodically updated according to the changing risk environment. Organisations should also implement an incident response plan so they can respond immediately to any system breach.
These steps apply specifically to PCI DSS, but they go a long way towards ensuring a retailer is compliant with the broad range of data regulations now in place, such as NDB (Notifiable Data Breaches) and GDPR (General Data Protection Regulation).
Protecting customer data is essential to maintaining relationships and continued support from a retailer’s consumer base. Without trust, particularly with information as sensitive as payment details, a company’s bottom line can erode.
Graeme Pyper is regional director ANZ at Gemalto.