(6 min read)
The holiday shopping season is a target rich environment for cyber criminals. The world saw this reality unfold at the end of 2013 when Target’s point of sale system was compromised by malware, and the personal and financial information of customers was stolen between Nov. 27 and Dec. 15 – the busiest shopping days of the 2013 holiday season. Target publicly acknowledged the breach on Dec. 19, and by Christmas, transactions at Target for the same period had fallen about four percent from the prior year.
The Target breach and many others sounded the security alarm for retailers. Since then, retail organizations have made advancements and investments in security. Still, this year’s Verizon Data Breach Investigation Report showed denial of service, payment card skimmers, and vulnerable web / e-commerce applications were responsible for 75 percent of security incidents reported by retailers.
As the countdown to Black Friday and Cyber Monday shopping continues, here’s a short checklist of cyber security tips for retailers to help them ensure they are ready for shoppers on foot and online.
1 – Comply with data privacy laws and regulations
The EU started enforcing the General Data Protection Regulation (GDPR) on May 25, 2018. This regulation focuses on how personal data is collected, protected and retained. It applies to any organization operating within the EU as well as organizations outside the EU doing business with individuals or organizations within the EU. Sparked by the GDPR, 42 U.S. states as well as other countries around the world have initiated data privacy legislation. Implementing a GDPR awareness solution specifically designed for retailers can help educate staff that has direct interaction with the customers, whether online or face-to-face on how to better protect personal information.
2 – Train employees
Employees can either be the weakest link or the first line of defense in an organization’s security posture. Untrained and unprepared employees are a main vulnerability for businesses. They don’t behave with security being top of mind, and can more easily fall victim to phishing schemes, pretexting, or careless behavior resulting in the theft of equipment with sensitive information. Organizations that implement security awareness training programs can motivate employees to function with a security mindset and become an organization’s first line of defense in a cyber attack.
3 – Implement chip systems for point of sale transactions
In the wake of the Target breach, U.S. retailers more aggressively moved to implement the EMV® payment system that uses credit and debit cards with embedded chips requiring a PIN or signature to complete the transaction. This eliminates using the traditional magnetic stripe, which fraudsters can clone more easily. According to EMVCo, the global technical body made up of representatives from the major card issuers that facilitates the EMV® specifications and testing processes, 41 percent of U.S.-based card-present transactions in 2017 were EMV. And Visa reported U.S. fraud losses at chip-enabled merchants fell 75 percent.
4 – Check your site for malicious codes
With chip cards helping to curb data compromise at the point of sale, fraudsters are turning to new ways to capture your personal information during online, card-not-present transactions. Earlier this month Brian Krebs wrote about how bad actors are compromising e-commerce sites with malicious code. Within the piece, Krebs cites a security vendor that suggests this is how British Airways was breached and another vendor that said it saw 250,000 of these incidents in September alone.
5 – Offer multi-factor authentication for customers’ online accounts
Consider multi-factor authentication (MFA) for your customers to help reduce online fraud. The retail industry and the National Cybersecurity Center of Excellence are publishing guidance for using MFA during online transactions. If contextual parameters are out of scope, customers must provide an additional factor, such as a one-time password or a fingerprint, to complete the transaction.
6 – Check your POS terminals and network
Routinely audit loosely staffed payment terminals at self-checkouts and in department stores to ensure skimmers haven’t been attached to clandestinely capture sensitive information. It’s also a good idea to regularly check your in-store Wi-Fi network for rogue devices a bad actor may have installed.
7 – Encrypt the data
Even if you’ve done everything possible to prevent customer data from compromise, bad actors are always evolving their strategy and tactics. If you encrypt the data, no matter where it resides, it will stay protected even if the cyber criminals gain access to it.
Refresh your security awareness program by taking advantage of these valuable cyber security resources:
Free Webcast: Five Steps to Masterminding an Effective Security Awareness Program
Watch this webcast and learn how customers are leveraging the proven 5-step security awareness framework to design programs that deliver measurable improvements in security.
The Human Fix to Human Risk eBook
Download “The Human Fix to Human Risk,” to learn about Terranova’s simple five-step framework for implementing a comprehensive security awareness campaign that effectively changes employee behavior.