PCI Compliance

Since the rise of the credit card, consumers have embraced the simplicity of swiping, leaving cash close to extinct by comparison. Modern-day shopping has become such a routine activity that consumers often forget the risk of transferring such sensitive information so frequently. Attackers are especially known to strike during peak shopping seasons, when consumers triple their normal spending. In fairness, retail breaches don’t just hit the pockets of consumers; they also jeopardize the security of merchants nationwide. But can merchants play a big enough role in prevention to assume responsibility for a breach? Who else plays a significant role in keeping the risk of breaches low by implementing secure technologies? Perhaps the industry that mandates regulations for retailers is not living up to its side of the bargain.

Luxury designers, such as Hermès, a French manufacturer of high-end clothing, are beefing up their physical security systems instead of investing in cybersecurity. These physical security systems run software that integrates with their existing infrastructure, making ‘monitoring’ more efficient. But has the software running on these physical security systems been tested for vulnerabilities before implementation? Having physical security systems in place has its advantages; however, thieves are no longer breaking in through the front door. High-end retailers like these should be spending revenue on their cybersecurity infrastructure rather than on ‘high-end’ physical security systems.

According to a cyber crime report by Hewlett Packard and the Ponemon Institute, a survey of 250 organizations worldwide, comprising 2,000 executives, determined that cyber-attacks affect all industries and markets. It is also significant that cyber-attacks cost the average American firm $15.4 million per year, double the global average of $7.7 million. Point-of-sale (POS) systems are the primary targets of attackers in the retail industry, and once compromised they are known to leak sensitive information, such as customer credit card information and personal data. Are these POS devices assessed periodically, along with the rest of the network they sit on?

Recently, the popular fast food chain Wendy’s experienced security incidents at many of its franchise locations, causing major concern over the leak of sensitive consumer data. Details provided evidence that malware was found on their POS systems, introduced through a compromised third-party vendor credential. The compromise was detected when banks and credit unions identified a spike in customer debt months prior to the public disclosure. Hackers were able to side-step PIN security features by using the payment card automated systems and supplying customer information, such as date of birth, social security number and card expiration date. The vast majority of this sensitive data was likely stolen by the malware. The automated system feature is itself a concerning flaw in the card processing system: hackers also exploit automated systems to reset PINs in an attempt to counterfeit debit cards and withdraw cash. Reports suggest the financial consequence of the Wendy’s breach amounted to significantly more than the widely known debit card account breaches seen recently at Target and Home Depot.

Card readers nationwide are now expected to use the ‘chip’ feature in place of outdated swiping, as mandated by the payment card industry last October. However, you may have noticed that many chip readers are still not in service. Chip readers must be certified before they can be put into operation; the problem is that there is a shortage of technicians to certify these systems. What makes the situation more unfair is that merchants are held responsible if they experience credit card counterfeiting even when the chip reader is ready for production but not yet certified. In a nutshell, the payment industry set guidelines and mandated a cutoff date, but continues to be unable to certify merchants, leaving the merchant liable if they experience credit card fraud.

The cases above show that the retail industry lacks thorough cybersecurity programs, as many retailers have suffered repercussions due to a lack of investment in proper security measures. While physical security measures should be put in place, the risks of not advancing a comprehensive cybersecurity program are usually more damaging. When implementing new technology in existing infrastructure, companies should assess the technology for flaws and the vendor’s commitment to maintaining a secure program in house. The security measures a vendor uses to protect data and respond to breaches should be understood as well. Retail companies should be taking major steps to ensure that they are constantly enhancing their cybersecurity programs, as hackers are continuously developing new techniques to undermine modern-day security. It is evident that personal data leaks and financial fraud are substantially more likely to occur than physical theft in the modern world, and it is devastating when retailers are unaware of a major breach. In the end, strengthening the security of a brand assures customers that you value their business.