In this blog we explore the challenges around security of payment data during the hectic holiday season and provide tips and best practices to help retailers better secure their payment data.
It has been nearly twenty months since the outbreak of the COVID-19 global pandemic, which has had a profound and lasting impact on the retail and hospitality business community. As we slowly begin to emerge from the pandemic, the upcoming holiday season offers both possibilities and potential new threats when it comes to payments.
In this blog, we discuss the challenges of payment security during the busy holiday season with Troy Leach, senior vice president, engagement officer for the PCI Security Standards Council (PCI SSC) and Suzie Squier, president of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC). RH-ISAC is an organization that creates a secure place for retailers to share cybersecurity information and intelligence to not only better protect their own companies, but also strengthen the entire retail sector.
Why is awareness of protecting payment data so important for the retail industry?
Suzie Squier: We know that threats to cybersecurity have emerged as one of the biggest risk factors for our industry and impact retailers both big and small. Multiple reporting sources show retail being in the top 5 most targeted industries for cyber criminals. With the chaos created by the global pandemic, the number of serious critical vulnerabilities we’ve seen from 2020 to 2021, and the prolific rise in ransomware, the threats are growing, so it is important to take steps now to educate retail owners and employees on how to better protect their business. Cyber criminals know that retailers are juggling a lot of challenges and have time and resource limitations. Retailers all across the globe are making cybersecurity an important priority. Our mission at the RH-ISAC is to help retailers better understand the threat landscape and offer best practices and guidance on how to better secure their organizations.
Why is the holiday season a potential risk for retailers?
Suzie Squier: The holiday season is the busiest time of the year for the retail and hospitality community, and it can be overwhelming. It is the busiest time of the year for retailers and a time when system availability is most important. Criminals know this and often increase their attacks dramatically on businesses at this time of year. In some cases, cyber criminals have identified vulnerabilities in the payment system of a business and have waited for months until the holiday season to exploit them. They are betting that the hectic holiday season serves as a distraction.
A recent forecast by the Adobe Digital Economy Index predicts that the 2021 holiday season will break records for online shopping spending. The index predicts a 10% jump in online holiday sales over 2020, and global holiday online spending is projected to be $910 billion during the holidays. In fact, it is estimated that online spending will top $4.1 trillion in all of 2021, setting a new e-commerce milestone. Those statistics present tremendous opportunities for businesses and attractive targets for criminals.
Download the Adobe Holiday Forecast 2021 report.
What tips and best practices should retailers be aware of during the busy holiday season?
Troy Leach: There is a lot a business can do to better prepare themselves for the intense holiday season. It is best to prepare in advance rather than wait to address payment security once the holiday shopping season is in full swing. Some helpful tips include:
- Be alert – Be on notice that attacks could happen. Understand this is the time of year when criminals like to attack. Too many businesses do not even think of themselves as being a potential target, assuming only large enterprises are at risk. Today, businesses of all sizes need to take payment security seriously. The attacks are most often automated and do not discriminate on the size of the organization. Know what threats are out there and work to implement best practices to defend against them.
- Patching – This has made headlines in recent years with several data compromises as a result of not updating to the newest version of software. Patches fix known vulnerabilities, vulnerabilities that are also known to the criminals. Stay up-to-date on the latest patches that are available for known vulnerabilities. Do not put off patching until after the holiday season. If you have a vulnerability, after the holidays will be too late. The criminals are counting on you to put this off until next year. Make it a priority now, before it gets super busy.
- Authenticate Access – Pay particular attention to third parties connecting to your payment data system, the privilege level of that access and removing access when no longer needed. A common point of compromise is when legitimate remote support access is left on after the service has been completed. Monitoring access activity and vigilance in keeping access rights is a necessity in today’s world. You should remove default passwords, leverage multi-factor authentication (MFA) and know at all times who has access to your payment systems.
- Inspect Payment Devices Regularly – For in-store payment devices, have employees inspect point-of-sale payment terminals every day as skimming devices could be added in a matter of seconds. A good practice is to inspect the terminals at the beginning and end of each shift. Enlist the help of your employees who are the front line of defense against point-of-sale terminal tampering. Additionally, retailers should ensure that they have endpoint detection systems deployed to all devices that are attached to card payment processors. They should also make sure the network the payment card processing device is attached to is well protected and secured.
- Train your temporary employees – The busy holiday season is a time when many employers hire additional, temporary staff. Take time to make sure your temporary workers are well trained on good payment security practices both in-person and on-line and are on guard for fraudsters during this hectic season. Teach them the likely signs of social engineering and share visual examples of what a compromised terminal may look like.
Where can businesses get more information about ways to better secure their payment data?
Troy Leach: The PCI SSC has devoted a lot of time and effort to developing free, dedicated resources designed to help merchants like those in the retail industry to better understand the threats they face and the good security practices that can help them to better protect themselves and their customers. Earlier this year we developed a Back-to-Basics series which shares payment data security best practices on a range of topics. This was based upon feedback we received from our global stakeholders and can serve as a valuable resource for reminding businesses about some of the fundamentals of payment security. The PCI SSC has also developed content highlighting looming threats that every business should be aware of and on alert for during the holidays.
For more information please check out some of our dedicated resources for merchants:
- PCI Perspectives Blog
- PCI SSC Website Merchant Resources
- Guide to Safe Payments
- 8 Tips for Small Merchants: Protecting Payment Data During COVID-19
Suzie Squier: Likewise, RH-ISAC has put together materials designed to help those in the retail industry better understand cybersecurity threats and provide helpful best practices. Our blogs, podcasts and other resources offer tremendous guidance and resources to our members. Those resources represent a great starting point for retailers who are looking for assistance when it comes to implementing good cybersecurity practices.