By Cheryl McGrath
Vice President and Country General Manager – Canada
Optiv Security
Where has the year gone? The temperature is dropping, the leaves are turning, and the busy holiday shopping season is rapidly approaching. In some stores, it’s already here! For those of us in the world of cyber security, this means one thing: a significant amount of hype and stress around holiday security threats. Spend a little time reading the news and you’ll come across story after story warning consumers about being distracted and vulnerable to attackers and alerting retailers to the impending doom lurking behind a wave of new cyber-attacks designed to steal customer data.
There is an element of truth behind both of these “hype tracks.” But the reality is if you’re a retailer or any other business accepting credit cards and electronic payments, the holiday shopping season should not matter. Just as retailers tend to fully test and lock down their holiday websites in October in preparation for the big rush, payment security should not only be implemented well in advance of the holidays, it should be a standard 365-days-per-year discipline, just like managing inventory or staffing check-outs.
The Payment Card Industry Data Security Standard (PCI DSS) has done a satisfactory job of setting minimum standards for payment security, but many organizations incorrectly treat it as an entire security framework. Any security framework should be customized to a merchant’s specific risk profile – the business it’s in, the data it stores, the countermeasures it has in place, and the enemies who are most likely to attack. Complying with PCI standards is simply not enough in this threat landscape. Sure, your organization may achieve a minimal level of security by following PCI and similar guidelines, but the truth is this is not enough to secure the very complex world of monetary transactions in today’s connected world.
So, how should merchants go about implementing true payment security in their organizations? In most cases, this requires four steps:
- Establish Your Risk Profile: A website selling hand-crafted saxophone reeds will have a radically different risk profile from a giant retail chain with millions of customers and online, mobile and brick-and-mortar payment channels. The first step to moving beyond PCI DSS and into true payment security is to understand the full extent of your business risk: over what channels are you accepting payment? Where is your data stored? What kind of data are you storing? Who has access to that data? Who is most likely to want to steal that data, and how will they attack? These types of questions provide the vital inputs for developing a payment security strategy that is customized to the merchant’s specific operation.
- Focus on All Points of Sale: Organizations historically have focused on securing in-store and online credit card transactions. For many merchants, today’s security requirements are far broader and require securing data across the entire payment lifecycle – from the store, to online, to intermediaries and banks. There has also been a proliferation in payment channels that merchants must protect, including credit card readers, Square readers, online payments, digital wallets, and more. Understanding your complete array of payment channels, and the entire payment lifecycle, is key to establishing true payment security.
- Optimize Operations: Cyber operations are critical for meeting breach disclosure windows and for minimizing the likelihood of breaches. These competencies are especially important as payments move between consumers, point-of-sale systems, credit card providers and issuing banks. It takes a combination of the right people, processes, and technology to form the backbone of an effective payment security strategy.
- Don’t Forget the Network: Protecting against external threats is only half of the solution for payment security. Merchants also must protect against deliberate and accidental insider threats through strong identity and access management, application security, training and awareness programs, and more. Insiders account for nearly half of all data breaches, so it is truly critical to account for this threat vector in any payment security strategy.
With these steps, merchants can go a long way to improve payment security. However, these are not discrete steps – they are ongoing and interrelated, which is why the shopping season really should not be any different from any other time of year. Regardless of the season, you need to understand your constantly evolving risk profile; your points of sale; the state of your operational efficiency and effectiveness; and your internal security.
It’s all too easy to get caught in the holiday crush. But if your organization takes security seriously year-round, the holidays should be nothing to fear.