With a record year of online shopping expected this holiday season, it's crucial that retailers take the appropriate steps to keep not only their data, but the data of their customers secure. According to the Verizon 2017 Payment Security Report, only 50 percent of retail companies are fully compliant with the Payment Card Industry (PCI) Data Security Standard, the industry standard designed to help businesses that take card payments reduce fraud.
Though retailers did improve overall payment compliance, the industry ranked second to last in compliance, behind key industries including IT services (61.3 percent) and financial services (59.1 percent), and just ahead of hospitality (42.9 percent). PCI compliance is crucial for retailers, especially during peak shopping times like back-to-school and the holiday season. PCI compliance requires companies to reach and maintain a state of compliance that confirms they’re adequately prepared to address and prevent security breaches. Since security is always evolving, keeping retailers PCI compliant is one of the best ways to maintain the safety of important data and information.
Unique Compliance Challenges
As an industry, retailers face many difficult and unique challenges, often making PCI compliance time-consuming and difficult to achieve. According to the Payment Security Report, retailers were the least compliant in transmitting card data over unprotected networks, using vendor-supplied defaults, protecting stored card data, and destroying unnecessary hard-copy data when it's no longer needed.
A large contributor to these organization-wide issues is that retailers often have large workforces spread across locations nationwide. This not only makes managing personal devices challenging, but also complicates company-wide rollouts of new technology or software. With hundreds of workstations and salespeople, managing and maintaining security precautions such as malware protection can be difficult.
The pressures of business success can also be a cause of noncompliance. Retailers often operate on tight margins, limiting the budget for operating costs such as IT maintenance. Though this ultimately boosts store revenue, it can minimize the focus on security measures and lead to lax data management.
Getting Back on Track With Compliance
It's important for retailers to refocus on achieving and maintaining compliance. During last year's holiday shopping season, one out of every 97 transactions was a fraudulent attempt, according to ACI Worldwide. Without the proper security measures in place, the large amounts of sensitive data that retailers collect are at risk of being stolen and exploited.
Retail organizations that aren't compliant should follow these steps to become PCI compliant:
- Protect in-store devices. To prevent the theft of physical devices, use available technology such as geo-fencing within stores. From a merchant application perspective, combining multifactor authentication with geolocation and transactional velocity to detect fraudulent transactions before they're accepted adds an extra and much needed level of security.
- Authenticate access. Use multifactor authentication and strong passwords in an effort to prevent unauthorized access to servers or devices (especially those with NFC payment credentials). Additionally, authenticating, authorizing and logging activity for each employee should be implemented so that there's always a trail to follow if something goes wrong.
- Maintain an information security policy. Working to make sure a security policy is in place and widely known amongst the company is essential to maintaining compliance across locations and with employees as well.
It's also important to note that PCI compliance doesn't necessarily mean that a retail organization is completely secure. Security today requires proficiency — to understand the risks and maintain the capacity, capability and competence needed for data protection — and the resiliency to withstand changes to the environment. Cybercriminals are always improving, learning and working to stay one step ahead of retail security. Therefore, retail stores cannot check the box on compliance once and then walk away. Constant monitoring of updated regulations and the adoption of new technology are essential for the protection of their customers' important data.
Michele Dupré is group vice president of retail and hospitality at Verizon Enterprise Solutions, a technology solutions provider for retailers and brands.