Preventing the Common Lot of Retail ‘Breachiness’
Hardly a month goes by without a media report of another security breach in the retail industry. Target, eBay, Neiman Marcus, The Home Depot, Jimmy John's, Dairy Queen: the list of large retail and restaurant chains exposed to cyberattacks in recent years is unprecedentedly long. A retail data breach is large scale not only in the number of people affected, but also in its cost. The August 2013 Nilson Report marked an almost sixfold increase in credit card fraud cost since 2000, and that figure is expected to keep growing.
The tendency toward "breachiness" is well documented in successive Verizon Data Breach Investigations Reports. Payment card data remains one of the easiest types of data to convert to cash, and is therefore the preferred target of criminals. This poses a clear danger for IT departments, considering that 74 percent of attacks on retail, accommodation and food service companies target payment card information. As a result, organizations tend to suffer monetary losses (e.g., huge unplanned investments in IT security or fines for noncompliance), drops in profit, litigation, reputation damage and diminished customer loyalty.
What primarily raises concerns among authorities, business owners and their customers is the alarming ease with which cyber criminals are able to gain access to sensitive information held by retailers. Despite an obligation to comply with PCI DSS, only 11 percent of companies managed to meet all 12 requirements of the standard, according to the 2014 Verizon PCI Compliance Report. That means almost 90 percent of companies left the door open and provided opportunities for a data leak.
The main problem revealed itself when Verizon's report found that companies don't see compliance as a continuous process; instead they treat it as a one-off annual duty, and the requirements fall off the radar once they have been met. Despite increased attention to strengthening overall security, organizations still struggle to make compliance an ongoing practice. According to the 2015 Verizon PCI Compliance Report, not a single company was fully compliant at the time of its breach. Yet meeting compliance requirements on its own doesn't prevent a security breach, whereas being genuinely secure does help an organization avoid falling out of compliance.