To honor the Council’s 10th birthday―and just in time for a new retail holiday season― let’s look back on how retail security challenges have intensified over the past decade.
The PCI Council’s inaugural year coincided with one of the first highly public, holiday-season retail breaches when, in December 2006, retailer giant TJX acknowledged that they had been the victim of a major breach, stemming from an insecure wireless network that was easily attacked by cybercriminals. This news both underscored the urgent need for compliance standards as well as highlighted the challenges facing the industry.
Then and Now: What’s Changed in 10 Years?
As these stats show, retailers face a Sisyphean task―trying to protect more and more vulnerable points of entry from ever-growing, sophisticated attacks.
- Compliance went up! Not surprisingly, PCI DSS compliance rates increased substantially in the last decade, from a 12% in March 2006 up to an average 93.4% in 2014 (which is the latest published figures).
- Ecommerce matured. S. ecommerce Q4 sales grew from $30 billion in 2006 to almost $100 billion in 2015, and virtually tripled as a percentage of overall retail sales for the same period. This year, 50% of surveyed consumers plan to shop online and also expect to spend almost half their holiday budget online.
- Smartphones happened. This one feels like cheating since the iPhone wasn’t announced until 2007. By mid-2016, there were 9 billion global smart phone users who are driving the increase of mobile ecommerce.
- Cyber Monday rules. Cyber Monday was brand-spanking new in 2006. Cyber Monday online sales have grown from $610 million in 2006 to $2.3 billion in 2015. (And here comes Singles Day!)
- POS went mobile. Electronic point-of-sale (ePOS) devices weren’t even mentioned in a 2006 RIS News retail technology study. By 2016, retailers are moving past ePOS to mobile POS (mPOS), with 69% of retailers planning to increase the use of mPOS devices in the next two years.
- Attacks took the lead. In 2006, 32% of retail breaches were due to malicious third-party hacking or malware attacks. (An equal number were the result of lost, discarded or stolen devices.) By 2014, third-party and malware attacks caused 83% of tracked breaches. In preliminary 2015 figures, they are trending to 90%.
- Malware exploded. The last decade has seen a malware tsunami wave that keeps growing with no crest in sight. 7,500,000 unique malware samples were recorded in 2006, with almost 600,000,000 in 2016.
- Connectivity still challenges. In 2006, dial-up connectivity was still a thing for retailers. Ten years later, connectivity remains a high priority, but now retailers worry about WiFi connectivity and speed impeding their mPOS rollout.
- Time and retailers ≠ BFFs. The good news is that from 2006 to 2015 the percentage of breaches where ‘time to compromise’/‘time to discovery’ was ‘days or less’ has gone up. The bad news―it hasn’t gone up much. While the trend line indicates a gradual increase from about 15% to just under 25%, it still isn’t a pretty picture.
- PCI DSS made a difference. PCI regulations drive cybersecurity projects and top mPOS list of concerns. In fact, a 2015 Verizon study suggested a “strong correlation between not being PCI DSS compliant and being more susceptible to a data breach involving payment card information.” However, the study continues that “PCI DSS compliance should not be seen in isolation, but as part of a comprehensive information security and risk-management strategy.”
Better Protection through Layered Security
As new forms of consumer payments―such as digital wallets―becoming increasingly popular, hackers will use this information to adapt and find even more ways to infiltrate retailer systems to steal consumer data.
As it is, every month seems to bring news of another retail breach―Vera Bradley and Eddie Bauer were just added to a rogue’s list that includes Target and Neiman Marcus. If companies of this size and stature can be successfully infiltrated, who’s to say that it couldn’t happen to any company that claims to be PCI compliant?
Retailers need to go beyond “compliance” to a layered security approach. Taking a more inclusive approach can―with the right technology and automation―improve security while freeing up time for IT staff to work on more strategic projects. What is included in this layered approach?
- Full 360O visibility. You can’t manage what you can’t see. You need a solution that easily and continually discovers all devices on your network, including servers, laptops, all flavors of POS, kiosks, mobile devices, scanners, and peripherals. It also needs to constantly collect real-time status on all operating details for these devices.
- Consistent anti-virus and anti-malware (AV/AM). Once all devices are visible, you need to ensure that they are protected with AV/AM software. Installing is just the beginning―you need to update systems to ensure they are always running the latest versions. So get a system that makes this easy and automatic.
- Keeping patches current. All devices need to be up-to-date on Microsoft and other 3rd-party patches. Patches and updates can be tested centrally then pushed out to all machines or select groups once they are proven safe. Again, with the right type of automation, you can be confident that all patch updates are successful―and that you’ll get an alert if they aren’t.
- Policy-based configurations. Look for solutions that enable multiple sets of policies to be applied automatically to each device, and that can check that each device is in compliance with its assigned policies. This way, you can standardize and update your entire infrastructure with confidence. Of course, doing this successfully depends on powerful and flexible automation to keep up with multiple policies and update many devices by simply changing a policy once.
- Complete Identity and Access Management (IAM). You already know you can’t use vendor-supplied defaults for system passwords. IAM takes this further by including multi-factor authentication (MFA), which is also a PCI DSS requirement. IAM also includes centralized credential management, policy-based rules, and Single Sign On for end users (including partners―remember how Target was breached!) to keep internal systems protected.
- Policy-based access. You need to be able to create as many policies about access as for device configurations. With these policies in place, you can quickly and completely delimit access to systems and data based on staff’s functionality and job requirements. In addition, you can create policies to require password changes after so many days and/or lockout rules after so many failed login attempts. Location-based rules would control when and where users can sign in―limiting user access, for example, by location such as building, city, country, etc. This can protect against unverified users accessing systems and POS devices.
- Deprovisioning users. Statistically, admins enable more users than they disable. While outside attacks lead the list of retail breaches, it’s only prudent to make sure you have a way to quickly and completely deprovision a user―whether employee, sysadmin, partner, or vendor―from all corporate systems.
- Alerts on usage patterns. You need to be alerted of any potential security breach beyond viruses and malware, including unusual patterns of user behavior or access or suspicious spikes in bandwidth utilization.
- App blocking. Disallowing certain apps―say peer-to-peer apps or Flash―can help keep systems clean and running strong. This also provides another security dimensions since apps that are more vulnerable can be blacklisted to prevent users from installing and inadvertently creating an enticing entry point for hackers.
- Real-time tracking alerts. If a POS device, laptop or server idea leaves a building, you should know instantly where it is once it’s back online.
- Secure/destroy data. Once you know a device has gone out of corporate control, you need to be able to ensure the data on the system is not accessible to malicious players. You need the ability to remotely disable the device, encrypt the data, or even destroy the OS on that device.
- Regular, routine backups. Of course backups are necessary and, in light of PCI compliance, require protection via encryption and access. However, complete and regular backups are also a defense against CryptoLocker and other ransomware attacks.
So, happy birthday, PCI Council! You’ve made a huge contribution to increasing the security of consumer information. It’s not a ding on you if retailers realize they need to think beyond “compliance” in order to maximize protection of their corporate systems and customer data.