Make sure the bad guys don’t get what they’re hoping for this Christmas
Published: Oct 19, 2017
Author: Rodolphe Simonetti
It’s approaching that time of year again. Summer is over and the festive season is just around the corner. This period is crucial to many retail and hospitality businesses, and they are crossing their fingers that 2017 will be a bumper year.
Whatever this holiday season brings, one thing is for sure, a significant portion of consumer spending is likely to be done online. Ecommerce represented 8.2% of retail sales in the US in the fourth quarter of 2016, amounting to over $100 billion1, and the trend is ever upwards.
Shopping on mobile devices is also rising in popularity, and purchases now often involve multiple devices. A consumer might research a purchase on their laptop, check availability on their smartphone, and pay using their smartwatch.
With the shift towards omnichannel retail experiences, it’s important that businesses keep customer data, including payment card data, secure across devices and channels.
The evolution of card security
Credit and debit cards have been around since the 1950s and 1970s, respectively, and over the years various security measures ranging from holograms to sophisticated electronic features have been added. These measures have made it harder to use stolen cards and create counterfeit cards. But criminals haven’t just given up. They’ve shifted their attention towards Card Not Present (CNP) attacks. These include transactions made over the phone or online—the latter being a particular target, driven by the rapid rise of ecommerce.
To address this growing form of crime, card brands are experimenting with a number of new card features. These include cards that have an electronic display, generating a new code every 30 seconds. So far, the only one to have made it to widespread use is 3D Secure—a form of two-factor authentication. When an online transaction is attempted, the cardholder is presented with an additional form asking for a password—if they haven’t created one yet they must enter additional personal information, like date of birth, to create one.
As well as changing cards, issuers are looking at how fraud detection can be improved. This has the benefit of being invisible to the user, so it won’t put them off making transactions. One promising method is using location data from the user’s smartphone to verify that they are where the transaction is happening. If not, the transaction can be blocked or additional verification requested.
But adding security measures is just part of the answer. Retailers must make sure that they have robust security measures in place. Otherwise your customers’ data may be left vulnerable—and a data breach could ruin anyone’s Christmas.
Protecting data during and after the transaction
Retailers need to protect data during the transaction, after payment is made and when it’s stored. Our top recommendations for retailers are:
- Be vigilant for evidence device tampering. You should be conducting regular checks of all devices which capture payment data. This should include training employees to recognize signs of tampering. And make sure that devices are stored securely when not being used.
- Encrypt data using the latest, more secure, methods. Websites and apps should be built using secure coding techniques and use the latest version of TLS. For in-person payments, point-to-point encryption (P2PE) protects data from the point-of-sale (POS) until it reaches a secure decryption environment.
- Make sure you, and any third parties processing your customer’s payment cards, have robust identification and access policies. This includes changing all default passwords, using strong authentication and making sure that users don’t share accounts. You shouldn’t keep any more data than you absolutely need, keep it longer than you need to, or give anybody access unless they need it to do their job. All simple security hygiene, but it’s amazing how many companies get these basic things wrong.
- Invest in your employees. They can be your greatest asset or your biggest weakness. Provide them with training so they can identify threats and raise the alarm, and monitor and measure the effectiveness of security controls. This is crucial to building a sustainable control system, one that stays effective as the company and the threat landscape change.
Our research has found that cyberattacks target businesses of all sizes, and just one data breach could have a long-lasting impact on your company’s reputation. If you want to reduce the chances of it happening to your organization, PCI DSS compliance can help. It covers all the above security measures, and many more.
Being compliant with PCI DSS doesn’t guarantee protection, but it goes a long way. Of all the payment card data breaches that the Verizon Threat Research Advisory Center (VTRAC) team has investigated since 2010, not one organization was 100% compliant when the breach occurred.
Keeping customer data safe isn’t just about passing a test once. Your security controls are being tested every day, and they need to be both robust and resilient. Customers put their trust in you every time they make a purchase. Don’t let them down.
For an in-depth look at payment security and PCI DSS compliance, read the Verizon 2017 Payment Security Report.
| Rodolphe Simonetti is the global managing director for the Security Assurance Consulting unit at Verizon. He currently leads a team of 170 resources spread across 20 countries. Rodolphe coordinates all security assurance services from simple assessments to complex programs within a global environment. Security Assurance Services include Governance Risk and Compliance (GRC), Payment Card Industry (PCI), Healthcare (HIPAA), Industrial Control, Internet of Things (IoT), Penetration Testing, Code Reviews as well as Hardware, Software and Solutions testing and certification (ICSA Labs). |
1 US Department of Commerce, Quarterly Retail E-Commerce Sales, August 2017.
[CS1] Link to PSR: Reputations blog