Testing, Testing, Testing
Whether a retailer has directly experienced a data breach or watched the fallout from afar, chains industrywide still get chills when they hear details about the latest data theft. While retailers struggle to stay one step ahead of the hackers, there is hope. And this comes from constant internal testing.
I think it is fair to say that a majority of retailers have made it a priority to encrypt data and comply with PCI DSS (Payment Card Industry Data Security Standard). But it is not as if retailers had a choice.
The four major credit-card companies imposed the standard to protect cardholders against the misuse of their personal information. Retailers that weren’t validated by the late 2007 deadlines were subject to steep fines that, in some cases, reached $25,000.
While achieving PCI compliance is clearly important, the steps that retailers need to take to achieve data security run much deeper.
Here is the big picture: The PCI standard is just that—a standard. It is not a security measure. Just look at the fallout from the recent breach at Forever 21.
Forever 21 announced in September that its systems were illegally hacked sporadically in 2004 and 2007. Approximately 98,930 credit- and debit-card numbers were compromised.
On the upside, more than half of the lifted card numbers were no longer active. Hackers were after credit- and debit-card numbers and expiration dates, not customer names and addresses.
The retailer claimed it had been in compliance with PCI DSS since 2007 (a point that continues to be debated in the media), but that didn’t stop the chain from adding additional proactive security measures and regularly monitoring systems for intrusions after realizing the breach. It’s too bad they didn’t do more stringent testing sooner.
Cyber-thieves continue to target consumers’ personal data, and they are still using the same methods of retrieval: e-commerce sites, point-of-sale devices, gas pumps and ATMs. Consultants and freelancers, the masterminds behind inside jobs, simply use fake credentials to gain network access.
In Forever 21’s case, the hackers reportedly gained entry through a weakness in the data center. By the time Forever 21 was alerted to how they grabbed the sensitive data, it was too late.
That said, it is time to take ownership when creating security. There is no better way to establish this ownership than by stepping up and putting yourself to the test. Regularly testing for vulnerabilities, that is.
Data touches innumerous retail systems and nothing is immune to an attack. That’s why retailers need to have weekly and monthly “fire drills,” or staged attacks revolving around internal and external encryption, firewalls and virtual private networking.
Don’t be put off by failures. Detecting process breakdowns—and expertly fixing them—could make all the difference between thwarting a hack, and falling victim to one.
Please don’t misunderstand me. These hints are not the silver bullet to beating the bad guys. Hackers grow smarter by the day, and the industry struggles to stay one step ahead. Chains can no longer view security measures simply as a means to achieving some level of “compliance.”
Rather, it is the retailers that take a proactive, foundational approach that will find themselves with a much lower risk proposition.