Retail and cyber security

As new research shows that the retail sector was targeted more than any other in cyber attacks in 2017, it is time for retailers to up their game when it comes to dealing with these organised attackers.

The most common way to compromise retail systems was phishing and social engineering, followed by malicious insiders and remote access. Payment-card data continues to be highly attractive to fraudsters, with the retail sector the key target for criminals, followed by finance and insurance and then hospitality.

Payment-card security has come a long way from the days of manual imprinters and signatures. The bad news is that security threats have also come a long way from someone physically stealing your card and copying your signature. Even though both chip and PIN and 3D secure (known as Verified by Visa and Mastercard SecureCode) were significant steps forward in the fight against fraud, they were, sadly far from the end of the battle, let alone the war.

In the earliest days of payment cards, security was essentially a physical matter. To begin with it was about cardholders keeping their cards safe and retailers checking signatures. As POS (point of sale) machines grew more sophisticated, it also grew to be about protecting them both from physical tampering and from online compromise.

Next, the arrival (and phenomenal growth) of the internet made online data security a major issue and, by the early 21st century, online fraud had reached crisis point for the payment-card industry. It was do or die for them, since their desire to become a key part of what was shaping up to be a very lucrative marketplace (i.e. ecommerce) was only ever going to be fulfilled if consumers had confidence that they could use their payment cards safely online.

So, the payment card industry introduced both PCI/DSS (or at least brought it into the form we know today) and 3D Secure, both of which made life a whole lot harder for fraudsters – from a technical perspective. Unfortunately, neither protocols nor new technologies in and of themselves will protect against compromise through a human backdoor, which is why fraud is increasingly making use of human agents, duped or otherwise.

Although it is still important to make use of all physical and technological defences against fraud, the next frontier in the fight to ensure end-to-end payment security both online and offline is to stop up the human security loopholes.

Recruitment is the first stage in this process and possibly the reason why retail has the highest level of security breaches is because it has traditionally been an environment which has relied heavily on short-term employees for peak periods.

Having said that, it should be remembered that by no means all security breaches come about as a result of the actions of lower-level staff. Higher level staff can be, and indeed are, targeted, which is why ongoing education is vital to long-term security. Additionally, insecure websites and inadequate action against phishing activities leave retailers at risk, so staff training as well as upgraded technical security should be considered by all online and offline retailers.