It has been nearly twenty months since the outbreak of the COVID-19 global pandemic which has had a profound and lasting impact on the retail and hospitality business community. As we slowly begin to emerge from the pandemic, the upcoming holiday season offers both possibilities and potential new threats when it comes to payments.
In this blog post, we discuss the challenges of payment security during the busy holiday season with Troy Leach, senior vice president, engagement officer for the PCI Security Standards Council (PCI SSC), and Suzie Squier, president of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).
Why is awareness of protecting payment data so important for the retail industry?
Suzie Squier: We know that threats to cybersecurity have emerged as one of the biggest risk factors for our industry and impact retailers both big and small. Multiple reporting sources show retail being in the top five most targeted industries for cybercriminals. The increased number of critical vulnerabilities and the prolific rise in ransomware demonstrate how cyber threats are growing, so it is important to take steps now to educate retail owners and employees on how to better protect their business. Cybercriminals know that retailers are juggling a lot of challenges and have time and resource limitations. Retailers all across the globe are making cybersecurity an important priority. Our mission at the RH-ISAC is to help retailers better understand the threat landscape and offer best practices and guidance on how to better secure their organizations.
Why is the holiday season a potential risk for retailers?
Suzie Squier: The holiday season is the busiest time of the year for the retail and hospitality community, and it can be overwhelming. It is the busiest time of the year for retailers and a time when system availability is most important. Criminals know this and often increase their attacks dramatically on businesses at this time of year. In some cases, cybercriminals have identified vulnerabilities in the payment system of a business and have waited for months until the holiday season to exploit it. They are betting that the hectic holiday season serves as a distraction.
A recent forecast by the Adobe Digital Economy Index predicts that the 2021 holiday season will break records for online shopping spending. The index predicts a 10% jump in online holiday sales over 2020, and global holiday online spending is projected to be $910 billion during the holidays. In fact, it is estimated that online spending will top $4.1 trillion in all of 2021, setting a new e-commerce milestone. Those statistics present tremendous opportunities for businesses and attractive targets for criminals.
What tips and best practices should retailers be aware of during the busy holiday season?
Troy Leach: There is a lot a business can do to better prepare itself for the intense holiday season. It is best to prepare in advance rather than wait to address payment security once the holiday shopping season is in full swing. Some helpful tips include:
- Be alert – Be on notice that attacks could happen. Understand this is the time of year when criminals like to attack. Too many businesses do not even think of themselves as being a potential target, assuming only large enterprises are at risk. Today, businesses of all sizes need to take payment security seriously. The attacks are most often automated and do not discriminate on the size of the organization. Know what threats are out there and work to implement best practices to defend against them.
- Patching – This has made headlines in recent years with several data compromises as a result of not updating to the newest version of software. Patches fix known vulnerabilities, including those that are also known to criminals. Stay up-to-date on the latest patches that are available for known vulnerabilities. Do not put off patching until after the holiday season. If you have a vulnerability, after the holidays will be too late. The criminals are counting on you to put this off until next year; make it a priority now before it gets super busy.
- Authenticate Access – Pay particular attention to third parties connecting to your payment data system, the privilege level of that access and removing access when no longer needed. A common point of compromise is when legitimate remote support access is left on after the service has been completed. Monitoring access activity and vigilance in keeping access rights is a necessity in today’s world. You should remove default passwords, leverage multi-factor authentication (MFA) and know at all times who has access to your payment systems.
- Inspect Payment Devices Regularly – For in-store payment devices, have employees inspect point-of-sale payment terminals every day as skimming devices could be added in a matter of seconds. A good practice is to inspect the terminals at the beginning and end of each shift. Enlist the help of your employees who are the front line of defense against point-of-sale terminal tampering. Additionally, retailers should ensure that they have endpoint detection systems deployed to all devices that are attached to card payment processors. They should also make sure the network the payment card processing device is attached to is well protected and secured.
- Train your temporary employees – The busy holiday season is a time when many employers hire additional, temporary staff. Take time to make sure your temporary workers are well trained on good payment security practices both in-person and online and are on guard for fraudsters during this hectic season. Teach them the likely signs of social engineering and share visual examples of what a compromised terminal may look like.
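The "Authenticate Access" tip above can be turned into a routine audit of third-party and remote-support accounts on payment systems. The script below is an added example for this page, not code from the original post, the PCI SSC or RH-ISAC; the access-record fields, the 30-day idle and 7-day grant thresholds, the set of privileged roles and the sample vendor accounts are all assumptions constructed for illustration.

```python
"""Audit third-party / remote-support access grants to payment systems.

Added example (not from the original post, the PCI SSC or RH-ISAC).
It checks each access grant for the problems named in the interview:
access left on after the service ticket closed, no expiry, stale use,
default passwords, missing MFA and unnecessarily high privilege.
The record layout and thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy thresholds (not from the original post).
MAX_IDLE_DAYS = 30            # remote-support access unused this long is stale
MAX_GRANT_DAYS = 7            # vendor support access should expire within a week
PRIVILEGED_ROLES = {"admin", "root", "db_owner"}


@dataclass
class AccessGrant:
    account: str
    vendor: str
    role: str
    granted: date
    expires: Optional[date]       # None means no expiry was set
    last_login: Optional[date]    # None means the account was never used
    mfa_enabled: bool
    default_password: bool        # still on the vendor's shipped credential
    ticket_closed: bool           # the service request this access was for is closed


def audit_grant(g: AccessGrant, today: date) -> List[str]:
    """Return the list of findings for one grant (empty list means clean)."""
    findings: List[str] = []
    if g.default_password:
        findings.append("default password still set")
    if not g.mfa_enabled:
        findings.append("MFA not enforced")
    if g.expires is None:
        findings.append("no expiry on vendor access")
    elif g.expires < today:
        findings.append("access past expiry but still enabled")
    elif (g.expires - g.granted).days > MAX_GRANT_DAYS:
        findings.append(f"grant longer than {MAX_GRANT_DAYS} days")
    if g.ticket_closed:
        findings.append("support ticket closed, access should have been removed")
    # An account that was never used has been idle since it was granted.
    idle_since = g.last_login or g.granted
    if (today - idle_since).days > MAX_IDLE_DAYS:
        findings.append(f"unused for more than {MAX_IDLE_DAYS} days")
    if g.role in PRIVILEGED_ROLES:
        findings.append(f"privileged role '{g.role}' for a third party; confirm least privilege")
    return findings


def audit(grants: List[AccessGrant], today: date) -> Dict[str, List[str]]:
    """Map each account with at least one finding to its findings."""
    report: Dict[str, List[str]] = {}
    for g in grants:
        findings = audit_grant(g, today)
        if findings:
            report[g.account] = findings
    return report


# Constructed sample data: three vendor accounts as a small merchant might list them.
TODAY = date(2021, 11, 15)
SAMPLE_GRANTS = [
    # POS vendor left an admin account on after an August service visit.
    AccessGrant("pos-vendor-svc", "POS Vendor Inc", "admin", date(2021, 8, 2),
                None, date(2021, 8, 3), mfa_enabled=False, default_password=True,
                ticket_closed=True),
    # Payment processor support with a short, open ticket and MFA: clean.
    AccessGrant("acme-support", "Acme Payments", "support", date(2021, 11, 12),
                date(2021, 11, 17), date(2021, 11, 14), mfa_enabled=True,
                default_password=False, ticket_closed=False),
    # Expired HVAC contractor account that was never disabled or used.
    AccessGrant("hvac-remote", "HVAC Co", "readonly", date(2021, 6, 1),
                date(2021, 6, 30), None, mfa_enabled=True, default_password=False,
                ticket_closed=True),
]

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_GRANTS, TODAY).items():
        print(account)
        for finding in findings:
            print("  -", finding)
```

Run on the constructed data, the clean processor account produces no findings, the POS vendor account is flagged for all six problems, and the HVAC account is flagged as expired, still enabled after its ticket closed, and unused. Feeding the same checks real records exported from a remote-access gateway or directory turns the tip into a repeatable pre-holiday review.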
Where can businesses get more information about ways to better secure their payment data?
Troy Leach: The PCI SSC has devoted a lot of time and effort to developing free, dedicated resources designed to help merchants like those in the retail industry better understand the threats they face and the good security practices that can help them to better protect themselves and their customers. Earlier this year we developed a Back-to-Basics series that shares payment data security best practices on a range of topics. This was based upon feedback we received from our global stakeholders and can serve as a valuable resource for reminding businesses about some of the fundamentals of payment security. The PCI SSC has also developed content highlighting looming threats that every business should be aware of and on alert for during the holidays.
For more information please check out some of our dedicated resources for merchants:
- PCI SSC Blog
- Resources for Small Merchants
- Small Merchant Guide to Safe Payments
- 8 Tips for Small Merchants to Protect Payment Data
- Holiday Season Cybersecurity
Suzie Squier: Likewise, RH-ISAC has put together materials designed to help those in the retail industry better understand cybersecurity threats and provide helpful best practices. Our blogs, podcasts, and other resources offer tremendous guidance and resources to our members. Those resources represent a great starting point for retailers who are looking for assistance when it comes to implementing good cybersecurity practices. Additionally, RH-ISAC members can access numerous resources on our Member Exchange portal.