5 Security Controls Ecommerce Retailers Should Proactively Assess to Prepare for PCI DSS 4.0
February 22nd, 2021
The COVID-19 pandemic ravaged on-premise retail, as physical stores around the world were shut down for months and faced severe restrictions upon reopening in order to maintain a safe shopping environment. But the absence of brick-and-mortar retail opened a new window of opportunity for retailers: a mass pivot to ecommerce shopping.
According to Digital Commerce 360, US consumers spent $861 billion online in 2020, an increase of 44 percent year over year. In 2019, ecommerce amounted to 15.8 percent of total retail sales. That jumped to 21.3 percent in 2020, representing the largest jump in ecommerce sales ever recorded. The increase in online shopping resulted in an additional $175 billion in revenue in 2020, while sales through all other retail channels, including stores, catalogs and call centers, declined.
This large-scale shift in retail focus has opened new growth opportunities for retailers large and small. But the industry is not the only beneficiary of this digital transformation: there are now more openings for hackers to exploit as well.
As Retail Evolves, Cybercriminals Adapt to the Digital Climate
When brick-and-mortar retail eventually returned from the initial COVID-19 shutdowns, managers were thrust into overseeing a “start-of-life” operational event: PoS solutions and other systems had sat dormant and unpatched for months and risked being compromised.
While physical stores have reopened in large part, most retail analysts predict that things will never go back to the way they were. This COVID-driven shift in consumer buying habits appears to be permanent, and ecommerce sales will likely continue to increase in the coming years.
And that brings us to the cybersecurity component: threat actors are reacting to the new primarily digital retail landscape by rolling out innovative attack methods that aim to compromise online transactions. Analysts warn that there has been significant growth in account takeovers, in which bad actors obtain login credentials, authenticate themselves as legitimate customers, and access their online accounts. Then there are the Magecart or formjacking hacks in which criminals steal credit card information right out of customer shopping carts as they complete transactions.
While suffering a cyberattack like this can be devastating in terms of the financial and brand reputational implications, such attacks also often place retailers at risk of violating data protection mandates and laws. The regulatory penalties incurred for being found negligent in maintaining the proper controls to protect personal or critical data can add insult to injury, and potentially make recovery even more challenging for the victimized organizations.
Continuous Compliance With PCI DSS 4.0 Can Empower Retail Security Teams to Proactively Defend Their Networks
The draft versions of the Payment Card Industry Data Security Standard (PCI DSS) 4.0 give a clear indication of the direction in which new requirements are moving. The new rules are designed to strengthen security control requirements while also adding some flexibility for retailers to achieve compliance. In order to get a head start on protecting ecommerce systems and prepare for the implementation of PCI DSS 4.0, here are five key areas that retailers can address today:
- Access Management: Retailers should update their access controls to require multi-factor authentication for all accounts that have access to cardholder data. Passwords should be changed every 12 months. Passwords need to be sufficiently complex and should be checked against lists of known bad passwords. In addition, access privileges should be reviewed every six months, and vendors or third-party accounts should be enabled only as needed and monitored when in use.
- Risk Assessment: Companies need to make sure that risk assessments are not just a “checkbox” exercise but a valuable tool that guides and informs decisions relative to security investments and priorities.
- New Technologies: A major change in PCI DSS 4.0 is that it enables retailers to use a customized approach that gives them the flexibility to adopt emerging technologies and new security methods without waiting for the standard to catch up. For example, the new standard allows the use of cloud hosting services.
- Monitoring: The requirements to monitor cardholder data may be updated to reflect new tools available to security teams, such as next-generation network and endpoint detection tools. Retailers should aggressively adopt these tools, as well as put processes in place to detect phishing attempts.
- Encryption: The new rules will likely expand credit card encryption requirements to include all transmissions of cardholder data, so retailers should get ahead of this. Also, PCI DSS 4.0 will probably call for a data discovery methodology to locate all sources and locations of cleartext primary account numbers (PANs) at least once every 12 months, or upon significant changes to the cardholder data environment or processes.
To learn more about the increasing data protection risks retailers face as ecommerce blossoms, download our report, The Escalating Data Protection Challenges Facing Ecommerce During COVID-19.
Christopher Strand is the Chief Compliance Officer at IntSights. As CCO, he is responsible for leading the global security risk and compliance business, helping companies bridge the gap between cybersecurity and regulatory cyber-compliance. Chris has more than 20 years of subject matter expertise in information technology and security audit assessment, and he specializes in developing enterprise security platforms and markets within hyper-growth organizations. Prior to joining IntSights, Chris launched and led the cyber-compliance business at Carbon Black (acquired by VMware), and has held leadership and compliance specialist roles at other flagship security companies such as RSA, Trustwave, and Tripwire.