Retail IT Checklist: Is your data safe and in compliance?
The holiday shopping season is an exciting and busy time for retailers and consumers alike. But the targeting of sensitive data by cyber criminals has become a greater concern in recent years. In late 2013, a security breach left over 40 million Target customers vulnerable to this new breed of cyber attack.
“Thieves will continue to strike at massive retailers and credit card processors to make a quick sale of the data on underground forums,” security analyst Graham Cluley told news analysis website CRN.
Turnover of customers, loss of reputation, diminished goodwill, and increased customer acquisition activities are just a few of the consequences of a significant breach of your data security.
At 35 percent, the retail industry’s probability of a data breach is the highest of any industry, making it the riskiest for business transactions, according to a 2014 study by The Ponemon Institute. To maintain a trusted and ongoing relationship with consumers, your information systems must be secure enough for safe transactions.
Government compliance laws do their best to ensure security, but this should merely be viewed as a starting point. To strengthen your defense against security breaches, we’ve put together a checklist of the latest government and industry standards.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard, also known as PCI DSS, is the industry baseline in data security for retailers that use debit or credit cards for transactions. Since retailers are required by credit card providers and banks to store card data on their systems for proof of transactions, the twelve requirements for PCI DSS compliance are centered on protecting stored cardholder data:
- Protect cardholder data by installing and maintaining a firewall configuration.
- Never use vendor-supplied defaults for system passwords and other security parameters.
- Provide protection for stored cardholder data.
- Encrypt transmissions of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- All access to network resources and cardholder data must be tracked and monitored.
- Regularly test processes and security systems.
- Maintain a policy that addresses information security for all personnel.
For a detailed explanation of each of these points, visit the PCI Security Standards Council website at pcisecuritystandards.org.
Offsite Data Backups
Insurance Journal recently reported that there were 296 separate natural disasters in 2013, which accounted for $192 billion in economic losses. It’s extremely important to have your data backed up by an offsite provider. In the event of a fire, flood, or some other catastrophe, having a copy of your data in another physical location will prevent total data loss. Data can be transported off-site using removable storage media, and there are also a variety of cloud-based solutions for remote data backup.
“Ensure that all points of your network — at all the different locations — are protected by good-quality security software, control the use of USB sticks, and deploy Web security filtering to keep employees safe when they’re online,” advises security analyst Graham Cluley. “There are more ways to lose data than via an electronic breach. Misplaced or stolen computers, CDs and USB drives can all be sources of information for criminals.”
Mr. Cluley also recommends that sensitive payment information be properly segmented from the rest of the network, strongly encrypted, and never stored. While most credit card companies and banks require retailers to provide evidence of transactions, IT security analysts advise companies to only retain the minimum amount of data to prove a transaction took place.
Be Proactive Rather than Reactive
Whether the result of negligence or malicious criminal activity, data breaches are a serious and costly issue for businesses today. The most popular measures and controls implemented after a data breach are expanded use of encryption, additional training and awareness activities, manual control practices, and use of security certification or audits.
Of course, it’s far better to take steps to prevent security breaches altogether. Following these recommendations will help keep your data secure and out of the hands of cyber criminals.