Protection for Retail

The retail industry is constantly evolving as its customers are increasingly expecting ease of purchase and a more convenient experience to link their in-store and online activity. Information Security risks such as security breaches are now a major concern in the retail industry as repeated cyber-attacks reduce consumer confidence in their brands.

Cyber Threats in the Retail Industry

One of the first major retail breaches to hit the headlines was probably Target in late 2013 as they were subject to a data hack at its US stores. Over 40 million customers were exposed to fraudulent activity as malware was introduced to the POS system in around 1,800 stores. A month later, Target went on to admit that a further 70 million customers had their personal information stolen in the same attack.

The 2013 Target breach was linked to a third party contractor having access to the Target network and concerns were raised as to whether Target were in compliance with PCI-DSS at the time of the breach. Although 2013 may seem a long time ago, the risk of vendor or partner access to IT systems have never been more crucial.

The misuse of privilege in the hybrid-cloud world has become one of the most critical security challenges, because uncontrolled access to Privileged Accounts opens a “barn door” through which untrusted 3rd parties can compromise data and inflict cyber-attacks, ultimately causing irreparable damage to the business and its corporate reputation.

Payment Card Industry Data Security Standard (PCI DSS)

A security priority in retail is payment handling, so PCI DSS (Payment Card Industry Data Security Standard) is mandatory. It's a worldwide standard that was set up to help businesses process card payments securely and reduce card fraud. The way it does this is through tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data.

Privileged account abuse presents one of today’s most critical security challenges. Uncontrolled access by insiders or even contractors to these accounts leaves an organisation vulnerable to data leaks and cyber-attacks – ultimately causing irreparable damage to both the business and its’ reputation.

PCI DSS breakdown

The PCI DSS defines 12 requirements in 6 categories. Privileged Access Security addresses many of the requirements:

Build and Maintain a Secure Network

• Requirement 1. Install and maintain a firewall configuration to protect data.
• Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

• Requirement 3. Protect stored data (use encryption).
• Requirement 4. Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program

• Requirement 5. Use and regularly update anti-virus software.
• Requirement 6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

• Requirement 7. Restrict access to data by business need-to-know.
• Requirement 8. Assign a unique ID to each person with computer access.
• Requirement 9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

• Requirement 10. Track and monitor all access to network resources and cardholder data.
• Requirement 11. Regularly test security systems and processes.

Maintain an Information Security Policy

• Requirement 12. Maintain a policy that addresses Information Security.

‍

‍