As more consumers turn to digital channels to shop for goods, brands and retailers are adopting digital technologies to facilitate engaging customer experiences. From personalization and frictionless checkouts to loyalty programs and self-service returns, companies are digitally transforming their business to meet the demanding expectations of online shoppers.
However, the growing dependence on technology to deliver customer experiences also raises cybersecurity risk. Many companies have invested in traditional security controls such as perimeter security and data loss prevention solutions, but these are not always sufficient to secure data. Companies need to consider two essential aspects when evaluating their cybersecurity: data security and consumer privacy, that is, the handling of personally identifiable information (PII).
Infosys created a cybersecurity solutions guide to help brands and retailers create a safer customer journey across online and brick-and-mortar stores. Download the complete guide or read the summary below.
The Cost of a Data Breach
It only takes one security breach to lose the loyalty of life-long customers—20% of big box retail customers would cancel their accounts if they were victims of a data hack. In addition to losing customers, companies also risk paying massive fines after a data breach. Under the General Data Protection Regulation (GDPR), if a data breach involves EU citizens, the company can be fined up to 20 million euros or 4% of global turnover, whichever is higher.
In 2019, 55% of retailers had not made any capital expenditure (CAPEX) in cybersecurity.
Traditional Data Security Methods in the Retail Sector
These traditional methods of data security will protect data hosted in data centers or self-managed facilities.
- Perimeter Security Controls: Firewalls, intrusion prevention systems (IPS), antivirus, identity & access management solutions, and a jump server for remote administration.
- Application Security: Automatic patch management, host antivirus, host IPS, and OS hardening for application hosts.
- Security Services: External & internal penetration testing and frequent vulnerability assessments.
- Physical Security: If a brand or retailer has brick-and-mortar locations, they’ll need security for their cash registers and point-of-sale (POS) systems.
Advanced Data Security Methods in the Retail Sector
Brands and retailers can implement advanced security methods over traditional ones to offer further protection.
- Network Controls: Data loss prevention (DLP) solution, advanced persistent threat (APT) protection, and distributed denial-of-service (DDoS) protection.
- Application Security: File integrity monitoring, privileged identity management (PIM), privileged access management (PAM), hypervisor security, and workload visibility.
- Security Services: 24/7 security event monitoring, static application security testing (SAST) and dynamic application security testing (DAST) whenever applications are updated, and periodic application scanning.
- Insider Threat Protection: URL filtering, secured domain name system (DNS), endpoint data loss prevention (DLP), endpoint antivirus, user & entity behavior analytics (UEBA), and a web 2.0 application control solution.
- DevOps Security: Additional security controls such as a virtual private network (VPN), a secure sockets layer (SSL) proxy, or a reverse proxy in front of the development team’s applications.
Data Security for Retailers Using a Cloud Service Provider
Cloud security measures are necessary for any retail and ecommerce business that hosts its infrastructure with, or integrates data with, a cloud service provider. Infosys recommends that all retail cybersecurity teams thoroughly examine the shared responsibility matrix published by their cloud service providers, such as AWS or Salesforce, and assess the risk to customer data in light of the security services the provider actually covers.
Security Methods for PII
All brands and retailers that handle credit and debit cards are expected to comply with the Payment Card Industry Data Security Standard (PCI DSS). Companies that conduct business with EU citizens also need to comply with GDPR.
What is PCI Compliance?
The PCI DSS standard was designed to ensure merchants securely process customer information during transactions. To be compliant, the company must complete a PCI DSS Self-Assessment Questionnaire (SAQ)—a series of yes or no questions. Which SAQ a company completes depends on how it integrates its payment gateway and handles cardholder data.
Companies need to complete the SAQ every 12 months to maintain PCI compliance. However, the simplest way to comply with PCI DSS is to never see, store, or have access to cardholder data. Many of our clients use a third-party payment gateway, such as Stripe or Braintree, which protects customers’ card data without bringing the full scope of PCI requirements onto the merchant. Most modern digital commerce platforms are PCI compatible, which means they support payment platforms that are PCI compliant.
What is GDPR Compliance?
GDPR has 99 articles, but retailers need to focus on articles 5-9, 11, and 32. These articles cover how companies ask for consent and process data. It’s critical to implement all of the traditional, advanced, and cloud security methods to achieve GDPR compliance. Additionally, companies need to deploy solutions for:
- Static data masking
- Dynamic data masking
- Encryption of data in motion and at rest
- Column-level encryption, so that database administrators cannot read PII in the clear
- Data breach detection
- Deception technologies
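The first two items above, static and dynamic data masking, are easy to confuse. The following added example (not from the Infosys guide) contrasts them on constructed customer records: static masking produces a pseudonymised copy for non-production use, while dynamic masking leaves stored data untouched and masks per role at read time. The key, roles, and masking rules are illustrative assumptions.

```python
import hmac, hashlib, re

# Constructed sample customer records (not real data).
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com", "phone": "+1-555-010-1234", "postcode": "SW1A 1AA"},
    {"id": 2, "email": "bob.smith@example.org", "phone": "+44 20 7946 0958", "postcode": "10001"},
]

# Hypothetical pseudonymisation key; in practice it lives in a secrets manager, never in code.
PSEUDONYM_KEY = b"replace-with-key-from-secrets-manager"

def pseudonymise(value: str) -> str:
    """Static masking primitive: a keyed HMAC gives a stable token, so joins across
    tables still work, while the original PII cannot be recovered from the copy."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def static_mask(records):
    """Build a non-production copy (analytics, test environments) with direct
    identifiers replaced by pseudonyms. The source records are not modified."""
    out = []
    for r in records:
        c = dict(r)
        c["email"] = pseudonymise(r["email"]) + "@masked.invalid"
        c["phone"] = pseudonymise(r["phone"])
        out.append(c)
    return out

def mask_email(e: str) -> str:
    local, _, domain = e.partition("@")
    return local[0] + "***@" + domain      # keep first letter and domain for support lookups

def mask_phone(p: str) -> str:
    digits = re.sub(r"\D", "", p)
    return "*" * (len(digits) - 4) + digits[-4:]   # reveal last four digits only

# Dynamic masking policy: per role, which columns are transformed on read.
POLICY = {
    "support": {"email": mask_email, "phone": mask_phone},
    "analyst": {"email": lambda e: "***", "phone": lambda p: "***"},
    "dpo": {},  # data protection officer sees the row unmasked
}

def dynamic_mask(record, role):
    """Dynamic masking: the stored row is untouched; the view handed to the caller
    is masked according to role. Unknown roles fall back to the most restrictive policy."""
    rules = POLICY.get(role, POLICY["analyst"])
    view = dict(record)
    for col, fn in rules.items():
        view[col] = fn(view[col])
    return view
```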
After several brands came to Blue Acorn iCi to resolve significant security breaches, we invested resources to solidify the processes that affect cardholder data security and to make PCI compliance easier for our clients. As a PCI-certified agency, we manage the payment processing function, check for fraud, and fulfill PCI requirements. If you’re interested in learning more about our Payments & Security services, contact us today.