Cybersecurity Insights | Blog | Foregenix

Retailers - how secure is your data?

Written by Benjamin Hosack | 12/12/14 10:31 PM

Is your retail business next?

Retailers have good reason to be concerned that their business systems are becoming the focus of cyber criminals' efforts. After all, Target, Neiman Marcus, Michaels, PF Changs, Bebe and many other high-profile businesses have recently had well-publicised data compromises, resulting in huge volumes of customer data being stolen.

Foregenix is a forensic and data security specialist - we encounter businesses on a daily basis that have had their customer data stolen.

You may be thinking, “Those businesses are all in the US and we’re in the UK, so we aren’t at risk…” If so, you’re missing very clear warning signals. Increasingly, the trend among attackers is to compromise the perimeter defences, identify the assets (cardholder data in the payments industry), deploy custom-written malware to harvest the data and get rich quick by selling the proceeds. It sounds easy, doesn’t it? That’s because it is! And it is happening in the UK and Europe - you just don't know about it because we don't have the same disclosure laws here in Europe (that's going to change).

Retailers are just the tip of the iceberg and certainly not the only type of organisation targeted. Payment service providers, acquiring banks and issuing banks all fall victim to compromises too, often through exceedingly clever means, with increasingly complex and targeted malware – the kind that your anti-virus and anti-malware solutions do not detect.

However, let’s focus on the retailer for the time being. Having been involved in the Payment Card Industry since 2004, Foregenix has seen and worked with numerous high street retailers through the years. Retailers face a greater challenge than most organisations in that they have a number of significant issues to overcome. Some of the well-known challenges are:

  • Flat networks built for availability not security. This means that any connected system on a flat network is a potential point of attack. All the attackers need is one vulnerable system to gain a foothold in the retail environment.
  • Legacy systems. A lot of retailers rely on outdated systems to keep their businesses moving. Securing these older systems is a challenge that usually means implementing additional layers of security (compensating controls), which in turn means more complexity and more to manage!
  • Technology. Following the challenges that our economy has been through over the past few years, businesses have been reluctant to invest in new technology unless absolutely necessary. The result is that many retailers have not invested in the technology required to run an effective, PCI compliant, security operation.
  • In-house skills. Most organisations that we come into contact with have a very light IT team with little experience. Unfortunately, a business operating with no security skills on board (and no external partner to help) is a sitting duck and should expect a data compromise at some point.

Retailers facing the above challenges have a growing problem on their hands. With the targeted attacks we're seeing, these organisations stand no chance against a technically astute criminal. They need to take action to prevent their businesses from being looted and to avoid the associated effects of a data compromise.

Fortunately, within the Payment Card Industry, there have been numerous innovations to ease the challenge for retailers. The most recent is the advent of PCI P2PE validated solutions: effectively, solutions that encrypt the cardholder data at the Point of Interaction and decrypt it within the service provider's secure environment. For retailers looking for ways to protect their customers' cardholder data, a PCI P2PE validated solution can immediately provide a huge risk reduction as well as significantly simplifying the PCI DSS compliance overhead for the card present environment.

(Foregenix has currently assessed and validated over 80% of the PCI P2PE compliant solutions and applications globally - we're firm believers in the technology!)

Another benefit that rarely gets discussed is the fact that by utilising a PCI P2PE validated solution, a retailer can get on with focusing on their core capabilities – selling their goods – with the knowledge that their payment systems are secure and managed by a trusted, validated partner.

As a specialist forensic and information security business, we would strongly urge retailers to take a close look at the PCI validated P2PE solutions available. There are certainly pros and cons to each of them, but we feel that from a security and business development perspective, a PCI validated P2PE solution has considerably more pros to it than cons.
