There’s a reason why retailers call the final three months of the year the “golden quarter.” As festive shopping ramps up, many will be hoping to generate a large part of their annual revenue in the period between Black Friday and the end of the year. But where there’s money to be made, there’s also likely to be criminal activity: 100% of data breaches over the past year were financially motivated.
Retailers not only have to think about the financial and reputational impact of such breaches. They’re also mandated to abide by a strict set of requirements under the Payment Card Industry Data Security Standard (PCI DSS). This is where a data-centric security approach comes into its own.
PCI DSS 4.0 demands that any organization storing, processing and transmitting data meet a set of 12 requirements, and many more sub-requirements, grouped under six control objectives. These are designed to elevate security posture and minimize the risk of serious breaches. This kind of rigour is absolutely necessary given the current threat landscape.
Retailers are a popular target for attack, given the wealth of personal and financial data they store on customers, and the growing size of their cyber-attack surface, which two-fifths (40%) admit is “spiralling out of control.” The IT environment of a typical retailer might stretch from operational technology in warehouses and distribution centers, to office-based desktops, cloud-based servers and remote workers’ mobile devices. That represents a great deal of complexity for IT to gain visibility and control over.
What’s more, this attack surface is expanding all the time thanks to:
With so many assets and IT systems to aim at, cybercriminals are spoilt for choice. And they have more than enough tactics, techniques and procedures (TTPs) to reach sensitive data, from credential theft to vulnerability exploitation and “living-off-the-land” attacks.
Given the size of the typical attack surface and how well-resourced the average threat actor is, for many retailers it’s not a case of “if” but “when” they’re targeted. This makes PCI DSS compliance essential. As part of these efforts, it’s recommended to focus first on the thing that matters most: the data.
A data-centric security approach requires technology like comforte’s Data Security Platform, which automatically and continuously discovers and classifies data, and then applies strong data protection (e.g. encryption, tokenization) to it in line with policy. This will ensure that, even if threat actors get hold of card data, it will be rendered useless. This approach can also help to reduce the scope and costs associated with PCI DSS 4.0 compliance, as one world-leading fashion retailer and comforte customer can attest.
European retailers anticipate a 2-3% annual increase in sales this golden quarter. But to ensure their plans aren’t derailed by data-hungry cybercriminals, they’d be best off putting their faith in data-centric security as a springboard to PCI DSS compliance.