PCI DSS and GDPR Compliance: Cybersecurity Considerations in UK E-commerce

We recently explored how the rapid adoption of e-commerce in the UK makes it a world leader in online shopping and a target for cyberthreats. Retailers are a major target for cybercriminals not only because they often store large volumes of personal and financial data, but also because the speed of adoption requires UK e-commerce providers to move quickly toward digital transformation.

According to insurer Hiscox, 55% of UK businesses surveyed say they experienced an attack in 2019, up from 40% a year earlier. A report by VMware Carbon Black revealed that an astounding 88% of UK firms suffered a breach in the last 12 months, with 87% of respondents saying the volume and severity of cyberattacks have increased year over year. And according to researcher Sophos, 48% of UK respondents have fallen victim to ransomware in the last year.

Unfortunately for retailers, cybercriminals are no longer simply targeting data stored in a company’s system. Through attacks such as Magecart, hackers are capturing payment details as they are entered into an online payment form. Retailers must have sophisticated methods for monitoring traffic on their payment sites, such as file integrity monitoring software, to help defend against this type of attack.
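A minimal server-side file integrity check for a payment page, added here as an illustration (it is not Armor's product or code): it records SHA-256 hashes of the scripts and pages under a web root, then reports files that were modified, added or removed, which is how an injected skimmer script would surface. The directory layout and file contents are constructed placeholders; it does not cover scripts loaded from third-party hosts, which need separate monitoring.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large bundles are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root, patterns=("*.js", "*.html")):
    """Map each served script/page (relative POSIX path) to its hash at a known-good time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for pat in patterns for p in root.rglob(pat)}

def check_integrity(root, baseline):
    """Compare the deployed tree against the baseline; return sorted (change, path) findings."""
    current = build_baseline(root)
    findings = [("added", rel) for rel in current if rel not in baseline]
    findings += [("modified", rel) for rel, h in current.items()
                 if rel in baseline and baseline[rel] != h]
    findings += [("removed", rel) for rel in baseline if rel not in current]
    return sorted(findings)

def demo():
    """Constructed scenario: baseline a checkout page, then simulate a tampered deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor").mkdir()
        (root / "checkout.html").write_text("<script src='checkout.js'></script>")
        (root / "checkout.js").write_text("function submitCard(form) { /* original */ }")
        baseline = build_baseline(root)
        assert check_integrity(root, baseline) == []   # clean deployment: no findings
        # Simulated tampering (constructed placeholders): the checkout script changes
        # and an unexpected script appears in the vendor directory.
        (root / "checkout.js").write_text("function submitCard(form) { /* altered */ }")
        (root / "vendor" / "extra.js").write_text("// placeholder for an unexpected file")
        return check_integrity(root, baseline)

if __name__ == "__main__":
    for change, path in demo():
        print(f"{change}: {path}")
```

In practice the baseline is stored off-host and the check runs on a schedule or on deploy, with any finding raised as an alert for review.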

What’s more, UK businesses have seen a dramatic increase in online sales since the beginning of the global pandemic in March. Online sales grew from 18.9% of total retail sales in February 2019 to 32.8% in May, widening the exposure of websites and payment systems.

In addition to keeping up with rapid adoption and surging online sales, organisations must adhere to regulations designed to protect consumer privacy. Financial services organisations, and any vendor accepting card payments, must comply with PCI DSS, which requires building and maintaining secure networks, protecting cardholder data and maintaining a vulnerability management programme. Each organisation must implement strong access controls, regularly monitor and test networks, and maintain information security policies.

Beyond PCI DSS compliance, online retailers must also contend with the General Data Protection Regulation (GDPR). Any organisation that processes personal data, including collecting, recording, storing, disclosing or selling it, must have controls in place or face substantial fines. Failure to adhere to either standard can lead to disaster. Organisations that navigate data management and compliance controls well will stand to succeed in this complex environment.

To protect themselves and their customers, online retailers and connected businesses must elevate their security posture in an environment of rapid adoption and complex interconnectivity. Retailers, payment processors, shipping agents and distributors are all links in a chain of remote retail that can be vulnerable to cyberthreats. Anyone engaging in e-commerce would be wise to monitor websites and email systems for breaches or malware, monitor systems for unusual network activity, educate employees about phishing schemes and ensure they have a response plan for when a breach may occur.

For retailers to transform at the speed required, DevOps practitioners must be able to drive secure code development and deployment with as little friction as possible. Engineers need speed and ease of deployment for retail workloads such as payment platforms, inventory control and customer relationship management. Ultimately, teams should shift security left in their software development lifecycles and automate security and compliance controls to keep up with changing market needs.

Join us for our next post in this series where we talk about the Armor cloud security platform and our audit-ready and continuous compliance solutions.
