Everyday across the globe, consumers are handing over personal information with a swipe of a credit or debit card, and/or by filling out retailer-generated forms. This information is helping retailers better understand and reach customers through their marketing efforts and business analytics. But how exactly are retailers protecting all the data they’re accumulating?
Threats to consumer data in retail
Data protection is critical for retailers, as the industry has been plagued by some of the largest data breaches in history. Some of the most notable high-profile incidents include:
- Target’s data breach in 2013, compromising the data of 110 million customers,
- Home Depot’s data breach in 2014 that involved 56 million credit card numbers, and
- TJX’s data breach in 2007 affecting 45.7 million customers
It’s easy to understand why cybercriminals have retailers in their crosshairs. These businesses possess large quantities of the type of data that can generate revenue for threat actors. On any given day, retail companies collect, process, or store hundreds of thousands or even millions of credit card transactions and personally identifiable information (PII), including dates of birth, addresses, social security numbers, phone numbers and more – all of which are of interest to buyers in underground markets.
Data from a single credit card isn’t necessarily worth much. A random (i.e. unidentified bank and card type) payment card number with CVV2 from the US might only sell for a measly $5. Even a card number with ‘fullz’ (i.e. all associated details, such as full name, billing address, SSN, mother’s maiden name, CVV2, etc.) might only go for $18 – $30. However, a recent study by Trustwave shows that PII is valued at between $834 – $1,820 world-wide, depending on the country of origin.
However, what makes retailers such a hot target for cybercriminals is the potential to steal not only credit card data, but also PII in bulk, which should make for good business, providing enough incentive to launch a cyberattack on that entity. So, retailers have cause for concern not for being a target, but also regarding the consequences, as the ramifications of getting hacked can be rather costly.
According to the 2017 Ponemon Global Cost of Data Breach Study, the 4-year average per capita cost of a data breach in the retail industry is about $149. Essentially meaning retailers need to spend $149 for every record that’s compromised in a data breach. Imagine how much that adds up and businesses have to shell out when losing thousands or millions records in a breach.
The costs associated with a data breach can come from a wide range of necessary services like: legal fees for defense, identity protection services, breach notification and other required disclosures to victims and regulators, investigations and forensics, customer churn, and so on.
That last item, i.e. customer churn, refers to the abnormal loss of customers as a result of the breach, which consequently also translates to loss of business. According to the same data breach study by Ponemon, the abnormal churn rate (caused by a breach) in the retail industry is 2%.
While that may not sound like much, Forrester research reveals that it costs five times more to acquire a new customer than to keep existing ones happy. A Harvard Business Review article further drives home the significance of retaining customers with this important fact: increasing customer retention rates by 5% leads to increased profits of 25% to 95%
Laws and regulations in the retail industry
Although the potential loss of business should be enough motivation for retailers to establish controls for protecting consumer data, that typically isn’t the case. Unless compelled by the government or a regulatory body, companies often treat cyber security as a business inhibitor and not an enabler; symptomatic of the perennial conflict between compliance and security.
Fortunately, there are laws and regulations impacting the industry whose onerous requirements and penalties do manage to steer retailers in the right direction.
PCI DSS
Perhaps the most prominent of these is PCI-DSS or the Payment Card Industry Data Security Standard. Composed of 12 sets of highly prescriptive technical requirements, PCI DSS can provide detailed guidance in setting up controls needed for data protection.
However, retailers must bear in mind that PCI DSS is mainly designed to secure credit card data, but not personal information. If companies are laser focused on only complying with PCI DSS, they’ll be leaving a lot of PII and other sensitive data unprotected.
Besides, PCI only requires retailers to validate their compliance once a year. That leaves several months before and after an audit season wherein employees and other members of the organization could ease up on security, circumvent controls or ignore policies.
State and territorial data breach notification laws
Legislation such as data breach notification laws, which exist in 48 US states, can fill some of the gaps left by PCI. Allow me to elaborate:
Breach notification laws require companies who suffer from a breach involving PII to notify affected individuals as well as certain government offices (usually the Attorney General or certain state agencies) regarding the breach. Now, some of these notification requirements include public disclosures (such as conspicuous postings on the business’ website or announcements at major statewide media) that can indirectly damage the affected company’s reputation.
For this reason, many retailers are willing to implement controls in order to avoid those notification responsibilities. Luckily for them, majority of the states and territories offer safe harbor against notification for encrypted data where the encryption key is not part of the data breach. While the details slightly vary from one state to another, the basic idea is that, if you encrypt your data, you can be absolved from having to carry out breach notification in the event of a data breach, which many retailers are willing to do.
Still, PCI DSS and state breach notification laws might not be enough. Both of them are mainly focused on preserving confidentiality and data integrity but lack provisions for data availability such as load balancing and other high availability functions that are needed in protecting against other common threats such as denial-of-service attacks.
Protecting consumers
The end goal for retailers should not be to comply with a single piece of regulation or legislation. That’s just too myopic and will only leave holes in your overall security program. The end goal is to protect your consumers; more specifically, consumer data.
Because at the end of the day, it’s when retailers are able to truly secure consumer data – not when they achieve compliance – that they can mitigate the risk of data breaches and consequently avoid penalties, lawsuits, post-breach obligations, and customer churn. In addition, once they’ve established a reputation of being security-conscious, they gain the trust and confidence of consumers and build stronger customer loyalty.
But how do they achieve that end goal? Most retailers aren’t tech or cybersecurity-savvy, so they need some kind of framework to follow. Well, for a start, they can implement the controls specified by PCI DSS. PCI DSS is very prescriptive and should be used not only as a guide for securing credit card data, but all PII. However, instead of just striving for PCI compliance only once a year as most organizations do, retailers need to operationalize it and keep up with their compliance programs on an ongoing basis. The results of a risk analysis will enhance how organizations apply certain PCI DSS controls as a baseline for securing and handling all sensitive data.
This way, they can ensure consumer data is protected day in and day out. When performing a business process or carrying out a task, retailers should always be guided by the question, ‘Will this endanger our consumers, or not?’
When operationalizing PCI controls and building a robust, risk-based security program, retailers will be doing a better job of protecting consumer data regardless of type (i.e. credit cards or PII) and greatly reduce the risk of having to do anything even if a breach occurs.