It's hacker season: Five things retailers need to know

Stephen Orfei

By Stephen W. Orfei, General Manager, PCI Security Standards Council

Holiday shopping is in full swing and retailers aren't the only ones hoping to cash in. Cyber thieves are hacking for a cut of your profits, and no business–from the local mom and pop store to a Fortune 100 retailer–is immune to attack.

So what's your plan for payment security? The Council urges you to use a strong, layered defense. But it doesn't stop there. Retailers must go on offense against hackers by building a culture of vigilance. Here are five tips:

Don't forget basicsMalware and other agents can exploit payment systems when basic controls lapse, such as using weak passwords, not patching systems, and poorly managing access. Replace default passwords with secure passwords and keep anti-virus software signatures current.

Continuous monitoring: Limiting damage from a breach depends on your ability to detect and react to an intrusion in real time. System logs should be reviewed every day. Follow up on suspicious activity immediately.

Prioritize technology: Making data worthless to criminals is the end game. And we have the technology available today to do this. Take advantage of the security benefits offered by EMV chip technology, and while you're at it, upgrade your point-of-sale (POS) terminals and devices using a 3.1 version or higher from the Council's certified device listing. This will give your business the best protection and the most payment acceptance options, including contact, contactless and mobile wallets. Talk with your POS device vendors and IT partners to understand your options for rendering stored cardholder data worthless by adding point-to-point encryption and tokenization. This tactic will protect customer data even if a criminal manages to breach other controls.

Choose trusted partners: Security is only as good as your weakest link. You can't outsource responsibility for a breach so make sure third party security is as high a priority as your internal controls. Review the Council's guidance on working with third parties to verify options.

Think security, not compliance: Remember that compliance is just a point-in-time measurement. Prioritize your efforts to reduce risk and increase security, everyday, year-round–not just at assessment time or during the holiday shopping season. Help instill this awareness and mindset with all of your employees, not just your IT department. Check out our tips on making payment security business as usual and  building a security awareness program

Follow this advice for stronger payment security and help your organization have happy and safe holidays.

As General Manager Mr. Orfei leads the PCI Security Standards Council in its mission to increase payment data security globally through development and delivery of standards, solutions and services for merchants, banks and other key stakeholders involved in the global payment card transaction process. Holder of several payments industry patents and awards, Orfei's career spans senior posts at an international telecommunications corporation, security assessment companies, a global payment card brand and military service.