From the seasonal rush to a new version of the Payment Card Industry Data Security Standard, retailers and business-to-business sellers are poised to experience a rough holiday season in regard to security and payment processing. The fact of the matter is that consumers are using a variety of methods to purchase goods and services, and having adequate security could be the only separating factor between being the latest headline and witnessing revenues increase as products fly off the shelves and out of warehouses. So, what should retailers be ready to expect this holiday season? Let’s take a look at purchasing habits, past data breaches and new solutions to data loss in order to shed light on the optimal strategy for this time of year.
The biggest change in 2014 compared to 2013 is that mobile purchasing habits are becoming much more common, setting retailers up for improved bottom lines as well as opening the door to cybercriminals. According to a recent IBM Digital Analytics Benchmark study, the Monday after Thanksgiving remained the busiest online shopping day of the whole holiday season. This is great for retailers, as shoppers add an extra day onto their already purchasing-filled weekend, allowing them to buy goods online and capitalize on deals. However, more customers mean that there will be more credit and debit card data floating around in ecommerce businesses’ IT environments.
Of course, collecting consumers’ information is a critical part of the retail process regardless of whether customers are in store or online, but the proliferation of mobile device purchasing is what companies should be worried about. Compared to past years, IBM discovered that mobile traffic increased 30.1 percent, now encompassing 41.2 percent of all online traffic on Cyber Monday. The problem is that mobile devices are often connected to insecure wireless hotspots, which can directly lead to intrusion attempts. While not a direct threat to corporate networks, infected smartphones and tablets can be used against unprepared retailers and organizations.
A cybercriminal army of mobile devices?
Digital Trends recently reported on the emergence of the latest mobile malware threat, NotCompatible.C, stating that secure enterprise networks can be infiltrated by means of mobile devices. Once Android-based smartphones and tablets are infected, they essentially become rentable botnets through complex server architecture, peer-to-peer communications and encryption. The botnets can bypass security systems by disguising themselves, posing as innocent consumers.
While NotCompatible.C seems like a formidable foe for retailers, is hacking always the cause of a breach? According to ID Theft Center’s research, hacking is the No. 1 method that cybercriminals use to breach corporate systems, representing 25 percent of the recorded data breaches in 2013. Insider theft and employee errors are still prevalent, however, accounting for 11.7 percent and 9.3 percent of intrusions respectively. Retailers and other businesses that rely on transactions as a source of income should focus their sights on preventing external threats from accessing consumers’ information.
Time to address security
The warnings need to be heeded during the holiday season more so than any other time during the year. On the company’s blog, Cardinal Commerce reported that 70 percent of annual transactions take place during the fourth quarter of the year. So, now is the best time to buckle down on security and implement new solutions that will prevent data breaches. The good news is that there is an incentive to update any current preventative measures.
Crain’s Chicago Business reported that the third version of PCI DSS will become the new standard on Jan. 1, 2015. Any company that accepts credit cards needs to adhere to these new policies and procedures. Jerry Irvine, chief information officer of IT provider Prescient Solutions, explained to the source what this means for merchants, stating that liability rules are changing drastically.
“As a small merchant, if I go to a third-party payment processor, I don’t transfer the risk of a data loss to that courier,” Irvine told Crain’s Chicago Business. “It’s still my duty to do my due diligence to make sure they have the correct security measures in place.”
According to the source, PCI DSS 3.0 is now about securing the data itself with password protocols and firewalls, whereas in the past it focused on perimeter firewalls, which are intended to prevent external threats. The old version of PCI DSS required retailers to address around 30 points, and now businesses must cover 130 security guidelines.
The key to making it through this holiday season will be implementing these new standards as soon as possible. After all, cybercriminals are not waiting around for PCI DSS 3.0; they are going to target existing vulnerabilities during the busiest season of the year before the new rules are made official. Business2Community said it best when reporting, “Recovering from a data breach is like recovering from a skunk attack. No matter where or when you go in the house the stink still clings.”
Businesses should act now and implement new secure payment solutions before they experience a data breach.
Can you afford to NOT enhance cyber security this holiday season?