Information Security Trends: Retail Industry

By David Fosdick ·

Q&A with David Fosdick, director of Strategic Services-East Region, FishNet Security

Question 1:  What security trends or changes, if any, are you seeing in the retail industry?

As it has been the last several years, security in retail is primarily driven by the need to be PCI compliant. Secondary security drivers are privacy programs – making sure to protect customer PII (personally identifiable information), and ensuring compliance with state and federal privacy laws. Yet PCI compliance remains No. 1. All these regulations require retailers to protect all customer-identifiable information, in addition to credit card numbers.

Question 2:  What are the top-of-mind concerns of customers?

One of top questions asked by retailers is, “How do we attract new customers and retain our existing customers?” In many cases the answer to this question involves the adoption of a new technology to expand the exposure of merchandise to prospects and to increase the convenience for these prospects to shop. Generally this is done to improve the consumer experience. Any of these new technologies, when adopted, affects the security postures of retailers. In-store web browsing, mobile payments and cloud-based services are a few technologies that can affect security.

There were days when retailers didn’t put wireless networks in stores – it was considered too big a security risk for the retailer. Now many stores make guest wireless networks available so customers can use their handheld devices to get more information about the products on the shelves. These networks are open and not secured by wireless encryption, making them accessible to everyone. That’s where there’s a security risk, since not everyone has good intentions. So, FishNet Security works with retailers on network segmentation, making sure they have the proper firewalls between the guest networks and their point-of-sale and other networks, and that they have made provisions for wireless intrusion detection.

Also top of mind for retailers is, “How do I reduce my compliance burden?” They can spend a lot of time and money with third parties to get validated and on implementing all of the controls, so retailers are always searching for ways to reduce that cost. There are new technologies being released that remove some of the cardholder data environment from scope, so merchants are adopting those technologies to reduce their compliance burdens. Tokenization and point-to-point encryption are two examples of these technologies.

Question 3:  What are some solutions that are used by clients to address security issues in the retail industry?

There is no single solution that addresses every retail industry security concern.  To maximize the protection of customer data and improve compliance, I would recommend starting with a strategic plan that includes PCI Compliance validation assessments, review of thier software development lifecycle, training, application penetration testing, and breach remediation strategies.

Question 4:  What advice are you providing to clients to address their concerns?

We start by asking them what they’re primary business problems are. A lot of my interactions are with smaller merchants that are growing larger. They want to know how to reduce the scope of their cardholder processing to decrease their compliance burden, so the discussions are typically on scope reduction through business process change or the adoption of a new technology.

Question 5:  What might retail clients be overlooking in their industry in terms of information security?

Most of them know what they need, but there might be cases where they are overlooking other areas of vulnerability. The PCI Data Security Standard only focuses on credit card data, so following the PCI DSS as your only security mandate might cause a business to overlook other important business information and not protect it properly. For instance, a company might have their credit card system locked down but may not be sufficiently protecting the systems that contain their intellectual property.

Question 6:  Is your team doing anything different now than they were doing last year to address security concerns in this area?

There are ongoing changes within the PCI compliance space. The PCI Security Standards Council is working on updating the standards and has released some new training programs and created new roles in how assessments are performed. We are staying engaged with the PCI Security Standards Council and special interest groups that are forging these new requirements. If a new program is business appropriate for FishNet Security, we participate so we are able to provide additional value to our customers.