Why Preventing Retail Breaches Requires a Team Effort

2014 is very much shaping up as the Year of the Retail Breach - nary a week goes by in which we don't hear of a new merchant that has been hit - but that shouldn't come as a surprise to anyone. Consider this: If Bonnie and Clyde were around today, they'd find hacking merchants to be easier and more lucrative than knocking over banks.

Indeed, retailers worldwide are awash in credit card numbers, which they accept via in-store purchases and on e-commerce websites. Despite growing awareness to the problem and prescriptive requirements promulgated through the Payment Card Industry Data Security Standard (PCI DSS), attackers continue to skillfully fine-tune their techniques to pull off massive data heists. As the 2014 Trustwave Global Security Report discovered, retail was the top industry breached last year - making up 35 percent of the attacks we investigated. Meanwhile, e-commerce comprised 54 percent of assets targeted in all of the data-loss incidents we examined.

According to recent analyst research, it also appears that retailers are not allotting enough money to deal with the problem. And others, it seems, are failing to recognize the risks at all.

A common misperception held by some is that this rampant run of merchant breaches can only be halted through the widespread introduction of fraud prevention mechanisms, such as chip-and-PIN. But that's not the case. These methods may reduce the likelihood of an attacker being able to use stolen information, but it will not prevent an attack.

Rest assured, however, that there are steps retailers can take to make them a less attractive target and push back the saboteurs. But to achieve this, a team effort from across the organization is required.

Here are three groups that must be involved:


IT managers/CISOs:

Malware must remain a top-of-mind concern for retail IT departments. We've told you about sneaky point-of-sale malware families such as Backoff, which comes equipped with advanced RAM scraping capabilities and can enter through third-parties to cause devastating breaches. For those organizations that simply lack the time, budget and resources to handle the situation themselves, they should consider offloading the responsibility to a managed security services provider.


Application/database managers:

Vulnerable applications, such as payment or e-commerce apps, are a common vector through which attackers establish an initial foothold in a retailer environment. The databases that support those applications must also be protected because they often contain the prized assets that hackers are after. Services such as vulnerability scanning and penetration testing, combined with web application firewalls, are critical.


Senior executives/CEOs:

Arguably the most well-known compliance mandate in existence is the PCI DSS. Merchants will need to validate compliance with version 3.0 beginning Jan. 1, and there are some big changes afoot, including new pen testing requirements and additional burdens on e-commerce merchants that redirect payments to third-parties. Failing to comply with the guidelines is a board-level issue because it can result in big fines, reputation damage, lost customers and potentially the stripping of the ability to process credit cards. Compliance with PCI DSS can never guarantee security, but it goes a long way to establishing a security baseline and reducing risk.



Dan Kaplan is manager of online content at Trustwave.







Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.