Whether a retailer has directly experienced a data breach or watched the fallout from afar, chains industrywide still get chills when they hear details about the latest data theft. While retailers struggle to stay one step ahead of the hackers, there is hope, and it comes from constant internal testing.
I think it is fair to say that a majority of retailers have made it a priority to encrypt data and comply with PCI DSS (Payment Card Industry Data Security Standard). But it is not as if retailers had a choice.
The four major credit-card companies imposed the standard to protect cardholders against the misuse of their personal information. Retailers that weren’t validated by the late 2007 deadlines were subject to steep fines that, in some cases, reached $25,000.
While achieving PCI compliance is clearly important, the steps that retailers need to take to achieve data security run much deeper.
Here is the big picture: The PCI standard is just that—a standard. It is not a security measure. Just look at the fallout from the recent breach at Forever 21.
Forever 21 announced in September that its systems were illegally hacked sporadically in 2004 and 2007. Approximately 98,930 credit- and debit-card numbers were compromised.
On the upside, more than half of the lifted card numbers were no longer active. Hackers were after credit- and debit-card numbers and expiration dates, not customer names and addresses.
The retailer claimed it had been in compliance with PCI DSS since 2007 (a point that continues to be debated in the media), but that didn’t stop the chain from adding proactive security measures and regularly monitoring its systems for intrusions after discovering the breach. It’s too bad they didn’t do more stringent testing sooner.
Cyber-thieves continue to target consumers’ personal data, and they are still using the same methods of retrieval: e-commerce sites, point-of-sale devices, gas pumps and ATMs. Inside jobs are typically the work of consultants and freelancers, who simply use fake credentials to gain network access.
In Forever 21’s case, the hackers reportedly gained entry through a weakness in the data