By Park Foreman, Principal Security Architect at GTT Communications
As retailers from across the country gather for this year's National Retail Federation BIG Show, network security is on many of their minds. More than 61 million records were stolen from retailers in 2014, and during the biggest shopping days of the year, from November 24 into early December, the retail and wholesale industry was the top industry target for attackers. To reduce the risk of a breach, retailers must meet the current standards for network security, especially where their customers' payment card data is concerned.
PCI DSS 3.1 took effect in April 2015, and its one substantive technical change becomes mandatory on June 30, 2016: SSL and early TLS are no longer considered strong cryptography, so existing connections that carry cardholder data over those protocols must be migrated by that date, and new implementations may not use them at all. While some retailers may still be struggling to reach full compliance with version 3.0, the jump from 3.0 to 3.1 is much less demanding than the jump from 2.0 to 3.0 was. Even so, 3.1 is a turning point for a retailer's security program, because it expects security to be maintained as a business-as-usual state rather than treated as an add-on that is switched on before the annual assessment.
The other notable shift is in how assessments are conducted. Qualified Security Assessors are being retrained and given clearer guidance that they should ask for evidence, such as logs, change records and reports, from specific dates across the period since the last assessment, rather than accepting a point-in-time snapshot. A control that was "implemented" the week before the auditor arrived will not produce that evidence, so gaps in individual sub-requirements are far more likely to be found. Meeting every sub-requirement continuously is costly and time consuming, but the cost of failing to do so can be far more damaging to the bottom line.
Many CIOs and IT professionals treat a data breach as something to address reactively rather than proactively. It may be tempting to plan to absorb the cost of a breach after it happens, but retailers tend to underestimate that cost. According to recent industry data, 18 consumers become victims of cybercrime every second, and 43% of companies experienced a data breach in the past year, up 10 percentage points from the previous year. The estimated cost to a business is $201 for each compromised record, and the average total cost of a data breach to a company is $5.9 million.
Along with the financial risk comes lost time. It takes an average of 80 days to detect a breach and a further 123 days on average to resolve it. Closing gaps in security can seem daunting, but it saves time in the long run, provided the retailer chooses a solution provider that reduces the effort spent on payment security rather than adding to it.
The damage to a company's reputation after a breach cannot be overlooked either. As security incidents become more frequent, consumers grow more protective of their card data. A breach can devastate customer loyalty, and some businesses do not survive the year that follows.
Many retailers find themselves lacking the time, money, expertise and other resources necessary to become fully compliant and secure. To address this, companies are turning to third-party solution providers. While this can be a valuable strategy for meeting PCI compliance goals, not all service providers are created equal. Key attributes retailers should focus on when choosing a service provider include:
A holistic solution
Information security risk is broad, and PCI DSS 3.1 has 12 top-level requirements broken down into well over 100 sub-requirements and testing procedures. Buying a software package can be a good first step toward reducing risk, but the tool alone is not sufficient: it must be paired with personnel, policies, procedures, auditing and training before it can fully address the requirements. Retailers should look for a provider whose service covers all of these elements and offers a complete, holistic approach to security.
Managing multiple vendors is inefficient and expensive, so where possible a retailer should consolidate on a single provider for its security and compliance needs, saving time, effort and cost. One caveat: consolidation also concentrates risk in that one provider, so the retailer must still confirm the provider's own PCI DSS compliance status and re-check it at least annually, as Requirement 12.8.4 demands.
Assuming the risk
PCI DSS 3.0 made explicit what was always true: the merchant remains fully accountable for its own compliance, and that does not change in 3.1. Outsourcing to a third party transfers the day-to-day operation of some controls, not the accountability for them. Requirement 12.8.5 therefore obliges the retailer to document which PCI DSS requirements are managed by each service provider and which remain in house, and Requirement 12.9 obliges the service provider to acknowledge its responsibilities in writing. Retailers should make sure these roles are captured in a written, signed contract that names the specific sub-requirements each party will meet, and they should expect the assessor to ask for that document.
Familiarity with PCI requirements and updates
Retailers should ensure that their service provider understands PCI DSS in detail, including the latest revision and the June 30, 2016 deadline for retiring SSL and early TLS. The list of sub-requirements is long, and with assessors now sampling evidence across the whole assessment period, nothing should be left to chance. The provider's solution should be built to satisfy even the most demanding requirements and to produce the evidence that proves it, day after day, not just at audit time.
At first, PCI compliance may feel like an undue burden from a time and cost perspective. However, by choosing the right service provider and putting the right PCI compliance plan in place, retailers can benefit from the peace of mind that they get from having taken a crucial step in protecting their business and their customers.
Park Foreman is Principal Security Architect at GTT Communications. GTT is a leader in delivering cloud networking services to global multinational corporations and offers one of the most comprehensive PCI solutions in the industry today. Find out where your security stands with a limited-time free network evaluation, conducted by GTT’s team of security experts, or email us to learn more about how we can help you meet your PCI compliance goals.