The growing number of data breaches at US retailers is largely down to mandatory breach disclosure laws, according to Tim Holman, president of ISSA-UK and chief executive at security consultancy 2-sec.
“There are a huge number of breaches and payment card-related frauds, but there is no law yet requiring companies to disclose them,” he told the SC Congress in London.
“However, that picture will change if Europe introduces planned mandatory breach notification legislation,” he said.
One of the biggest problems in the retail sector is that too many organisations view the Payment Card Industry Data Security Standard (PCI DSS) as a tick-box exercise, said James McKinlay, head of information security and PCI DSS subject matter expert at Atos Worldline UK and Ireland.
“PCI DSS is not used to drive and increase baseline security,” he said.
McKinlay believes the standard is aimed at little more than helping retailers to establish a security baseline, and that merely achieving compliance is no guarantee of security.
“There is so much more retailers could and should be doing beyond the requirements of PCI DSS to reduce the risk of exposing payment card data,” he said.
Retailers should use PCI DSS as a way of raising security awareness across the organisation, improving data handling processes and ensuring technological controls are up to date and working.
PCI DSS has come under criticism because US retailer Target and payment processing firm Heartland both experienced breaches while being nominally PCI DSS compliant.
But Holman defended the standard and PCI DSS qualified security assessors (QSAs).
“Many of the PCI DSS control assessments are interview-based, so if retailers are not answering QSA questions truthfully and not following their advice and PCI guidelines, they will not be secure,” he said.
Holman agreed that evidence-based assessments would ensure a higher degree of security, but said that would be too time-consuming, especially for larger organisations, and was therefore not practical.
Dave Whitelegg, senior information security and PCI consultant at Capita, said the best way for retailers to reduce their risk of data loss is to avoid holding payment card data as far as possible.
“The best approach is to find ways of outsourcing all payment processes so that no payment card data is held or processed by the retailer.
“Alternatively, if payment card data cannot be avoided, ensure that it is encrypted from end to end so that even if systems are breached, attackers cannot use the data to commit fraud,” he said.
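Whitelegg's first recommendation, keeping payment card data out of the retailer's systems altogether, is usually implemented by tokenisation: the outsourced provider swaps the PAN for an opaque token at capture time, and the retailer stores only the token and a masked PAN. The following is an added example, not code from the article or from any of the firms named in it; `PaymentProvider`, `Retailer`, the `tok_` token format and the test card number are all assumptions made here to illustrate the flow, and the end-to-end encryption alternative Whitelegg mentions is not shown.

```python
"""Tokenisation sketch: the retailer never holds a PAN (hypothetical example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they reach the provider."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits showing at most the last four digits on a stored record."""
    return "*" * (len(pan) - 4) + pan[-4:]


class PaymentProvider:
    """Hypothetical outsourced processor: the only party that ever sees a PAN."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN, held only by the provider
        self._index: dict[str, str] = {}   # HMAC(PAN) -> token, so repeat cards reuse a token
        self._index_key = secrets.token_bytes(32)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Keyed fingerprint: an attacker who dumps _index cannot brute-force PANs
        # without the key, unlike a plain SHA-256 of a 16-digit number.
        fingerprint = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._index.get(fingerprint)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random, carries no card information
            self._vault[token] = pan
            self._index[fingerprint] = token
        return token

    def charge(self, token: str, amount_pence: int) -> dict:
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real provider would authorise with the card network here.
        return {"status": "approved", "amount": amount_pence, "last4": pan[-4:]}


@dataclass
class Retailer:
    """The merchant's side: its data store holds tokens and masked PANs only."""
    provider: PaymentProvider
    customers: dict = field(default_factory=dict)   # customer_id -> stored record

    def save_card(self, customer_id: str, pan: str) -> dict:
        token = self.provider.tokenize(pan)
        self.customers[customer_id] = {"token": token, "masked": mask_pan(pan)}
        return self.customers[customer_id]

    def repeat_purchase(self, customer_id: str, amount_pence: int) -> dict:
        return self.provider.charge(self.customers[customer_id]["token"], amount_pence)


def dump_contains_pan(retailer: Retailer, pan: str) -> bool:
    """Simulates an attacker reading the retailer's customer database."""
    return pan in repr(retailer.customers)


if __name__ == "__main__":
    provider = PaymentProvider()
    shop = Retailer(provider)
    test_pan = "4111111111111111"   # constructed, Luhn-valid test number
    record = shop.save_card("cust-1", test_pan)
    print(record)                                        # token + masked PAN only
    print(shop.repeat_purchase("cust-1", 1999))          # charge by token
    print("PAN in retailer dump:", dump_contains_pan(shop, test_pan))
```

The security property worth checking is the last line: a compromise of the retailer's database yields tokens that are useless without the provider's vault, which is exactly the scope reduction Whitelegg describes. The keyed fingerprint on the provider side matters too; a plain hash of a 16-digit PAN with a known BIN range is cheaply reversible.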
McKinlay said retailers in general should also move away from focusing on avoiding breaches alone and pay more attention to how well they can cope in the event of a breach.
“Relatively few retailers are properly prepared for breaches and have up-to-date breach and incident management plans in place,” he said.