Spotlight On Retail: Information Security And Data Privacy
Table Of Contents:
- 1) The Cyber Threats Facing the Retail Sector
- 2) What Are the Critical Information Security Standards & Regulations in Retail
- 3) The Consequences of Poor Information and Data Security Practices in Retail
- 4) A Standards-Based Approach to Retail Cybersecurity
- 5) PCI-DSS and ISO 27001:2022
- 6) Take A Secure Stance Against Retail Cybersecurity Threats
According to the Office for National Statistics, in November 2023, 30% of all retail sales in Great Britain were made online. Meanwhile, a report from security business Sophos found that two out of three companies in the retail sector reported ransomware attacks in 2022. With so many consumers shopping online, customer data is a tempting prize for hackers who can profit from selling or misusing that data.
In addition to mounting cyber threats, retailers must comply with multiple cybersecurity regulations. These regulations and the risk of attacks from threat actors mean that retail cybersecurity should be at the forefront of brands’ minds.
How can you meet retail cybersecurity best practices in the face of technological advances, stringent regulations, and cyber threats?
The Cyber Threats Facing the Retail Sector
The first step in ensuring information security resilience is to understand the cybersecurity challenges your business could face. Retail cybersecurity faces a range of threats, encompassing everything from intentional cyberattacks to accidental security lapses.
Phishing
In a phishing attempt, cybercriminals pose as trusted individuals or companies to convince the victim to reveal personal information, such as passwords, which can then be used to access accounts and sensitive customer data. A report by Zscaler ThreatLabz found that the retail industry saw a 436% increase in phishing attacks from 2020 to 2021.
Point-of-Sale Attacks
In point-of-sale (POS) attacks, attackers exploit weak network security by installing malware on the systems used to conduct financial transactions. Using this malware, cybercriminals can easily steal customer payment data, including credit card data, from checkout systems.
Ransomware
Ransomware is malware designed to prevent an organisation from accessing its systems by encrypting its data and demanding a ransom.
Sophos’s State of Ransomware in Retail 2023 report found that 69% of retail organisations faced ransomware attacks in 2023, a decrease from 77% in 2022. However, 71% of those organisations stated that attackers had successfully encrypted their data, and only one in four (26%) of retailers stopped attacks before their data was encrypted.
Supply Chain Attacks
Supply chain attacks target retailers by focusing on vulnerabilities in their supply chains, usually through vendors with weak security who have access to retailers’ software or systems. Using these third parties, cybercriminals infiltrate the target retailer’s system or network to access sensitive data.
What Are the Critical Information Security Standards & Regulations in Retail
Once you understand the risks retail organisations face, the next step is to wade through the plethora of standards and regulations your organisation needs to be aware of and comply with. Depending on where you operate and what customers you serve, there can be a lot to consider; below is a summary of the key ones that retailers must consider.
The General Data Protection Regulation (GDPR)
Retailers and e-commerce companies must follow the EU’s General Data Protection Regulation (GDPR) when collecting and handling European customer data, regardless of whether they are an EU-based organisation or not. The GDPR mandates that companies get clear, affirmative consent when gathering personal information like names, contact details, purchase histories, and any data used for behavioural profiling or targeted advertising purposes.
Specifically, transparent notice and explicit opt-in consent are required to process customers’ personal data for behavioural advertising. This includes building profiles that analyse or predict personal preferences, interests, spending habits and other characteristics. Companies must clearly explain that this type of processing is taking place and enable customers to choose whether they agree.
Companies must also provide customers access to their stored personal information and allow them to correct or delete errors upon request. Easy-to-understand privacy policies must explain what data a retailer collects and how it is used. Strict rules also govern transferring customer data internationally outside the EU. Moreover, larger companies must appoint Data Protection Officers to monitor GDPR compliance across operations.
Should a retailer experience a data breach that is likely to risk customers’ rights and freedoms, retailers must notify their data protection authority without undue delay. In some cases, they may also need to communicate details of the breach directly to impacted individuals. Therefore, establishing robust breach detection, investigation, and disclosure procedures is a critical GDPR compliance obligation for retailers.
California Consumer Privacy Act (CCPA)
The CCPA covers for-profit companies that meet certain thresholds, such as having over $25 million in annual revenue or buying/selling the personal data of 50,000+ California consumers annually.
For retailers and online stores that meet these thresholds, the CCPA requires additional transparency, disclosures, and rights around California consumers’ personal data. Companies must disclose what types of personal information they collect and how it is used. Consumers must be allowed to opt out of having their data sold to third parties.
Retailers must also implement reasonable security procedures like encryption, access controls, intrusion detection, and regular testing to protect this data from breaches or misuse. If a company does experience a breach impacting over 500 California residents, they must notify consumers immediately. Failure to have reasonable security or properly notify breached consumers can result in hefty civil penalties under CCPA.
With California leading the way in digital privacy laws, the CCPA signals a significant shift for e-commerce providers, marketing technology companies, brick-and-mortar retail chains, and other retail leaders in the United States. Virginia, Colorado, Utah, and Connecticut all introduced similar laws that will take effect in 2024.
Many other states also have breach notification laws that require consumer notification if a data breach impacts that state’s residents. So, retailers need to comply with rapidly evolving state-level privacy laws across much of the country in addition to the CCPA in California.
The Gramm-Leach-Bliley Act (GLBA)
Many retailers offer customers financial products and services like credit cards, financing programs, and loyalty rewards programs. Under the US federal Gramm-Leach-Bliley Act (GLBA), retailers providing these types of financial offerings must adhere to strict requirements around transparency, data privacy, and security.
Specifically, GLBA requires retailers to clearly disclose their information collection and sharing practices directly to customers. In many instances, companies must allow consumers to opt out before sharing data with external parties.
Retailers also need to implement stringent controls and safeguards to protect customer data. This includes designating a security coordinator, performing risk assessments, utilising encryption technologies, and properly disposing of records. Most critically, GLBA lays out compliance requirements in case of a data breach, including promptly notifying impacted customers. With data vulnerabilities and cyberattacks on the rise globally, adherence to GLBA is crucial for retailers focused on financial services to maintain customer trust and avoid regulatory enforcement actions.
Network and Information Security Directive (NIS2)
NIS2 aims to establish a higher level of cybersecurity and resilience within the EU with more robust cybersecurity obligations. It specifically designates online marketplaces, search engines, cloud services, and more as “essential” or “important” entities that will be regulated starting in October 2024. This means many retailers and e-commerce companies like Amazon, Shopify, and eBay will fall under NIS2’s scope. Retail companies providing critical services like payments and logistics may also fall under NIS2.
Under NIS2, covered retailers must comprehensively assess the risks to their IT systems, applications, networks, and data. This means evaluating:
- Infrastructure security
- Software vulnerabilities
- Insider threats
- Third-party supplier/vendor risks
Based on the identified risks, retailers will then have to justify and implement cybersecurity measures such as multi-factor authentication (MFA), data encryption in transit and at rest, regular data backups, ongoing penetration testing and vulnerability scanning, as well as technologies and processes for threat detection, incident response and supply chain risk management.
NIS2 also creates binding cyber incident reporting requirements for retailers. In the event of a breach or cyber attack that materially impacts operations or data availability, they must notify national authorities in each EU state they operate in and proactively communicate details to impacted customers.
With intricate digital supply chains and data flows, major retailers globally should get ready now for NIS2’s extensive cybersecurity obligations tied to their connections to the EU economic zone. Advanced preparation will help major brands build resilience while avoiding disruptive enforcement actions.
The Payment Card Industry Data Security Standard (PCI DSS)
Any retailer that accepts popular credit cards or processes electronic payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). Considered one of the most widely adopted global data security protocols, PCI DSS is a set of technical and policy controls managed by the PCI Security Standards Council to safeguard sensitive cardholder information and transaction data.
Specifically, retailers processing payments must prove compliance by implementing:
- End-to-end encryption
- Secure systems and applications maintained per PCI guidance
- Restricted access to payment data
- Firewalls around cardholder data environments
- Anti-malware protection for IT infrastructure
Retailers must also conduct external and internal vulnerability scans, perform penetration tests, establish incident response procedures, monitor all third-party vendors, and undergo compliance audits annually or quarterly, depending on transaction volume.
In March 2022, PCI DSS was updated from version 3.2.1 to version 4.0, focusing on maintaining continuous security and enhancing payment validation processes. Organisations have until March 31, 2024, to adopt the updated version, with an 18-month deadline for achieving full compliance by March 2025.
PCI DSS v4.0 consists of 12 requirements organised into six categories. The key changes in the new version include:
- Increased focus on security as a continuous process
- More flexibility in how organisations can achieve their security goals
- New requirements for service providers, including the use of multi-factor authentication and the implementation of a zero-trust architecture
- Revised requirements for software development, including secure coding practices and the use of automated tools for vulnerability scanning and penetration testing
- More stringent rules for password management, including the use of passphrases and the prohibition of certain types of passwords
- Encouraging more systematic and effective encryption, including supporting the introduction of quantum-safe cryptography
The 12 controls within PCI DSS 4.0 have been updated to keep pace with both changes in the industry and cybercriminal tactics.
The Consequences of Poor Information and Data Security Practices in Retail
A failure to take information security and data privacy seriously can profoundly impact retailers, e-commerce providers, and merchant organisations.
The Financial Bottom Line Of Non-Compliance
All the regulations and standards highlighted in this blog come with financial penalties for non-compliance. Companies that violate GDPR face strict penalties and can be fined up to €20 million or 4% of global revenue, whichever is higher. On top of this, individuals (data subjects) can claim compensation for damages.
A company in breach of PCI DSS can be fined from $5,000 to $100,000 a month (roughly £4,000 to £80,000), depending on the size of the company and the duration and scope of non-compliance.
Also, the bank may impose other penalties, such as increasing transaction fees or terminating the relationship altogether. Additional fines, which increase over time, may be imposed for repetitive violations.
Businesses that violate GLBA face fines of up to $100,000 per violation, and individuals in charge of these businesses can be fined $10,000 per violation, with up to five years in prison.
NIS2 comes with much stricter enforcement requirements than its predecessor. Penalties for non-conformity range from being security audited and ordered to follow set recommendations to fines of €10 million or 2% of the organisation’s total worldwide turnover, whichever is higher.
The maximum civil penalty for an unintentional CCPA violation is $2,500 per breach. For intentional violations, the maximum fine is $7,500 per breach. The maximum penalty amounts sound relatively modest, but if a company were found to have intentionally committed thousands or even hundreds of thousands of violations, for example by not meeting CCPA opt-out requirements, the total amount could be huge.
CCPA also permits consumers to claim $750 per consumer per incident or to seek actual damages where loss can be shown to have occurred due to the breach.
As you can see, the financial implications of non-compliance can be significant and have a lasting impact on a company’s bottom line and long-term profitability.
Reputation Is Everything
Non-compliance goes beyond the more obvious financial implications to include:
Reputational damage: A breach of personal data can cause significant harm to an organisation’s reputation, leading to a loss of customers and a decrease in trust. The negative impact on a company’s reputation can take years to repair.
Lawsuits: Organisations can face lawsuits from individuals whose personal data has been breached, leading to further financial penalties and reputational damage.
Decreased customer trust: When personal data is breached, customers can lose confidence in the organisation, resulting in reduced customer engagement and potentially damaging the organisation’s brand and reputation.
Decreased stock value: Data breaches can harm a company’s stock value as investors become concerned about potential financial penalties and reputational damage.
Greater scrutiny by regulatory bodies: Organisations that experience frequent data breaches or non-compliance issues can face increased audits and investigations by regulatory agencies. The organisation risks even tighter regulations being imposed if problems persist.
A Standards-Based Approach to Retail Cybersecurity
Adopting an established information security framework is one of the most effective ways retailers can reassure customers and partners that they have robust security foundations. The ISO 27001 framework is a globally recognised international standard for information security management systems (ISMS) that provides a systematic and risk-based approach to securing sensitive information assets.
By implementing the ISO 27001 framework, retailers can build a comprehensive information security management approach that includes policies, procedures, controls, and risk management practices to protect against potential security threats and vulnerabilities, secure their customers’ data, and provide evidence of their capabilities.
Some of the core requirements of ISO 27001 will enable organisations to demonstrate high levels of digital trust, including:
Taking A Risk-Based Approach: The ISO 27001 framework requires organisations to identify and assess risks to their information assets and implement appropriate controls to mitigate those risks. This approach ensures that information security measures are tailored to the specific risks and needs of the organisation, which helps build trust with customers and stakeholders.
Ensuring Compliance with Regulations: The ISO 27001 framework is designed to help organisations comply with various regulatory requirements related to information security, including data protection laws, privacy regulations, and industry-specific regulations. Organisations can build trust with regulators and other stakeholders by demonstrating compliance with these regulations.
Enabling Continuous Improvement: The ISO 27001 framework emphasises the need for ongoing monitoring, review, and improvement of the information security management system. By continuously improving their security measures, organisations can demonstrate their commitment to protecting sensitive information and building trust with stakeholders.
Effectively Managing Third-Party Providers: ISO 27001 certification is recognised globally as a validation of an organisation’s information security management system. By obtaining certification, organisations can demonstrate to customers, partners, and other stakeholders that they have implemented a comprehensive and effective information security management system.
PCI-DSS and ISO 27001:2022
Interestingly, many PCI-DSS principles can be mapped directly to ISO 27001, creating the opportunity to take an integrated approach that can offer cost benefits and operational efficiencies, reducing the resources required by focusing on the frameworks’ shared requirements.
Further benefits include enhancing the overall security posture against a broader range of threats by exploiting the strengths of both standards to identify and fill gaps. Ultimately, the integrated perspective facilitates continuous improvement through regular reviews and better adaptability to emerging threats.
We’ve created a handy guide that outlines this approach to concurrent compliance with both ISO 27001 and PCI-DSS v4, which you can access here: Mapping the PCI-DSS v4 Framework to the Updated ISO 27001:2022
Take A Secure Stance Against Retail Cybersecurity Threats
As the retail landscape continues to shift online, cybersecurity must be a top priority for retailers of all sizes. Between mounting cyber threats, complex regulations like GDPR and PCI DSS, and the reputational risks of data breaches, retail brands have a lot at stake when it comes to protecting customer data.
Retailers must take critical steps to implement robust security controls, achieve globally recognised standards like ISO 27001, and take an integrated approach to meet compliance obligations. Following cybersecurity best practices and leveraging advanced technologies will help secure sensitive systems and data.
Most importantly, retailers must make cyber resilience a continuous process rather than a one-time project. As threats and regulations evolve, so must cyber defences. By making information security a regular boardroom discussion and dedicating adequate resources, retailers can become more secure, trusted stewards of customer data. The financial, reputational and legal consequences of inaction are too significant to ignore.
Strengthen Your Compliance Today
If you’re looking to start your journey to PCI-DSS V4 compliance, we can help.
Our ISMS solution enables a simple, secure and sustainable approach to PCI-DSS and information management with ISO 27001 and over 100 other frameworks. Realise your competitive advantage today.