Managing Merchant Risk in a Post-COVID World

As risk profiles continue to evolve, a PCI DSS Self-Assessment Questionnaire (SAQ) is looking increasingly outdated. MSPs need continuous, real-time monitoring of merchant risk.

Merchant risk in a post-COVID world: how is it changing and how can I manage it?

UK PLC (Public Limited Company) has had a rollercoaster year. But one sector that’s adapted to roll with the punches better than most is retail. Yet the dramatic pivot to online shopping has elevated the cyber-related risks for these businesses and their merchant service providers (MSPs).

As risk profiles continue to evolve, the point-in-time snapshot of a PCI DSS Self-Assessment Questionnaire (SAQ) is looking increasingly outdated. Instead, MSPs need something more akin to CCTV, for continuous, real-time monitoring of merchant risk.

No turning back

COVID-19 has provided a once-in-a-generation boost to e-commerce. Local lockdowns and social distancing forced many to try shopping online for the first time, and others to double down on e-tail. The result? Total online sales for the UK grew by nearly two-fifths (37%) last year, the biggest jump since 2007. Since the beginning of the pandemic nearly half (46%) of UK shoppers have bought a product online that they had previously only ever purchased in store.

What’s more, it’s unlikely things will go back to pre-pandemic norms. Online sales reached nearly 34% of total retail during the first peak of the crisis in May 2020, but dropped back only to 28% by September when non-essential high street stores had begun trading again. In the US, things are even more pronounced — with claims that e-commerce penetration accelerated by a decade in just 90 days at the start of the pandemic.

Why does this matter?

This changes much from a risk perspective. On the one hand, many smaller merchants have started trading online for the first time, using technology they have limited knowledge of and limited resources to perform due diligence on. On the other, there are the larger merchants who are supporting many more online customers today, but may be doing so with legacy systems riddled with vulnerabilities. As transaction volumes increase, these organizations become a bigger target for cyber-criminals.

In this context, MSPs must make it their business to understand how risk is shifting across their merchant portfolios and then take action to mitigate it effectively. Actionable insight from payment security risk assessments has become the indispensable first step in this process.

Time for dynamic risk management

The old way of doing things, the PCI DSS SAQ, captures the self-declared compliance status of a merchant at a certain point in time. This information may be up to 12 months old by now and, as we all know, it’s been a year of profound volatility and disruption, in which risk is difficult to assess.

Instead, MSPs need dynamic cybersecurity assessment tools to identify the key areas of risk in their portfolio in near real-time, focus scarce resources where they can make a difference, and then take practical steps to mitigate that risk.
