The past year has seen merchants, like many organizations, forced to adapt and change the way they work. Businesses rushed online to sell as lockdowns shuttered the high street, while employees were required to work from home. As essential as these trends were from a business perspective, they may also have introduced extra cyber risk.
The truth is that customer card data remains a highly lucrative target for cyber-criminals. It has made retail the most targeted sector for three years in a row, with the majority of attacks last year focused on stealing card-not-present (CNP) data, according to one report.
That’s why ZeroRisk has put together a handy five-point guide to help you protect your online store. It’s based on the findings of detailed research we’re currently finalizing on the e-commerce risks facing Irish merchants.
PCI DSS compliance can be a burden. Merchants are unsure which tools they need to stay protected and can find the whole process an administrative exercise that offers little obvious value. For smaller businesses with fewer resources the challenge is multiplied. Acquirers are sometimes guilty of failing to provide the support and guidance needed to streamline the process and communicate its importance.
However, it has never been more important for merchants to manage cyber risk in their business. Investments in cloud-based technologies have helped to support remote working and online commerce, but they may also expose your business to new threats. Home workers, for example, could be using unsecured networks and devices, or be more distracted and prone to fall for phishing attempts, and internal IT support may be harder to reach.
In the meantime, cyber-criminals continue to probe for any gaps in protection. According to IBM, scanning for and exploiting vulnerabilities was the number one threat vector in 2020, surpassing the perennial favorite of phishing. It also warned that Europe was the most attacked geographical region, accounting for nearly a third of attacks. And targeting of cloud systems was commonplace.
In light of these escalating threats, we recommend merchants:
In addition, leaving open ports that expose insecure services, such as protocols that carry credentials or whole sessions in cleartext, or management and database services reachable from the internet, puts the business at high risk of a cyber-attack. This is an immediate risk to data confidentiality, so at minimum run a vulnerability scan against your internet-facing systems, or ask your payment service provider or security staff to do so. An exposure of this kind is also a PCI DSS failure: the standard requires that inbound traffic to the cardholder data environment be restricted to what is necessary and that external vulnerability scans are passed every quarter, so it will prevent you from achieving compliance.
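As an added example (not ZeroRisk's own tooling or research), here is a small Python check that covers the port-exposure part of that scan: it scans a host for open TCP ports, then grades each one against an allow-list of the services a shop is expected to run and a table of services that should never face the internet. The service table, the allow-list and the sample scan result are constructed assumptions for illustration, and a full vulnerability scan (or your acquirer's approved scanning vendor) covers far more than open ports. Only scan hosts you own or are authorised to test.

```python
"""Port-exposure check for an internet-facing shop host (added example).

Scans a host for listening TCP ports, then compares the result against an
allow-list of expected services and a table of services that should never be
reachable from the internet. The table and the sample scan are constructed
for illustration; adjust both to your own estate.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Iterable

# Assumed table of services that should never face the internet: plaintext
# protocols and management/database endpoints. The original text only says
# "ports commonly recognized as insecure"; these entries are illustrative.
INSECURE_SERVICES = {
    21: "FTP: credentials sent in cleartext",
    23: "Telnet: whole session in cleartext",
    445: "SMB: file sharing exposed to the internet",
    1433: "MSSQL: database reachable from the internet",
    3306: "MySQL: database reachable from the internet",
    3389: "RDP: remote desktop exposed to the internet",
    5900: "VNC: remote desktop exposed to the internet",
}


@dataclass(frozen=True)
class Finding:
    port: int
    severity: str  # "high", "medium" or "ok"
    note: str


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> list[int]:
    """Return the ports on `host` that accept a TCP connection (a basic connect scan)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                open_ports.append(port)
    return open_ports


def assess(open_ports: Iterable[int], expected: set[int]) -> list[Finding]:
    """Map each open port to a finding.

    high   - a known-insecure service is exposed; treated as a compliance blocker
    medium - an unexpected listener; identify it, then justify it or close it
    ok     - a service the shop is expected to run (e.g. HTTPS)
    """
    findings = []
    for port in sorted(set(open_ports)):
        if port in INSECURE_SERVICES:
            findings.append(Finding(port, "high",
                f"{INSECURE_SERVICES[port]}; close it or firewall it off "
                "(PCI DSS Requirement 1 limits inbound traffic to what the "
                "cardholder data environment needs)"))
        elif port in expected:
            findings.append(Finding(port, "ok", "expected service"))
        else:
            findings.append(Finding(port, "medium",
                "unexpected listener; identify the service, then justify it or close it"))
    return findings


def has_compliance_blocker(findings: Iterable[Finding]) -> bool:
    """True if any finding exposes a known-insecure service."""
    return any(f.severity == "high" for f in findings)


# Constructed sample: what a scan of a small shop might return. Port 22 (SSH)
# is not on the allow-list, so it is flagged for review; 3306 is a blocker.
SAMPLE_SCAN = [22, 80, 443, 3306]
SAMPLE_EXPECTED = {80, 443}  # HTTP kept only to redirect to HTTPS


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_ports.py shop.example.com
        probe = sorted(set(INSECURE_SERVICES) | {22, 80, 443, 8080, 8443})
        open_ports = scan_ports(sys.argv[1], probe)
    else:
        open_ports = SAMPLE_SCAN
    results = assess(open_ports, SAMPLE_EXPECTED)
    for f in results:
        print(f"{f.port:>5}  {f.severity:<6}  {f.note}")
    sys.exit(1 if has_compliance_blocker(results) else 0)
```

Run it with a hostname to scan a live host, or with no arguments to grade the constructed sample. It exits non-zero when a blocker is present, so it can run from a scheduled job and raise an alert between your quarterly external scans; it is a complement to those scans, not a replacement.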
Remember, security isn’t a case of set-and-forget. You’ll need to continually review your posture in line with the latest guidance. But by following the above, you’ll at least have a baseline of effective protection on which to build a thriving online business.