How to provide protection against fraud in a retail setting
Providing protection against fraud for customers has become a necessity. If a retailer cannot offer its customers protection against fraud and identity theft, they'll likely give their business to a competitor.
Unfortunately, the attacks show no signs of abating. The Identity Theft Resource Center reported that there have been more than 560 data breaches in the U.S. through the first nine months of 2015. These attacks have affected over 150 million people. Retailers may have a false sense of security because they adhere to the Payment Card Industry Data Security Standard (PCI DSS). However, PCI DSS is not a complete solution and requires constant vigilance, as demonstrated by recent breaches at major retailers.
Assessing the current situation, security experts offer the following tips to retailers who want to provide their customers with protection against fraud:
Isolate POS systems
A retail point-of-sale (POS) system that is connected to the Internet or remotely accessible is exposed to attack. Retailers that isolate their POS systems will limit the extent of an attack. It's also a good idea to break the system into zones and groups to limit the information an attacker can access from any one foothold.
Traditional firewalls have become obsolete because they don't inspect the payload of network packets and so cannot distinguish business applications from other traffic. Next-generation firewalls address these limitations by using various techniques to identify applications and by using deep-packet inspection to pinpoint malware and other anomalies. Fraud detection has traditionally revolved around monitoring traffic volume and looking for abnormalities, but deep-packet inspection gives a fuller picture of the traffic to and from an organization.
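One way to make the zoning advice above checkable is to write the segmentation policy down as an allow-list and run observed flows against it. The following is an added example, not code from the original article or from IBM; the zone names, address ranges, allowed ports and the flow-log format are all constructed for illustration. It flags any flow the policy does not permit, such as a register reaching the Internet or a back-office workstation reaching a register directly.

```python
"""Check observed network flows against a POS segmentation policy.

Added example, not code from the original article. The zones, CIDR
ranges, allowed ports and log format below are constructed for
illustration, not taken from a real deployment.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Hypothetical network zones (constructed private address ranges).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "pos":     ipaddress.ip_network("10.10.0.0/24"),  # registers and card terminals
    "payment": ipaddress.ip_network("10.20.0.0/24"),  # payment gateway / tokenization proxy
    "corp":    ipaddress.ip_network("10.30.0.0/24"),  # back-office workstations
    "mgmt":    ipaddress.ip_network("10.40.0.0/28"),  # jump host and patch server
}

# Allow-list: (source zone, destination zone) -> permitted destination ports.
# Anything not listed is a violation. "internet" is the catch-all zone for
# any address that falls in no known range.
ALLOWED: Dict[Tuple[str, str], Set[int]] = {
    ("pos", "payment"):   {443},     # terminals talk only to the payment gateway
    ("mgmt", "pos"):      {22},      # patching and administration via the jump host
    ("corp", "internet"): {80, 443},
    ("corp", "payment"):  {443},
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse a constructed flow-log line: '<src_ip> <dst_ip> <dst_port> <proto>'."""
    src, dst, port, _proto = line.split()
    return src, dst, int(port)


def check_flows(lines: List[str]) -> List[str]:
    """Return one description per flow that the segmentation policy does not allow."""
    violations = []
    for line in lines:
        src, dst, port = parse_flow(line)
        key = (zone_of(src), zone_of(dst))
        if port not in ALLOWED.get(key, set()):
            violations.append(f"{key[0]} -> {key[1]}:{port} ({src} -> {dst})")
    return violations


# Constructed sample flows (documentation address ranges, no real hosts).
SAMPLE_FLOWS = [
    "10.10.0.15 10.20.0.5 443 tcp",    # OK: register to payment gateway
    "10.40.0.2 10.10.0.15 22 tcp",     # OK: jump host patching a register
    "10.10.0.15 203.0.113.9 443 tcp",  # violation: register reaching the Internet
    "10.30.0.7 10.10.0.15 445 tcp",    # violation: workstation reaching a register directly
    "10.30.0.7 198.51.100.4 80 tcp",   # OK: back-office web traffic
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print("VIOLATION:", v)
```

Feeding real firewall or NetFlow exports through `parse_flow` in place of the constructed lines turns this into a daily check that the zones still hold; the same allow-list can be used as the specification when writing the firewall rules themselves.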
Enact a full mobility security plan
Mobile is often the weak link for organizations. Because the BYOD trend is still relatively new, IT departments take a variety of approaches to mobile security. One is zero tolerance for moving sensitive company information onto mobile devices. According to InformationWeek's 2014 Mobile Security Survey, nearly half of the technology experts polled don't allow corporate data to be stored on personally owned devices. Of those that do, 33 percent require that the data be stored in a container.
CIO also advocates for "basic limitations on the mobile devices themselves (password and timeout requirements, software updates, and policies against jailbroken devices and downloads from untrusted developers) and at the data level (appropriate access levels for employees, automatic encryption and ongoing employee training)."
Dispose of unneeded data
While card data is an obvious lure for hackers, retailers often have other sensitive information on hand, like loyalty data or employee information. Often, data on hand isn't really necessary and presents an avoidable security risk. PCI standards suggest getting rid of such data, and you cannot get rid of what you have not found.
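Before unneeded data can be purged it has to be located, and card numbers in particular turn up in exports, support logs and spreadsheets where nobody expects them. The scanner below is an added example, not code from the original article or from IBM: it finds digit runs of card-number length, keeps only those that pass the Luhn check digit (which removes most order numbers and phone numbers), and reports them masked to the first six and last four digits. The sample records are constructed, and the card numbers in them are the widely published test numbers, not real accounts.

```python
"""Find candidate card numbers (PANs) in stored data so they can be purged.

Added example, not code from the original article. The sample records are
constructed; the card numbers are well-known test numbers, not real accounts.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, which is
# how PANs usually appear in exports, logs and spreadsheets.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; rejects most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits in the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked, Luhn-valid PAN candidates found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_records(records: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Scan (location, content) pairs and return (location, masked PAN) hits."""
    hits = []
    for location, content in records:
        for pan in find_pans(content):
            hits.append((location, pan))
    return hits


# Constructed sample of data a retailer might be holding without needing to.
SAMPLE_RECORDS = [
    ("loyalty.csv:17",  "Jane Doe,4111 1111 1111 1111,gold"),           # test Visa number
    ("support.log:402", "refund failed for card 5500-0000-0000-0004"),  # test Mastercard number
    ("orders.csv:9",    "order 1234567890123456 shipped"),              # 16 digits, fails Luhn
    ("staff.txt:3",     "phone 555-0100 ext 42"),                       # too short to be a PAN
]

if __name__ == "__main__":
    for location, pan in scan_records(SAMPLE_RECORDS):
        print(f"{location}: {pan}")
```

In practice the `(location, content)` pairs would come from walking file shares, database dumps and log directories; the point of reporting masked values is that the scan output itself must not become another copy of the card data.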
Follow basic company-wide security guidelines
Following basic security guidelines may sound like common sense, but retailers that are not adhering to a company-wide security checklist are leaving themselves open to attacks. At minimum, a security plan for providing protection against fraud should include:
- Two-factor authentication.
- Regular installation of patches and software updates.
- Education among staff about phishing and malware attacks via email.
EMV is not a cure-all
As of Oct. 1, 2015, retailers will be responsible for offering Europay, MasterCard and Visa (EMV) compliance. While EMV, which reads a chip on the card, is more secure than magnetic stripe cards, hackers will likely increase their efforts in response. Retailers' best defense against such attacks is to make sure their systems are as airtight as possible.
Protect consumers' retail data with a fraud-proof buying experience. Explore IBM Retail Solutions today.