Over 90% of US Retailers Fail PCI DSS

Security in the retail industry has significantly worsened over the past year, to the point that over 90% of domains analyzed recently were found to be non-compliant with PCI DSS.

SecurityScorecard analyzed 1444 domains in the US retail industry from October 2017 to March 2018, discovering that although cyber-criminals had become increasingly sophisticated, IT security departments had largely failed to keep pace.

Application security was a particular challenge, with retail second only to the entertainment sector in its poor performance.

When it came to social engineering, often the first stage of an attack or data breach in the form of phishing emails, the sector performed worst out of the 18 appraised.

In 91% of retail domains analyzed, the business failed four or more requirements of the key PCI DSS standard, with requirement six — dealing with maintaining secure systems and applications — particularly troublesome for 98%.

This includes requirement 6.2, which mandates organizations keep up-to-date with security patches: applying critical ones within one month and others within three. Some 91% failed this requirement.

“A reason many retailers lack compliance with Requirement 6.2 is that the increased number of vendors makes mapping updates more time-consuming,” the report claimed. “A retailer that uses different vendors for cloud storage, operating systems, data backup, mPOS, and POS may have a hard time following every update for each of these. In addition, some updates may be critical security updates while others focus on better usability.”

As part of the PCI DSS requirement, organizations must also understand data flows and the systems, servers, and networks that need to be protected: another area of weakness for retailers, according to the report.

“As part of the process, organizations need to build firewall and router rules that restrict inbound and outbound traffic,” it explained. “These restrictions need to specify all ‘untrusted’ networks and hosts, especially wireless ones. As part of this restriction, no public access can occur between the internet and system components in the Cardholder Data Environment (CDE).”

The challenge is ensuring retailers move from “point-in-time” compliance to continuous efforts, SecurityScorecard argued.