A new report from McAfee highlights that trust in retailers is frequently a leap in the dark. One of the problems is that retailers must conform to PCI standards but are not required to conform to any separate security standards. The result is a tendency to over-rely on conformance with PCI-DSS for general security. But PCI compliance primarily concentrates on the card details. These are read and transmitted by the POS terminals – and in turn the POS element is sometimes performed by old and second-hand equipment and often controlled by a third-party provider.
The result is that the retailer believes his security is handled by his provider, and the customer believes that his privacy, identity and card details are protected by the POS terminal. This might not be an accurate picture of the true situation. “The industry is very fragmented with a large base of smaller merchants utilising secondary market or used point of sale systems”, says Kim Singletary, director of retail solutions marketing at McAfee. “Merchants who do not have a broader security and privacy focus are leaving themselves vulnerable to susceptible systems and processes. If security, compliance and privacy adherence were more transparent to consumers, then retailers could look at these things as business differentiators rather than obligations.”
Because of the concentration on PCI compliance, general security is given less importance. “Retailers have worked hard not to store cardholder data, however, they still maintain a great deal of specific proprietary customer data on their networks that are a potential treasure trove for criminals and identity thieves,” explains Greg Buzek, founder and president of IHL Consulting Group. “When a security breach occurs, retailers are at risk of losing their customers’ trust and business.”
Before consumers do business with a retailer, they need to know the retailer’s security and privacy status and have visibility into how the merchant protects customer information, suggests the report. “The security paradigm needs to shift from a closed, minimal effort environment to one where merchants have a means to look at advanced technologies like whitelisting, integrity control, and hardware-assisted security to defend against the persistent threats they face every day,” concludes the report.