Essential Retail (ER): What should be key data security priorities for organisations in 2016?

Jeremy King (JK): Simply put, reducing risk and making data security business-as-usual. Organisations cannot afford to do anything less - not with 90% of large organisations and 74% of small organisations suffering data breaches, and the average cost of a breach reaching well over £3 million.

The European government is introducing new regulations to protect customer data this year, which puts added pressure on organisations to demonstrate their data security efforts. Even though these regulations will not come into effect until late 2017 or early 2018, good data security takes time and effort, so organisations need to make this a priority now.

ER: What about top threats or areas of concern for retailers?

JK: Phishing continues to be an easy way for attackers to get into merchant systems - but it's something that can be prevented. Retailers need to be aware of these attacks and others and train their employees on how to spot them and protect against them. This is where incident response comes in. If we take the example of phishing, on average it still takes an organisation 23.7 days to resolve a cyberattack caused by phishing or social engineering! Improving security controls and processes to identify and detect attacks quickly, using the PCI Data Security Standards, and establishing an incident response should also be a key concern for organisations in 2016.

Card-not-present fraud continues to be an area of concern as well. At 71% in Europe, it's at an all-time high. We can expect this will continue to climb unless we start taking advantage of technologies like point-to-point encryption and tokenisation to devalue the data so that it's useless to criminals.

ER: What can you tell us about the Council's plans to release PCI Data Security Standard (PCI DSS) 3.2 in 2016?

JK: PCI DSS 3.2 is planned for release in Q2 to include the revised migration dates for moving away from SSL and TLS encryption protocols, published in December 2015, and to address changes in the threat and payment acceptance landscape. As the DSS is a mature standard, the modifications are focused on key areas that need to be strengthened, based on what we are seeing in breach reports. For merchants, the biggest change in addition to the previously announced revised SSL/TLS migration dates, is regarding the use of multi-factor authentication by administrators accessing the payments environment.

ER: Any tips for organisations on preparing for PCI DSS 3.2?

JK: Most importantly, review the guidance from last year on migration away from insecure Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) encryption protocols - even though the dates for migration have been extended, it's critical not to wait to address this issue. If you haven't already, put mitigation controls in place as soon as possible, and start working toward a full migration plan.

Start looking at how two-factor authentication works within your environment and whether the administrators that have access to the cardholder data network are doing it in a proper way, according to the current version of the standard.

Lastly, it is a great opportunity to take stock of your security programme. How are you accepting payments and is there a way to reduce the risk to your customers and organisation by changing business practices for cardholder data exposure? Evaluate newer payment technology like tokenisation and encryption, and how you may be able to reduce your risk and simplify your PCI DSS compliance programme. Check in with your third-party service providers to make sure they are aware of the importance of the upcoming changes.

Jeremy King's presentation is part of today's Payments Conference programme at RBTE 2016, which has been running this week in London. The session provides an update on all the latest data security news courtesy of the PCI Security Standards Council, including issues to consider when implementing point-to-point encryption.
