The retail industry’s payment security problem

This year’s Verizon Payment Security Report found the retail industry has fallen backwards across all 12 key requirements of the Payment Card Industry Data Security Standard (PCI DSS).  

Retail performs especially poorly at regularly testing security systems, protecting stored cardholder data, encrypting data in transit and authenticating users, according to Verizon.

“There’s never been a harder time to be a retailer,” says Rebecca Ledingham, director of security, monitoring and response for Mastercard. “You used to just have security concerns around shoplifting but now with the advent of cybercrime you are a target of anyone across the world that chooses to target your business.”

Ledingham believes some merchants are either “paying lip service to cyber security” or they “think a breach will never happen to them” and she urges retailers to invest in cyber security.

PCI compliance

The UK retail sector is a particular target for Eastern European organised crime gangs because of the size of the market and the UK’s reputation for good credit balances and credit history.

Retailers should begin by ensuring they are fully PCI compliant because if they are, the chance of getting breached is “pretty low”, according to Worldpay’s chief information security officer, Alan Osborne.

But once compliant, retailers must ensure they follow procedures to maintain compliance.

Most of the companies assessed fell out of compliance within nine months of validation, according to Gabriel Leperlier, head of continental Europe advisory services GRC/PCI at Verizon.

Osborne says Worldpay's internal statistics show the retail sector is most commonly hit after failing to maintain its website security.

“It looks like the hackers are targeting vulnerabilities that are a couple of years old,” says Osborne. “They are looking for low hanging fruit.”

Social engineering

Even if retailers are properly maintaining their systems they still need to be wary of social engineering.

“If they can’t exploit a vulnerability they are going to go after you via social engineering and that usually involves sending an email to your customer services department with a malware infected attachment purporting to be a receipt or complaint,” says Ledingham.

The way to protect against this is through staff training and awareness.

“Recognising spam and social engineering emails is your first line of defence,” explains Ledingham. “Your staff are usually the ones that will cause you or save you from problems.”

Dedicated teams of security experts are also a prerequisite for spotting the warning signs.

“You can have controls and technology in place, but if you don’t have the right skills you will be breached,” says Leperlier.

Target's breach happened despite the retailer having controls in place: the alerts those controls raised went unnoticed.

“Who was really able to understand it was an attack?” asks Leperlier. “No one.”

Payment security

Osborne believes the payment method is largely irrelevant when it comes to the likelihood of a breach.

“Breaches tend to happen not in the payment processing environment but within each individual business's website,” says Osborne. “They will develop their own website and leave a vulnerability in there which allows a hacker to get in and grab the data before it is sent off to the payment processing.”

David Birch, digital financial services advisor at payments consultancy, Consult Hyperion, warns that being PCI DSS compliant is not always a true safeguard.  

“Being PCI compliant does not make you invulnerable to breaches,” says Birch. “I’m not sure if there is much more to be done [in making data harder to steal], the alternative is making it harder to use that data, which is going to two-factor authentication.”

As a result, Birch recommends that retailers turn to payment methods such as Apple Pay and Samsung Pay.

“We should not be looking backwards and putting Elastoplast on things, we should be moving on,” says Birch.

Ledingham advocates combating hackers by working to ensure any stolen data is worthless to them.

“If it is tokenised the bad guys might be able to get to it, but it does not mean anything to them and they cannot use the data, so there is no black market value to it,” says Ledingham.
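The vault-style tokenisation Ledingham describes, as an added illustration that is not Mastercard's, Worldpay's or any token service provider's code: the merchant keeps only a random token plus the last four digits, the card number (PAN) lives encrypted in a separate vault, and a copy of the merchant database therefore contains nothing a fraudster can spend. The `tok_` prefix, the class names and the vault layout are assumptions for the example; the SHA-256 keystream is a dependency-free stand-in for a real cipher such as AES-GCM, and the PAN used is a well-known Luhn-valid test number, not a live card.

```python
"""Vault-style tokenisation of a card number (PAN): added example, not vendor code."""
import json
import secrets
from hashlib import sha256


def luhn_valid(pan: str) -> bool:
    """Luhn check, so the vault only accepts plausible PANs."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Trusted side (payment processor / token service provider).

    The PAN is stored under a vault-only key and looked up by a random token.
    The SHA-256 counter keystream is a toy stand-in for a real AEAD cipher
    (assumption for the example); the token itself is unrelated to the PAN.
    """

    def __init__(self, vault_key: bytes):
        self._key = vault_key
        self._store: dict[str, bytes] = {}

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < n:
            out += sha256(self._key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:n]

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        token = "tok_" + secrets.token_hex(16)   # random; carries no card data
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), self._keystream(nonce, len(pan))))
        self._store[token] = nonce + ct
        return token

    def detokenise(self, token: str) -> str:
        blob = self._store[token]                # KeyError for unknown tokens
        nonce, ct = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()


class MerchantRecords:
    """Merchant side: keeps only what is needed to display and re-charge a card."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.customers: dict[str, dict] = {}

    def save_card(self, customer_id: str, pan: str, expiry: str) -> dict:
        token = self._vault.tokenise(pan)
        record = {"token": token, "last4": pan[-4:], "expiry": expiry}
        self.customers[customer_id] = record    # no PAN ever written here
        return record

    def charge(self, customer_id: str, amount_pence: int) -> str:
        """The merchant sends the token; only the vault can recover the PAN."""
        token = self.customers[customer_id]["token"]
        pan = self._vault.detokenise(token)
        return f"charged {amount_pence}p to card ending {pan[-4:]}"


def stolen_dump_contains_pan(records: MerchantRecords, pan: str) -> bool:
    """Simulate a breach of the merchant database: does the dump leak the PAN?"""
    return pan in json.dumps(records.customers)


def demo() -> dict:
    pan = "4111111111111111"                    # constructed Luhn-valid test PAN
    vault = TokenVault(secrets.token_bytes(32))
    merchant = MerchantRecords(vault)
    rec = merchant.save_card("cust-42", pan, "12/27")
    return {
        "leaks_pan": stolen_dump_contains_pan(merchant, pan),   # False
        "roundtrip": vault.detokenise(rec["token"]) == pan,     # True
        "charge": merchant.charge("cust-42", 1999),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is in `stolen_dump_contains_pan`: everything the merchant persists is a random token, a last-four and an expiry, so the stolen dump has no black-market value, and an attacker who obtains a token still needs the vault (and the vault's key) to turn it back into a card number.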

Alongside substantial fines from the card schemes in the event of a breach, retailers will soon face the prospect of crippling fines under the EU's General Data Protection Regulation (GDPR).

The maximum GDPR fine is €20 million or 4% of annual global turnover, whichever is higher, which could run into billions of euros for a multinational retailer.

“The interesting part will be will the European Union give the fine and to what extent,” says Leperlier.

The threat of cyber attacks is here to stay until retail companies get their house in order.

“Cyber criminals move where the money is,” concludes Ledingham. “In the short term this problem is not going to go anywhere until merchants start looking at new technologies to make their data worthless to the bad guys.”