The Gift That Keeps on Giving: PCI Compliance for Post-Holiday Season Returns

Payment card industry (PCI) compliance was more critical than ever this holiday season as retailers experienced both in-store and online sales growth. But security professionals in the sector can’t afford to let their guard down yet. As the shopping season winds down, retailers face the challenge of securely handling massive customer transaction volumes across both on-site point-of-sale (POS) terminals and e-commerce portals — and ensuring that post-holiday credit card refunds don’t compromise consumer data. How can they maintain PCI compliance amid all this chaos?

‘Tis the Season to Spend

Final numbers have not yet been tallied as of this writing, but NPR forecasted holiday retail spending to reach $124 billion in 2018 after Black Friday exceeded expectations with 27.8 percent gains over last year.

Despite online gains, however, Adobe predicted that 83 percent of shopping would still take place in-store. Research firm Deloitte reported that “consumers are upbeat about the economy,” and with 73 percent expecting continued economic stability or growth, average holiday spend per consumer is predicted to increase by $300.

Mitigate Rising Retail Risks

Threat actors are also enjoying the uptick in consumer spending. According to U.S. News, POS fraud is up 8 percent this year, following a 70 percent jump in 2017.

This often takes the form of card skimmers installed at POS locations. But, as CSO Online reported, recent research demonstrated that it’s possible — though unlikely — for scammers to steal credit data via radio frequency identification (RFID). More practical forms of credit card fraud include retail and hospitality database breaches and local government compromises, which can expose millions of consumer credit records.

As consumer volumes increase during the holiday season, retailers are hard-pressed to ensure both in-store and online security. For example, brick-and-mortar locations often face the challenge of managing temporary staffers who aren’t fully trained in POS security and may inadvertently expose consumer credit data. Online, the rush to provide substantive server resources and accommodate Cyber Monday shoppers can lead to gaps in authentication and authorization, in turn reducing overall security.

Improve Presence of Mind

The PCI Data Security Standard (DSS) provides a common compliance framework to ensure that cardholder data is properly handled, stored and accessed by retail enterprises. The framework was most recently updated in May 2018 (version 3.2.1). Since June 30, 2018, early SSL and TLS 1.0 are no longer acceptable security controls; the only exception is legacy point-of-interaction (POI) terminals that can be verified as not susceptible to the known exploits, and any organization still relying on those protocols must maintain a documented risk mitigation and migration plan.

In addition, the requirements introduced in PCI DSS 3.2 (mandatory since February 2018) remain in force: multifactor authentication (MFA) for all non-console administrative access into the cardholder data environment, and, for service providers, a documented description of the cryptographic architecture used to protect cardholder data and penetration testing of segmentation controls at least every six months.

Despite the critical role of PCI compliance in credit card security, however, PYMNTS.com reported that 91 percent of retailers would likely fail an audit. In part, this stems from the increasingly complex nature of PCI DSS standards — dedicated IT teams or third-party providers are often required to ensure full adherence to new obligations. During the holidays, more high-priority threats such as distributed denial-of-service (DDoS) attacks and targeted phishing efforts can shift corporate priorities, and PCI compliance often suffers as a result.

Return to Spender

Despite lagging compliance rates, many retailers have established solid best practices for handling card data at in-store POS terminals and have implemented controls for detecting large-volume or rapid transactions online. But the holidays present a different problem: post-season credit card refunds.

To help reduce holiday shopping wait times and limit in-store fraud, many companies implement seasonal limits on returns, such as prohibiting any refunds until the New Year. In addition, most sellers require consumers to present proofs of purchase before issuing any type of on-card or cash-in-hand refund.

From a data protection perspective, however, two problems exist. First is outsourcing: As noted by the PCI Security Standards Council, retail enterprises often outsource refund and chargeback processes to third-party providers. But this doesn’t provide automatic compliance; the merchant remains responsible for its service providers’ handling of cardholder data, so if a vendor mishandles returns and exposes card data, the retailer is on the hook.

Secondly, while card authorization at the point of sale is largely automated, refunds typically require more direct human interaction. If employees can reach cardholder data or issue refunds without MFA, the retailer, not the card issuer, typically bears the loss from fraudulent refunds and chargebacks. This is true regardless of the attack’s origin; malicious insiders and targeted external attacks carry the same risk without MFA protection.

4 Steps to Improve Your PCI Compliance Posture in the New Year

Organizations should take the following steps to manage post-holiday attacks and reduce the risk of noncompliance in the new year.

1. Patch Regularly

Frequent security updates protect POS systems from newly discovered vulnerabilities. They’re also mandated by PCI DSS: critical security patches must be installed within one month of release, and all other applicable vendor patches within an appropriate time frame.

2. Audit Constantly

PCI DSS also requires that all access to network resources and cardholder data be logged, and that the logs of systems that store, process or transmit cardholder data be reviewed at least daily. Those reviews should look for indications of potential compromise, such as a sudden spike in refunds at a specific POS terminal or retail location, or refunds that outpace sales.
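The kind of review described above, written out as detection logic. This is an added example, not code from the original article: the log format (one CSV line per event: timestamp, terminal ID, event type, amount), the sample log lines and the thresholds are all constructed for illustration. It flags terminals that issue more refunds than a threshold inside a sliding time window, and terminals whose refunded amount exceeds their sales for the period.

```python
"""Flag POS terminals with anomalous refund activity (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import csv
import io

# Constructed sample log: terminal T2 issues a burst of refunds within two minutes
# that also far exceeds its sales. Format is an assumption, not a real POS format.
SAMPLE_LOG = """\
2018-12-27T09:01:12,T1,SALE,49.99
2018-12-27T09:03:40,T1,REFUND,49.99
2018-12-27T09:05:02,T2,SALE,120.00
2018-12-27T09:10:15,T2,REFUND,120.00
2018-12-27T09:10:48,T2,REFUND,89.50
2018-12-27T09:11:05,T2,REFUND,230.00
2018-12-27T09:11:30,T2,REFUND,75.00
2018-12-27T09:12:01,T2,REFUND,410.00
2018-12-27T09:20:00,T3,SALE,15.00
2018-12-27T09:25:00,T3,REFUND,15.00
2018-12-27T09:40:00,T1,SALE,22.00
"""


def parse_log(text):
    """Parse CSV log lines into (timestamp, terminal, event, amount), sorted by time."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        ts, terminal, event, amount = row
        events.append((datetime.fromisoformat(ts), terminal, event, float(amount)))
    events.sort(key=lambda e: e[0])
    return events


def refund_bursts(events, max_refunds=3, window=timedelta(minutes=10)):
    """Return {terminal: peak_count} for terminals with more than max_refunds
    refunds inside any sliding window of the given length."""
    refund_times = defaultdict(list)
    for ts, terminal, event, _ in events:
        if event == "REFUND":
            refund_times[terminal].append(ts)

    alerts = {}
    for terminal, times in refund_times.items():
        start = 0
        for end, ts in enumerate(times):
            # Slide the window start forward until it covers only `window`.
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_refunds:
                alerts[terminal] = max(alerts.get(terminal, 0), count)
    return alerts


def refund_ratio(events, max_ratio=1.0):
    """Return {terminal: ratio} where refunded amount / sales amount exceeds
    max_ratio. A terminal with refunds but no sales gets an infinite ratio."""
    sales = defaultdict(float)
    refunds = defaultdict(float)
    for _, terminal, event, amount in events:
        if event == "SALE":
            sales[terminal] += amount
        elif event == "REFUND":
            refunds[terminal] += amount

    flagged = {}
    for terminal in set(sales) | set(refunds):
        ratio = refunds[terminal] / sales[terminal] if sales[terminal] else float("inf")
        if ratio > max_ratio:
            flagged[terminal] = ratio
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("refund bursts:", refund_bursts(evts))
    print("refund/sales ratio alerts:", refund_ratio(evts))
```

Both rules are deliberately per-terminal: a chain-wide refund count rises naturally after the holidays, while a single lane refunding five times in two minutes, or refunding more than it sold, is the pattern a daily log review is meant to catch. In production the same logic would run over the POS application or acquirer logs rather than a constructed string, with thresholds tuned to each location's baseline.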

3. Limit Data Storage

As noted by Retail Sector, many companies still store sensitive authentication data (SAD), such as full magnetic stripe (track) data, card verification codes and personal identification numbers (PINs) or PIN blocks. PCI DSS forbids retaining SAD after authorization even in encrypted form. Tokenization, combined with the use of third-party card vaults, keeps the primary account number out of the retailer’s own systems, which both shrinks the PCI DSS assessment scope and reduces the risk of theft.

4. Strengthen Authentication

It’s not enough for companies to use MFA. The PCI Security Standards Council’s MFA guidance also requires that the factors be independent (compromising one must not expose another) and that the system not reveal which factor caused an access denial. In practice, this means users submit their username, password and one-time security code together, the system validates all of them before returning any result, and a failure produces a single generic message, so an attacker cannot determine which factor was the limiting one and work on it in isolation.
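The difference between a leaky and a uniform MFA check, as an added example that is not code from the original article. The user record, the salted PBKDF2 password hashing, the per-user TOTP secret (the RFC 6238 test secret is used so the code can be checked by hand) and the message strings are all assumptions made for illustration; a real deployment would also reject reuse of a one-time code and tolerate a small clock skew.

```python
"""Leaky step-by-step MFA versus uniform all-factors-at-once MFA (added example)."""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user store: one refunds clerk. Secret is the RFC 6238 test vector key.
_SALT = b"constructed-salt"
_SECRET = b"12345678901234567890"
USERS = {
    "refunds_clerk": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse", _SALT),
        "totp_secret": _SECRET,
    }
}
# Dummy credentials so an unknown username costs the same work as a known one.
_DUMMY_HASH = hash_password("not-a-real-password", _SALT)


def login_leaky(username: str, password: str, code: str, now: int) -> str:
    """Checks factors one at a time and returns a different message for each
    failure, telling an attacker exactly which factor to keep guessing."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "bad password"
    if code != totp(user["totp_secret"], now):
        return "bad code"
    return "ok"


def login_uniform(username: str, password: str, code: str, now: int) -> str:
    """Takes all factors in one request, evaluates every one of them, and
    returns a single generic failure regardless of which factor was wrong."""
    user = USERS.get(username)
    salt = user["salt"] if user else _SALT
    pw_hash = user["pw_hash"] if user else _DUMMY_HASH
    secret = user["totp_secret"] if user else _SECRET

    # Both checks always run; no early return before every factor is evaluated.
    pw_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
    code_ok = hmac.compare_digest(code.encode(), totp(secret, now).encode())

    if user is not None and pw_ok and code_ok:
        return "ok"
    return "authentication failed"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; expected 6-digit code is 287082
    print("leaky, wrong password:", login_leaky("refunds_clerk", "wrong", "000000", t))
    print("leaky, wrong code:   ", login_leaky("refunds_clerk", "correct horse", "000000", t))
    print("uniform, wrong password:", login_uniform("refunds_clerk", "wrong", "287082", t))
    print("uniform, wrong code:   ", login_uniform("refunds_clerk", "correct horse", "000000", t))
    print("uniform, all correct:  ", login_uniform("refunds_clerk", "correct horse", "287082", t))
```

The leaky version lets an attacker confirm a stolen password without ever possessing the token; the uniform version gives the same answer whether the username, the password or the code was wrong, and does the same amount of hashing in each case so that response time does not leak the distinction either.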

The holidays represent huge opportunities for retailers and attackers alike. Reducing risk in the post-holiday rush to return unwanted gifts and process credit card refunds demands improved PCI compliance, including regular patching, consistent audits, reduced data storage and strong authentication.


Douglas Bonderud

Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and...