Payment card industry (PCI) compliance was more critical than ever this holiday season as retailers experienced both in-store and online sales growth. But security professionals in the sector can’t afford to let their guard down yet. As the shopping season winds down, retailers face the challenge of securely handling massive customer transaction volumes across both on-site point-of-sale (POS) terminals and e-commerce portals — and ensuring that post-holiday credit card refunds don’t compromise consumer data. How can they maintain PCI compliance amid all this chaos?

‘Tis the Season to Spend

Final numbers have not yet been tallied as of this writing, but NPR forecasted holiday retail spending to reach $124 billion in 2018 after Black Friday exceeded expectations with 27.8 percent gains over last year.

Despite online gains, however, Adobe predicted that 83 percent of shopping would still take place in-store. Research firm Deloitte reported that “consumers are upbeat about the economy,” and with 73 percent expecting continued economic stability or growth, average holiday spend per consumer is predicted to increase by $300.

Mitigate Rising Retail Risks

Threat actors are also enjoying the uptick in consumer spending. According to U.S. News, POS fraud is up 8 percent this year, following a 70 percent jump in 2017.

This often takes the form of card skimmers installed at POS locations. But, as CSO Online reported, recent research demonstrated that it’s possible — though unlikely — for scammers to steal credit data via radio frequency identification (RFID). More practical forms of credit card fraud include retail and hospitality database breaches and local government compromises, which can expose millions of consumer credit records.

As consumer volumes increase during the holiday season, retailers are hard-pressed to ensure both in-store and online security. For example, brick-and-mortar locations often face the challenge of managing temporary staffers who aren’t fully trained in POS security and may inadvertently expose consumer credit data. Online, the rush to provide substantive server resources and accommodate Cyber Monday shoppers can lead to gaps in authentication and authorization, in turn reducing overall security.

Improve Presence of Mind

The PCI Data Security Standard (DSS) provides a common compliance framework to ensure that credit card data is properly handled, stored and accessed by retail enterprises. The framework was most recently updated in May 2018, and it now requires providers that still use early Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to maintain risk mitigation plans.

In addition, the updated PCI DSS mandates multifactor authentication (MFA) for all nonconsole administrative access alongside pre-existing requirements for documented descriptions of cryptographic architecture and penetration testing on segmentation controls every six months.

Despite the critical role of PCI compliance in credit card security, however, it has been reported that 91 percent of retailers would likely fail an audit. In part, this stems from the increasingly complex nature of PCI DSS standards: dedicated IT teams or third-party providers are often required to ensure full adherence to new obligations. During the holidays, more high-priority threats such as distributed denial-of-service (DDoS) attacks and targeted phishing efforts can shift corporate priorities, and PCI compliance often suffers as a result.

Return to Spender

Despite slacking compliance rates, many retailers have established solid best practices for handling credit data at in-store POSs and have implemented controls for detecting large-volume or rapid transactions online. But the holidays present a new problem: postseason credit card refunds.

To help reduce holiday shopping wait times and limit in-store fraud, many companies implement seasonal limits on returns, such as prohibiting any refunds until the New Year. In addition, most sellers require consumers to present proof of purchase before issuing any type of on-card or cash-in-hand refund.

From a data protection perspective, however, two problems exist. First is outsourcing: As noted by the PCI Security Standards Council, retail enterprises often outsource refund and charge-back processes to third-party providers. But this doesn’t provide automatic compliance; if vendors mishandle returns and expose credit data, retailers are on the hook.

Secondly, while credit card processing is often handled automatically, credit refunds typically require more direct human interaction. If employees are able to access credit data without MFA, any fraudulent refunds or chargebacks will be the responsibility of the retailer, not the credit card issuer. This is true regardless of attack origin; malicious insiders and targeted attacks carry the same risks without MFA protection.

4 Steps to Improve Your PCI Compliance Posture in the New Year

Organizations should take the following steps to manage post-holiday attacks and reduce the risk of noncompliance in the new year.

1. Patch Regularly

Frequent security updates ensure POS systems are protected from newly discovered vulnerabilities. They’re also mandated by PCI DSS; all critical patches must be applied within a month.

2. Audit Constantly

PCI DSS also requires logging and auditing credit data access. Ideally, companies should review these logs daily for indications of potential compromise, such as a sudden spike in credit card refunds at a specific POS terminal or retail location.
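The daily log review described above can be automated. The following is an added example, not code from the original article or from any PCI SSC publication; it parses constructed sample transaction log lines (the line format, store and terminal names and thresholds are all assumptions for the demonstration) and flags any terminal whose refund count in an hour, or whose refunded amount relative to its own sales, exceeds a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample POS transaction log (not from any real system). The
# format "timestamp store=... terminal=... type=... amount=..." is assumed.
SAMPLE_LOG = """\
2018-12-26T09:02:11Z store=0412 terminal=POS-03 type=SALE amount=45.00
2018-12-26T09:05:40Z store=0412 terminal=POS-03 type=REFUND amount=45.00
2018-12-26T09:10:02Z store=0412 terminal=POS-07 type=SALE amount=120.00
2018-12-26T09:12:15Z store=0412 terminal=POS-07 type=REFUND amount=119.99
2018-12-26T09:13:01Z store=0412 terminal=POS-07 type=REFUND amount=89.99
2018-12-26T09:14:48Z store=0412 terminal=POS-07 type=REFUND amount=210.00
2018-12-26T09:15:30Z store=0412 terminal=POS-07 type=REFUND amount=64.50
2018-12-26T09:16:09Z store=0412 terminal=POS-07 type=REFUND amount=150.00
2018-12-26T09:40:22Z store=0412 terminal=POS-03 type=SALE amount=30.00
2018-12-26T09:55:10Z store=0412 terminal=POS-03 type=SALE amount=80.00
2018-12-26T10:05:00Z store=0412 terminal=POS-07 type=SALE amount=15.00
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) store=(?P<store>\S+) terminal=(?P<terminal>\S+) "
    r"type=(?P<type>SALE|REFUND) amount=(?P<amount>[0-9]+(?:\.[0-9]+)?)$"
)


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped so a
    single bad record cannot abort the daily review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "store": d["store"],
            "terminal": d["terminal"],
            "type": d["type"],
            "amount": float(d["amount"]),
        })
    return events


def refund_spikes(events, max_refunds_per_hour=3, max_refund_ratio=0.5):
    """Return sorted (store, terminal, reason) alerts. Two signals are used:
    too many refunds in one clock hour, and refunded value that is a large
    share of the terminal's own sales for the period reviewed. Thresholds are
    assumed demo values; a real deployment would derive them from history."""
    hourly_refunds = defaultdict(int)
    totals = defaultdict(lambda: {"sales": 0.0, "refunds": 0.0})
    for e in events:
        key = (e["store"], e["terminal"])
        if e["type"] == "REFUND":
            hourly_refunds[key + (e["ts"].strftime("%Y-%m-%dT%H"),)] += 1
            totals[key]["refunds"] += e["amount"]
        else:
            totals[key]["sales"] += e["amount"]

    alerts = set()
    for (store, terminal, _hour), n in hourly_refunds.items():
        if n > max_refunds_per_hour:
            alerts.add((store, terminal, "refund_count"))
    for (store, terminal), t in totals.items():
        if t["refunds"] == 0:
            continue
        # A terminal that only refunds and never sells is the extreme case.
        ratio = t["refunds"] / t["sales"] if t["sales"] else float("inf")
        if ratio > max_refund_ratio:
            alerts.add((store, terminal, "refund_ratio"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in refund_spikes(parse_log(SAMPLE_LOG)):
        print("ALERT", *alert)
```

Run on the constructed sample, terminal POS-07 is flagged on both signals (five refunds in the 09:00 hour and refunds far exceeding its sales), while POS-03's single refund stays within both thresholds. The per-hour bucket is a deliberate simplification; a sliding window catches bursts that straddle the hour boundary.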

3. Limit Data Storage

As noted by Retail Sector, many companies still store sensitive authentication data (SAD), including magnetic stripe and personal identification numbers (PINs). Tokenization, combined with the use of third-party credit vaults, can both boost PCI DSS compliance and reduce the risk of theft.
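To make the tokenization point concrete, here is an added example, not code from the article or from any vault vendor. It assumes a stand-in vault object and an order-record format invented for the demonstration: the full card number exists only inside the vault, the retailer's own records keep a random token and the last four digits, and any attempt to persist sensitive authentication data such as a CVV or PIN is refused before it reaches storage.

```python
import secrets

# Field names treated as sensitive authentication data (SAD), which PCI DSS
# forbids storing after authorisation. The list is an assumption for the demo.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}


def luhn_ok(pan):
    """Standard Luhn check, used only to reject obviously malformed numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a third-party credit vault (hypothetical): the only place a
    full primary account number (PAN) is kept. In practice this would be a
    separate, PCI-scoped service, not a dict in the order system."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan):
        if not luhn_ok(pan):
            raise ValueError("malformed card number")
        token = "tok_" + secrets.token_hex(16)  # random, not derived from PAN
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._by_token[token]


def build_order_record(vault, payment):
    """Return the only card-related fields the retailer's order database may
    hold: the vault token and the last four digits. SAD is rejected outright."""
    present = SAD_FIELDS & {k.lower() for k in payment}
    if present:
        raise ValueError(f"refusing to persist SAD fields: {sorted(present)}")
    pan = payment["pan"].replace(" ", "")
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount": payment["amount"]}


def refund_to_card(vault, order, amount):
    """Post-holiday refund path: the PAN is fetched from the vault only for the
    moment the processor call needs it and is never written back to the order."""
    pan = vault.detokenize(order["token"])
    masked = "*" * (len(pan) - 4) + pan[-4:]
    return {"card": masked, "amount": amount, "token": order["token"]}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample using the well-known test number 4111 1111 1111 1111.
    order = build_order_record(vault, {"pan": "4111 1111 1111 1111", "amount": 89.99})
    print(order)
    print(refund_to_card(vault, order, 89.99))
```

The order record carries nothing an attacker who dumps the order database could charge against, which is the scope reduction the passage refers to; the refund path still works because the vault, not the retailer's database, resolves the token.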

4. Strengthen Authentication

It’s not enough for companies to use MFA. Retailers must also ensure that their MFA requires the simultaneous entry of multiple factors and doesn’t provide data on which factors resulted in access denial. In practice, this means users should be able to provide their username, password and one-time security code simultaneously, reducing attackers’ ability to determine the limiting factor.
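The difference between factor-by-factor checking and all-factors-at-once checking is easiest to see side by side. The following is an added example, not code from the article or from the PCI SSC's MFA guidance; the user store, salt and password are constructed demo values, and the one-time code is a standard TOTP (RFC 6238) computed from the RFC's published test key so the expected code is known. `verify_sequential` is the pattern the text warns against; `verify_all_factors` evaluates every factor before answering and returns one generic denial.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user store (not a real system). The password is kept as a
# salted PBKDF2 hash; the TOTP seed is the RFC 4226/6238 test key.
_SALT = b"demo-salt-constructed"
_ROUNDS = 100_000
USERS = {
    "cashier42": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ROUNDS),
        "totp_key": b"12345678901234567890",
    }
}
DENIED = "Authentication failed"


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(key, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP keyed on the 30-second time step."""
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)


def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ROUNDS)


def verify_sequential(username, password, code, at=None):
    """The pattern the text warns against: factors are checked one at a time and
    the reply names the factor that failed, so a caller who already holds one
    factor learns it is correct before the next one is even examined."""
    user = USERS.get(username)
    if user is None:
        return (False, "unknown user")
    if _pw_hash(password) != user["pw_hash"]:
        return (False, "bad password")
    if code != totp(user["totp_key"], at):
        return (False, "bad one-time code")
    return (True, "ok")


def verify_all_factors(username, password, code, at=None):
    """Hardened form: all factors arrive together, every factor is evaluated
    even when an earlier one is wrong, comparisons are constant-time, and the
    caller receives a single generic denial whatever the cause."""
    user = USERS.get(username)
    # Unknown users are checked against dummy credentials so that the work done
    # and the message returned do not reveal whether the username exists.
    pw_hash = user["pw_hash"] if user else bytes(32)
    totp_key = user["totp_key"] if user else bytes(20)
    pw_ok = hmac.compare_digest(_pw_hash(password), pw_hash)
    code_ok = hmac.compare_digest(code.encode(), totp(totp_key, at).encode())
    if user is None or not pw_ok or not code_ok:
        return (False, DENIED)
    return (True, "ok")


if __name__ == "__main__":
    t = 59  # RFC 6238 test vector time; the SHA-1 code at T=59 is 287082
    print(verify_sequential("cashier42", "wrong", totp(USERS["cashier42"]["totp_key"], t), t))
    print(verify_all_factors("cashier42", "wrong", totp(USERS["cashier42"]["totp_key"], t), t))
```

Both functions reach the same accept/deny decision; only the hardened one keeps the limiting factor to itself. Logging which factor failed is still useful for the security team, but that detail belongs in the server-side audit log, not in the response to the user.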

The holidays represent huge opportunities for retailers and attackers alike. Reducing risk in the post-holiday rush to return unwanted gifts and process credit card refunds demands improved PCI compliance, including regular patching, consistent audits, reduced data storage and strong authentication.
