9th January 2015

Retail and PCI compliance: counting the cost of non-compliance


UK consumers love to shop online.

The IMRG-Capgemini eRetail sales index predicted that by the end of 2014, eCommerce would have grown by 17% in the UK compared to 2013: from £91 billion to £107 billion. Consumers have been taking advantage of the convenience of eCommerce – and trusting their personal details to the retailer.

According to the KPMG Holiday Shopping Survey, 47% of online shoppers ‘store some or all of their credit card information on retailer websites for quick and easy access to their accounts’.

When it comes to the security of that data, KPMG found that 38% of consumers said that they would view a retailer negatively if the company experienced a security breach. 27% said that they would only shop with a retailer who had experienced a security breach if they could not find that product anywhere else, while 8% went further and said they’d refuse to shop with that retailer altogether.

Given the potential impact on a retailer’s bottom line, it is worrying for retailers that 40% of consumers had not changed their password in the past 12 months.

As KPMG argues, both retailers and consumers need to take responsibility for protecting personal data and preventing security breaches, but there are certainly additional safeguards that retailers can implement. Tony Buffomante, Partner and Retail Cyber Security Leader for KPMG, comments:

“Cyber security is a joint venture between the retailer and the consumer. Both parties need to fortify each end of the transaction and not assume that one end is more secure than the other. From the consumer side, that means installing challenging passwords, changing them regularly and monitoring their accounts. For the retailers, they need to implement policies, procedures and controls to mitigate cybersecurity threats and constantly monitor for potential breaches of customer information”.

We should not underestimate the problems that cyber-attacks and data breaches pose for retailers. PrivacyRights.org reports that between January 2005 and June 2014, in excess of 868 records containing sensitive information were breached.

As the majority of retailers store credit and debit card information (card numbers, expiration dates, verification codes and personal data) online, this information can be exposed at a number of weak points: point-of-sale devices, web applications, data transmissions, wireless hotspots, personal computers and more.

Any company or organisation that stores, processes or transmits cardholder data is required to comply with the Payment Card Industry (PCI) Security Standards, which are aimed at helping retailers prevent payment card fraud and protect cardholder data.

A retailer that fails to comply with any part of the standard can be fined heavily, by up to $500,000, by the PCI Security Standards Council. Responsibility for managing cardholder data rests squarely with the retailer, and, regardless of the retailer’s size, compliance must be assessed on a regular basis.

If you are operating on the IBM i, you can download a useful whitepaper that explains how to prevent theft of cardholder data from your IBM i system. It sets out which elements of the 12 PCI DSS compliance requirements are relevant to IBM i security and how you might implement IBM i security controls in your business against each of those requirements.

The IBM i presents a unique set of challenges when it comes to PCI DSS compliance. IBM i hosts payment card processing applications such as homegrown ERP systems and web applications that accept and process payment cards. Although IBM i systems are perceived as secure, this is not wholly accurate: system exit points are vulnerable to malicious attack, and the operating system does not provide comprehensive application-level audit trails of access to data, leaving cardholder data exposed and creating an additional security requirement.

You can download a copy of the whitepaper here.

Posted by Paul on 9th January 2015.