
Security Awareness - The Payment Process and Securing the Weakest Link

October 31, 2017 by Infosec Institute

Retail organizations have long been a target of cyber criminals, because they hold valuable personal information of employees and customers, including credit card and banking details. According to the Cisco 2017 Annual Cybersecurity Report, one in three retailers suffer revenue losses resulting from cyber-attacks, and targeted attacks are perceived as the greatest risk faced by retail organizations. Still, only 52% of retail organizations believe their security arrangements to be up to date, and only 61% are confident that they are fully compliant with the Payment Card Industry Data Security Standard.

In the past few years, the online retail market has grown exponentially. While this has made shopping more convenient, it has also attracted the attention of cyber criminals. Mobile applications, e-commerce initiatives and advanced Point of Sale systems have created large stores of financial data along with numerous access points, making the retail industry a desirable target.

Compliance with PCI DSS is mandatory for retailers, but it alone cannot guarantee security. Complete security requires protection in all areas. Even with payment card security standards in place, cyber attacks can still succeed through untrained or disgruntled employees, vendor networks, vulnerable internal networks, improper security procedures, or external attackers. Because a security breach in retail puts not only retailer data but also customer data at risk, security awareness in this industry is of the utmost importance and cannot be ignored.


What risks/threats does the retail industry face?

The main challenge retailers face today is criminally motivated attacks, whether they come from a malicious insider, an organized crime group, or a cyber-criminal looking for money. The main threat revolves around the theft of customer data, which retailers hold in volume. Another threat arises from the drive to stay competitive by investing in apps, digital channels and payment technologies, each of which increases risk from a cyber security perspective.

DDoS Attacks

Distributed Denial of Service (DDoS) attacks are a big threat to retailers, particularly e-commerce sites during peak seasons. They can also disrupt physical retail outlets by attacking the computer systems those outlets depend on. Retailers need to have the right technology and processes in place to mitigate these attacks, and staff need to understand their roles and be ready to respond in the event of a DDoS attack.

Another aspect of DDoS is the threat to the IoT devices now becoming popular in the retail industry. As devices like RFID merchandise trackers, smart shelves, and sensors for perishable goods gain momentum in the retail sector, DDoS threats to these devices are expected to accelerate in 2017 and beyond. The research company Forrester has anticipated that, with IoT manufacturers overlooking security implementation in their devices, half a million devices are expected to be compromised in the year 2017.

Ransomware

Ransomware, malware that locks down a user's system and prevents them from accessing it unless a ransom is paid, is currently on the rise. A widespread advanced form of ransomware that has reportedly targeted enterprises scrambles user files and makes them unreadable unless a decryption key is provided. As with any other enterprise, ransomware is seen as a big threat to the retail industry. According to the network security solutions company SonicWall, ransomware attacks rose from 3.8 million in 2015 to 638 million in 2016. Most of the time, companies have not maintained data backups and are forced to pay the ransom. Updating software and taking regular backups is the simplest way to protect systems.

Planned Crime

Cybercriminals who plan campaigns to gather customers' financial details and other data for monetization are another big threat to retailers. They target Point of Sale (PoS) systems, stored financial data, Personally Identifiable Information (PII), or the customer database.

Competitors

As a retailer, you will always have competitors aiming to bring you down or replicate your strengths. Competitors will always look for ways to gain access to your supply chain, the technology you use, your manufacturing process and other business details in order to identify your weaknesses and strengths.

What regulations, policies & standards need to be considered?

Payment Card Industry Data Security Standard (PCI DSS)

This information security standard, set up by the Payment Card Industry Security Standards Council (PCI SSC), applies to all organizations that store, process or transmit cardholder data. It is mandatory for all retailers that store or process credit card information to comply with PCI DSS. It consists of a set of 12 requirements, all of which must be met in order to ensure cardholder data security.

NIST Cybersecurity Framework

This framework consists of security practices developed by the National Institute of Standards and Technology (NIST) in collaboration with the International Organization for Standardization (ISO). It is composed of risk-based guidelines and helps organizations assess their existing cybersecurity capabilities, establish goals and develop plans to improve and maintain cybersecurity practices. These practices include risk assessment, employee training, access control, data security, incident response planning, event logging and analysis, and asset management.

How do you set up a security awareness program in retail?

Security is often overlooked as a part of strategic planning in retail organizations. For a security program to be effective, a top-down commitment is necessary, and security professionals need to align with business needs and proactively ensure that top management understands the need for and importance of security.

Assess End User Knowledge

A good way to kick off your awareness program is to get a baseline measurement of how knowledgeable your staff is on PCI DSS and information security as a whole, and then devise a plan to address the areas of weakness the assessment reveals.

Educate them on Social Engineering, Email Security and PCI DSS

Breaches in the payment process of retail organizations often occur due to a lack of awareness in these areas. This education is the foundation for any retail company's staff, and further knowledge of physical security, password protection, and mobile device usage is desirable as part of continuing security reinforcement.

Establish IT Governance

Business today is conducted online. You can no longer depend on a single medium to grow your business, but with each channel added to the business, you invite more risk. Mitigating risk while reducing operational costs requires an IT governance program that integrates technology, people and processes to deliver the basis for security. A fundamental part of any such program should be employee training, as people are the weakest link in a security chain. Retailers should train employees on both personal IT security and business IT security.

Evaluate Third Parties for Risk

Cyber criminals do not always attack retailers directly. With network perimeters being hardened, they now target the supply chain and partner networks as well. Retailers need to evaluate third parties according to the risk they pose to the business, and continuously monitor and mitigate the cyber risks those third parties introduce.

Be Prepared for Targeted Attacks

Fighting cyber attacks is not the job of employees alone. Many retailers have now implemented new information security solutions, improved their policies and procedures and installed new payment system infrastructures. Still, many security solutions remain vulnerable to zero-day attacks or phishing scams. The retail sector is now an easier target for criminals than the finance sector, as it is weaker in security while holding a large amount of customer data. Monetizing cardholder data is also easier than monetizing banking or insurance records. Retailers therefore need to be prepared by hardening their infrastructure and locking down systems such as PoS terminals. Additionally, they should limit user access, create a security mindset among staff, and establish a dedicated team that specifically provides cybersecurity services.

Retail security awareness tips & resources

Tailor Your Training for the Retail Sector

Teach your staff retail-specific security measures. They should know how to manage PoS systems securely, handle customer data, maintain password security, and recognize and avoid social engineering attacks.

Review the Results of the Last Penetration Test

Evaluate your progress against the findings of the last penetration test. Did you successfully close the gaps? Were any policies and processes revised? This is important because new vulnerabilities can emerge any time you introduce a new in-store device, carry out an online transaction with a customer or supplier, or adopt a new cloud-based setup.

Keep a Robust Incident Response Team

Many of the data breaches in retail caused damage on a large scale because they went unnoticed for a significant amount of time, giving criminals plenty of opportunity to steal large volumes of customer data. This is why a fast-acting incident response team is the key to minimizing threats and losses in the event of a breach. You can also outsource to a security service provider that offers incident response retainer services.

Map Threats to Vulnerabilities

A threat cannot pose a risk to an asset unless it is capable of exploiting a vulnerability. Mapping threats to your assets and vulnerabilities will enable you to identify potential risks. This assessment can help you to determine the preparedness of your organization, without having to invest in expensive technology.
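The mapping described above, worked through as an added example that is not part of the original article: a small risk register in which a (threat, asset) pair only becomes a risk when the threat can exploit a vulnerability the asset actually has. The asset names, vulnerability labels and scores are constructed for illustration, drawn from the threats this article names.

```python
"""Threat-to-vulnerability mapping for a retail risk assessment (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int                  # 1 (low) .. 5 (critical) if the asset is compromised
    vulnerabilities: frozenset   # weaknesses present on this asset


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int              # 1 (rare) .. 5 (frequent)
    exploits: frozenset          # vulnerabilities this threat is able to exploit


def map_risks(assets, threats):
    """Return one risk entry per (threat, asset) pair that shares at least one
    vulnerability. A threat with nothing to exploit on an asset yields no risk,
    which is the principle the article states. Entries are sorted by score."""
    risks = []
    for threat in threats:
        for asset in assets:
            exploitable = threat.exploits & asset.vulnerabilities
            if not exploitable:
                continue                       # no vulnerability -> no risk
            risks.append({
                "threat": threat.name,
                "asset": asset.name,
                "via": sorted(exploitable),
                "score": threat.likelihood * asset.impact,
            })
    return sorted(risks, key=lambda r: r["score"], reverse=True)


# Constructed sample register using threats and asset types named in the article.
ASSETS = [
    Asset("PoS terminals", 5, frozenset({"unpatched-os", "shared-admin-password"})),
    Asset("customer database", 5, frozenset({"no-offline-backup", "broad-staff-access"})),
    Asset("e-commerce site", 4, frozenset({"no-ddos-mitigation"})),
    Asset("smart shelves (IoT)", 2, frozenset({"default-credentials"})),
]
THREATS = [
    Threat("ransomware", 4, frozenset({"unpatched-os", "no-offline-backup"})),
    Threat("PoS memory scraper", 3, frozenset({"unpatched-os", "shared-admin-password"})),
    Threat("DDoS", 3, frozenset({"no-ddos-mitigation", "default-credentials"})),
    Threat("malicious insider", 2, frozenset({"broad-staff-access"})),
]

if __name__ == "__main__":
    for r in map_risks(ASSETS, THREATS):
        print(f"{r['score']:>2}  {r['threat']:<20} -> {r['asset']:<20} via {', '.join(r['via'])}")
```

Removing a vulnerability from an asset (for example, adding an offline backup to the customer database) drops the corresponding risk entry, which makes the register a cheap way to see which control buys the biggest reduction.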

Promote Employee Training on Security Awareness

Employees who can access customer data need to be highly aware of security issues. Alongside these employees, business partners, vendors and third parties also require training. Re-assess the third parties you share data with, and ensure that their policies and procedures are not exposing you to risk.


Conclusion

The retail industry is being redefined by ever-emerging technologies and services. As retailers move into the digital world and welcome payment technology innovations, they also need to accept and be prepared for ever-increasing cyber attacks. Cyber security is no longer a matter of choice but the need of the hour. Retailers therefore need to fill the gaps by contracting with well-tuned managed network security services. Enforcing strong security awareness will empower retailers to compete and innovate with confidence.
