In 2013, Target was the subject of a massive data breach that leaked tens of millions of customers’ debit and credit card information. I was interviewed on the air about the event and hinted that I would have expected other chains to come forward. This was a straightforward skimming attack scaled to enormous proportions, but there’s no reason it should be limited to just Target. Hours later, Neiman Marcus, a chain based in Texas, announced that it too had been breached. 24 hours later, Reuters trumpeted the existence of at least 3 more retailers that were in the same boat but whose identities were not disclosed.

In a press release and on radio interviews, I outlined the benefits of scrutinizing statements and setting up credit monitoring for individuals. Businesses, however, stand to benefit from having proper security in place. Cameras should monitor all activity around point-of-sale terminals and physical access must be enforced with due care. Customers will likely continue to be victimized for a long time and one of the ways is through phishing (as I wrote in an article called “Millions of Target customers should expect a surprise in their inboxes“). In instances like the Target breach where the malware is installed remotely, controlled centrally, and deployed en masse, reliance on anti-malware will not save the day. No self-respecting hacker will ever launch an attack without testing its code against all of the top detection tools. Once tested in a controlled environment against systems of varying resistance to infection, the perpetrator has to eventually ship it. Those attacks can only be thwarted by layered defenses working effectively to block, detect and react to attacks. It can be done ad-hoc, just not well. For that, retailers will need to up their game and adopt standardized controls and secure processes.

But what will really make a difference is the adoption of PCI-DSS 3.0 (and EMV, but already most Canadian retailers are already using chip-and-pin technology.). The updated industry standard clarifies security best practices and helps organizations apply defense-in-depth for layered protection from the ground up. By following its guidance, companies of all sizes can protect:

– their payment devices against tampering;

– monitor systems and premises using video cameras;

– implement technologies to detect and monitor all suspicious activity.

Numerous other best practices are specifically laid out, but the dirty little secret of the industry is that up to 36% don’t know how they’re doing and of those that have gone through an audit, it may have provided insufficient learning or inadequate assessment, leading to a false sense of security. 

Target had such a false sense of security and it passed it on to its customers (or ‘guests’ as it calls them). The oversight amounted to a drop of 2.5%-to-6% in sales for the critical holiday season. But it hopefully it taught the company a valuable lesson: don’t rest on your laurels. Test your security continuously if you want to have a chance to keep up with the bad guys.

If you’d like to get started, request Informatica’s Assurance Pack and discover where you stand vis-a-vis PCI-DSS compliance, CASL (Canada’s Anti-Spam Law) and PIPEDA (Personal Information Protection and Electronic Documents Act). You may be surprised at what you find. Email [email protected] to order a PCI-DSS self-assessment or the whole Assurance Pack. You will definitely find it a worthwhile exercise.

Claudiu Popa – CEO, Informatica Group

Claudiu Popa is a public speaker, cybersecurity expert, and passionate defender of privacy rights who engages audiences through storytelling and weaponizes academic courses, radio, television, podcasts, social media, and the written word to fight for the vulnerable in society and catalyze positive social change in Canada.

Similar Posts