5 Ways to Protect Your Retail Store from Data Breaches

Topic: Business Networking
By Michael Peters


Both brick-and-mortar and ecommerce retail stores make attractive targets for hackers, especially during the holidays.

Retail stores are favorite targets of cyber criminals, especially during the holiday shopping season, when brick-and-mortar and ecommerce stores are flooded with customers, many if not most of them paying with debit or credit cards. Target’s POS system was attacked by hackers during the Christmas shopping season in 2013, in what turned out to be one of the largest data breaches in history; the company ended up paying out well over $100 million to settle lawsuits from banks and affected consumers. Just a few months ago, clothier Eddie Bauer discovered that all of its U.S. and Canadian stores were infected with malware. Neiman Marcus, Home Depot, and Wendy’s have also been hit with major POS data breaches.

It is far better for retailers to prevent hacks in the first place than to scramble to clean up the mess afterwards. Whether you operate a brick-and-mortar retail store, an ecommerce site, or both, here are five proactive cyber security tips to protect your store during the holiday season and throughout the year.

1. Make sure your store is PCI DSS compliant.

All major payment card issuers require that the retail stores that accept their cards be PCI DSS compliant. Additionally, some states have data privacy laws with standards that mirror PCI DSS or that explicitly mention PCI DSS. If your POS system or ecommerce site is breached, and your store was not PCI DSS compliant, you risk running afoul of your state’s laws, you may become embroiled in numerous class-action lawsuits from banks and consumers, and the credit card companies could impose fines amounting to tens or hundreds of thousands of dollars. If you do not or cannot pay the card issuers’ fines, you will no longer be permitted to accept their cards.

While PCI DSS compliance alone will not protect you against breaches, compliance with this important data standard is the first step to a comprehensive data security plan.

2. Be sure to address the special security issues of POS terminals.

Brick-and-mortar retail stores with POS terminals have specific cyber security needs. Among other things, none of your POS terminals should be connected to a public WiFi network, your terminals must be monitored for card skimmers and other tampering and, no matter how tight your budget, you must purchase new POS systems from a reputable dealer. See this blog for more details on protecting POS systems in brick-and-mortar stores.

3. Train all of your employees, including temps, on cyber security best practices before letting them touch any of your computers.

The media portrays hackers as mysterious hooded figures sitting in dark rooms, tapping away at a keyboard as they hunt for “back doors” into networks. In reality, most data breaches are the result of hackers obtaining legitimate login credentials, often using social engineering schemes such as phishing emails or leaving malware-infected flash drives lying around for employees to pick up and insert into machines. All of your retail store’s employees, including temporary workers, must be trained in cyber security best practices before they are allowed to do any work on a computer, including a POS system. This training should include instructions to immediately report all suspicious emails, or any other activity that just doesn’t seem right, to a supervisor.

4. Keep all of your systems up to date.

This should go without saying, but many retail stores and other businesses fail to update their operating systems, software, and firmware on a regular basis. Because new threats emerge daily, and the updates often include security patches addressing the latest dangers, this leaves them open to cyber threats. Updates must be installed as soon as possible after they are released.

5. Restrict employee system access as appropriate.

No employee, whether permanent or a temp, should be given more system privileges than they absolutely need to do their job. For example, there is no reason that a packing and shipping employee needs to access employee tax data. Additionally, temporary workers should not be allowed to access your retail stores’ most sensitive data, such as customer payment information and payroll data. Jobs that require access to this type of data should be reserved for permanent employees who have a track record with your organization, have had more cyber security training than your seasonal workers, and have probably passed a more extensive background check.

About the Author

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions. He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.
