A report from IntSights, issued just in time for Black Friday, Cyber Monday and the holiday season, estimates that organized retail crime now costs retail organizations approximately $30 billion annually.
While these figures do include storefront theft, a very significant share of the losses results directly from theft of credit card data, which is driving demand for stronger retail cybersecurity measures.
Two Primary Cyberattack Vectors
The cyberattacks take two major forms. The first targets point-of-sale (POS) systems. Although theft incidents involving POS systems have declined from 2018's figures, thanks to Payment Card Industry (PCI) compliance requirements and EMV chip technology, RAM-scraper Trojans built to scan, grab and exfiltrate payment card data from POS systems remain a prevalent threat. Attackers continue to target POS systems because a large percentage of them still do not use point-to-point encryption (P2PE).
RAM-scraper Trojan/malware: malicious software frequently used against point-of-sale (POS) and payment terminals to obtain credit and debit card details, including the CVV code, by intercepting the card data in memory while the checkout system is processing it, a form of man-in-the-middle attack on the retail checkout.
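The point of P2PE is that card data is encrypted inside the reader, so the checkout application's process memory only ever holds ciphertext and there is nothing for a RAM scraper to collect. The following Go program is an added illustration of that architectural difference; it is not code from the IntSights report or from Packetlabs. It models a legacy flow, where the reader hands the POS host plaintext track data, beside a P2PE flow, where the reader encrypts with AES-256-GCM under a key that only the payment processor holds, then audits what ended up in the host's memory. The card number, the message formats and the in-memory model are constructed for the example and are not a real payment protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample values for the demonstration; not a real card.
const (
	samplePAN = "4111111111111111"
	sampleCVV = "123"
)

// newAEAD builds an AES-256-GCM cipher under a fresh random key. In a real
// P2PE deployment the key is injected into the reader and held by the
// payment processor; the POS host never sees it.
func newAEAD() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// posHost models the checkout application. Every value it handles is
// recorded so we can audit what a memory scraper on the host could reach.
type posHost struct{ memory []string }

func (h *posHost) touch(v string) string {
	h.memory = append(h.memory, v)
	return v
}

// exposesCardData reports whether the plaintext sample PAN (which travels
// together with the CVV) appears anywhere in the host's memory.
func (h *posHost) exposesCardData() bool {
	for _, v := range h.memory {
		if strings.Contains(v, samplePAN) {
			return true
		}
	}
	return false
}

// runLegacy models a reader that hands the host plaintext track data, which
// the host then formats into an authorisation request itself.
func runLegacy() bool {
	host := &posHost{}
	track := host.touch(samplePAN + "|" + sampleCVV)           // plaintext from reader
	host.touch(fmt.Sprintf("AUTH amount=19.99 card=%s", track)) // request built on host
	return host.exposesCardData()
}

// runP2PE models a reader that encrypts on capture. The host only forwards
// an opaque blob and receives a response that carries no full PAN.
func runP2PE() (bool, error) {
	aead, err := newAEAD()
	if err != nil {
		return false, err
	}
	// Reader side: encrypt before the data leaves the device.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	blob := aead.Seal(nonce, nonce, []byte(samplePAN+"|"+sampleCVV), nil)

	host := &posHost{}
	payload := host.touch(base64.StdEncoding.EncodeToString(blob))
	host.touch("AUTH amount=19.99 blob=" + payload)

	// Processor side: the only key holder decrypts, authorises and answers.
	raw, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return false, err
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil {
		return false, err
	}
	pan := strings.SplitN(string(pt), "|", 2)[0]
	host.touch("APPROVED last4=" + pan[len(pan)-4:])
	return host.exposesCardData(), nil
}

func main() {
	fmt.Println("legacy flow exposes card data in host memory:", runLegacy())
	exposed, err := runP2PE()
	if err != nil {
		panic(err)
	}
	fmt.Println("P2PE flow exposes card data in host memory:  ", exposed)
}
```

The audit deliberately checks the host's memory, not the network: with the legacy flow the full PAN sits in the checkout process twice (the raw track and the request string), which is exactly the window a RAM scraper exploits, while with the P2PE flow the host holds only ciphertext and a truncated response.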
The second form of cyberattack of concern to retailers is known as carding operations, in which a stolen credit card is used to acquire prepaid credit cards. Those prepaid cards are then sold, usually at a discount, on the dark web and used to illegally acquire goods and services from e-commerce sites. According to the IntSights report, this is the fastest-growing retail cybersecurity threat.
The majority of retail organizations continue to struggle with cybersecurity, largely because of the extremely thin profit margins across the sector, which make it very difficult to find the budget required to establish a proper defense. A significant number of retailers simply cannot afford to invest in a cybersecurity team, given the costs involved.
At the same time, retailers have never pushed harder to create digital experiences for online customers, which inevitably involves significant financial investment in IT. Retail organizations are also aware that it is only a matter of time before they will be required to address the issue under the breach reporting requirements set out by the General Data Protection Regulation (GDPR) and PIPEDA.
The IntSights report recommends that retailers focus on six primary control objectives:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Regularly monitor and test networks
- Implement strong access control measures
- Maintain an information security policy
Furthermore, the report urges retail organizations to migrate their data to secure infrastructure and ensure POS systems are encrypted, review and maintain all compliance mandates, monitor and keep up with the latest threats, and invest in regular penetration testing.
Many retail organizations would be wise to share their expertise with one another; however, the extremely competitive nature of the industry leaves many reluctant to share information with their peers.
It has become quite obvious to cybercriminals that retail is playing a percentage game with cybersecurity, hoping that the losses it expects to incur never grow large enough to eat into the bottom line, let alone damage the brand.
For more information on how Packetlabs can help your organization develop and maintain a secure environment, assess the maturity of your organization’s security or learn more about retail cybersecurity, in general, please do not hesitate to contact us.