The increasing adoption of digital technologies in the retail sector is radically transforming how business is done. It is creating a new digital era in which social media, omnichannel shopping and a wave of emerging payment technologies are transforming the sector worldwide.
In this fast-evolving landscape, trust and reputation in brands are increasingly relevant. 77% of consumers believe that cybersecurity and data privacy are the 3rd most crucial factor when selecting a retailer, even outranking discounts. Retailers can no longer afford to ignore security issues. As they undertake initiatives to modernise their products and services, an even more careful approach to protecting customer data and guarding against data breaches will be required.
In this White Paper, HERMENEUT analyses in detail recent cyber-attacks, such as the TJX and TARGET data breaches, in order to draw lessons learned and recommendations for the whole sector.

Key findings

The main recommendations encompass different aspects:

  1. Regulation and compliance, following regulations (such as GDPR and NIS) and industry standards like:
    1. the Payment Card Industry Security Council’s Data Security Standard (PCI DSS);
    2. the Object Management Group (OMG) cybersecurity standard;
    3. the National Federation of Retail Newsagents (NFRN) factsheet about credit card fraud prevention.
  2. Facilitating a systematic, methodological approach to cyber-security:
    1. conduct an enterprise-wide risk assessment (e.g. by following the HERMENEUT methodology) and update it regularly, whenever significant changes occur in the cyber threat landscape, in the organisation's procedures or technologies, or in current legislation;
    2. consider organisational and human factors in ensuring the cyber-security of retail organisations, e.g. awareness raising, education and training for retail personnel;
    3. build a cyber-security culture and improve the usability of the different cyber-security tools, etc.
  3. Continuously updating mitigation measures:
    1. adopt innovative technologies, such as EMV chip card transactions, which offer better protection against fraud than magnetic stripe card transactions;
    2. encrypt cardholder data by adopting a POS solution with end-to-end asymmetric encryption that starts at the PIN pad reader.