Guest Column | September 10, 2021

3 Ways To Improve PCI Compliance Now

By Rom Hendler, Trustifi


Even as the country moves out of the pandemic, companies are realizing what great opportunists hackers can be. They wasted no time forging forward with cyber security breaches that continue to exploit the accelerated pace of e-commerce, which provided even more opportunities to target the security weaknesses of retail companies. Throughout 2020, more than 155.8 million individuals were affected by data exposures, meaning accidental revelation of sensitive information due to sub-par IT security. And according to Verizon’s 2020 Payment Breach Report, the retail sector is one of the least compliant industries when it comes to PCI regulations—which are designed to protect companies and their customers from such breaches.

The same report said that penalties for PCI violations can cost companies anywhere from $5,000 to $10,000 a month. Fines are often based on the number of months that an entity is non-compliant, so the longer a company waits to address PCI, the steeper the potential fees.

Despite all predictions, retail as an industry has survived the pandemic, and the buying public is regaining its confidence in shopping at brick-and-mortar stores again. However, studies show that shoppers are also demanding to maintain the same conveniences that were introduced during the shut-downs, such as curbside pick-up or “BOPIS” (buy online/pick up in store) and expanded inventories via e-commerce. This continued growth of retail marketplaces will only serve to create more challenges as companies struggle to maintain compliance with guidelines such as PCI and GDPR.

As with many industries, an organization’s email servers are a highly targeted point of entry for malicious actors to infiltrate a network and effect a breach. Here are the top three strategies that can reduce vulnerabilities and improve compliance policies in retail/eTail IT environments now.

Safeguard Your System with Automated Compliance. Effective “One Click Compliance” tools allow system administrators to select from a list of global regulations like PCI, GDPR, CCPA for California, PDPO for Hong Kong, LGPD for Brazil, etc. Administrators can simply click through a list of guidelines and select the ones that pertain to their company’s business. Powerful AI-based filters and optical character recognition will then automatically encrypt any email that needs to be protected according to those chosen regulations—without any action required by the user. There’s no need to train staff on the details of compliance since the solution does all the work. Advanced technology also allows IT admins to set policy rules, for example, defining for how long the sender allows the encrypted message to be opened, so it doesn’t remain on the recipient’s server indefinitely.
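As an added illustration (not Trustifi's code or the column's), the following sketch shows the core of a rule-driven filter of the kind described above: it scans an outgoing message for primary account numbers using a digit pattern plus a Luhn check, and when a selected regulation (here only a hypothetical "PCI" rule) matches, it marks the message for encryption with a policy-set expiry. The rule table, the expiry period and the sample message are all constructed for illustration.

```python
"""Constructed example of a policy-driven 'encrypt if regulated data is present' check.
Not a real product's code; the PCI rule, 7-day expiry and sample mail are made up."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (filters out most random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# Policy table: regulation name -> (detector, days until the encrypted message expires)
POLICIES: Dict[str, Tuple] = {"PCI": (find_pans, 7)}   # constructed values


def classify(body: str, enabled: Tuple[str, ...], now: Optional[datetime] = None) -> dict:
    """Decide whether one outgoing message must be encrypted, and until when it may be opened."""
    now = now or datetime.now(timezone.utc)
    for reg in enabled:
        detector, days = POLICIES[reg]
        hits = detector(body)
        if hits:
            return {"encrypt": True, "rule": reg, "matches": len(hits),
                    "expires": now + timedelta(days=days)}
    return {"encrypt": False, "rule": None, "matches": 0, "expires": None}


SAMPLE = "Hi, please charge card 4111 1111 1111 1111 for order 2231."   # constructed message
```

A real deployment would also cover attachments (hence the OCR the column mentions) and would log the decision for the audit trail.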

Deploy Easy-to-Use Email Encryption. Personal identifying data (PID), including credit card data, is still the information most sought after by cyber criminals targeting the retail sector. Hackers are often able to infect an entire network with a single password compromise, with viruses lying in wait to harvest credit card data and other personal information. If an organization deploys email encryption within its ranks, it considerably lowers the risk of exposure.

However, encryption must be easy to use if organizations expect workers to adopt this technology. Cumbersome systems that force users to go through a multi-step process (like utilizing portals and extra passwords) just to open an email typically lead to high abandonment rates. Those critical encrypted messages are simply ignored. Streamlined solutions exist, however, that allow users to both send and open encrypted messages just as easily as any other piece of email.

Require Use of Multifactor Authentication. MFA requires the recipient to get a limited-time passcode from a registered device, which then becomes part of their log-in credentials. In this scenario, even if a malicious actor can obtain a password, they still can’t access the system. They won’t be able to retrieve the code, which is texted or emailed directly to the legitimate recipient.
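The server-side logic behind the scenario above, as an added example that is not from the column or Trustifi: a short-lived passcode is issued to the registered contact, stored only as a hash, and a login succeeds only when the password and an unexpired, unused code both check out. The user record, salt, code lifetime and clock values are constructed for illustration; the SMS or email delivery step is omitted.

```python
"""Constructed example of password + time-limited one-time code verification.
Users, salt, TTL and timestamps are made up; delivery of the code is not shown."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

CODE_TTL_SECONDS = 300          # constructed policy: a code is valid for five minutes
SALT = b"constructed-demo-salt"  # a real system uses a random per-user salt


def pw_hash(password: str) -> bytes:
    """Slow salted hash for the first factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# constructed user store: password hash plus the registered device that receives codes
USERS: Dict[str, dict] = {"alice": {"pw": pw_hash("correct horse"), "device": "+1-555-0100"}}
PENDING: Dict[str, Tuple[str, float]] = {}   # user -> (sha256 of code, expiry timestamp)


def issue_code(user: str, now: float) -> str:
    """Generate a 6-digit code, record only its hash and expiry, and return it for delivery."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = (hashlib.sha256(code.encode()).hexdigest(), now + CODE_TTL_SECONDS)
    return code


def login(user: str, password: str, code: Optional[str], now: float) -> bool:
    """True only if password AND a valid, unexpired, unused second-factor code are supplied."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], pw_hash(password)):
        return False                      # wrong password: the code is not even consulted
    if code is None or user not in PENDING:
        return False                      # a stolen password alone never grants access
    code_hash, expires = PENDING[user]
    if now > expires:
        PENDING.pop(user)                 # expired code is discarded, a fresh one must be issued
        return False
    if not hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).hexdigest()):
        return False                      # wrong code (constant-time compare)
    PENDING.pop(user)                     # single use: replaying the same code fails
    return True
```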

Companies should of course pursue a comprehensive, multi-layered approach to security that includes data loss protection, threat protection, anti-phishing, and anti-malware capabilities. AES-256 encryption is crucial in sensitive environments such as retail and e-commerce, where credit card information is being exchanged via cyberspace all day, every day.

A bonus for retail companies: not only do quality cyber security and email encryption dramatically reduce the risk of a breach, but, if a retailer is audited for PCI compliance, the use of automated compliance tools can also serve as evidence that the retailer has taken proactive steps to protect its data. This is a major criterion in determining penalties.

All told, IT decision makers in the retail sector have everything to gain by addressing a range of regulations through effective, automated, multi-layered cyber security.

About The Author

Rom Hendler is CEO and Co-Founder of Trustifi.