Security risks facing the retail industry

Veracode is calling for the need for stronger controls in preventing large scale data breaches as security risks facing the retail industry are mounting.

The appeal for hackers toward retail enterprises is the large amount of cardholder data, email addresses and Personally Identifiable Information (PII) retail databases contain.

The retail industry has gone through a dramatic transformation involving the technology used to complete a transaction, including Point of Sale (POS) terminals, barcode scanners on mobile devices, and customers now being more inclined to do their purchasing online, which has resulted in massive amounts of personal data being exchanged over these devices.

This change in customer purchasing behavior has served to raise the amount of new challenges that retail enterprises face when trying to secure their networks.

“The implications from accessing applications over unsecure networks can be catastrophic,” said Chris Wysopal, Co-Founder, CISO and CTO of Veracode. “Not only does sensitive data wind up in the hands of hackers who can use the information for identity theft, but data breaches can cost organizations upwards of $6.75 million, leading to numerous legal and regulatory problems, as well.”

Rather than focusing strictly on database security and data leak protection (DLP), retailers need to also pay attention to their application security controls. Many are unaware of the fact that it is the applications, not the server, that manage, update and view customer data. It’s much easier for an attacker to find a vulnerability in an application, as DLP controls can more easily be bypassed.

Research from Veracode shows that organizations spent an estimated $35 billion on security infrastructure in 2011, yet hundreds of data breaches were still reported. This was mostly because of the lack of security at the application layer.

Regardless of whether retailers are using internal or external developers to create applications for their customers, they need to be cognizant of the software supply chain and outline their security protocols for developers in advance, before security vulnerabilities are created.

Share this