The busy holiday shopping season is upon us, and with each passing year, more and more consumers are choosing to do their holiday shopping online. In fact, a recent survey of over 1,900 consumers across the U.S. and U.K. found that 76 percent planned to shop online this holiday season. There is no doubt that cybercriminals will follow the trend, seeking ways to exploit the financial services and retail sectors with even more aggression during the shopping season.
The boom in electronic banking and shopping has brought a great deal of opportunity to cybercriminals. Nowadays when we think of banking, we don't think of the traditional brick and mortar business. Most of our banking is now done online. In the same vein, more and more consumers are shopping online, especially during the holiday shopping season. Additionally, consumers and businesses alike are relying on payment cards and POS systems as opposed to cash. Simply put, electronic banking and shopping are the top choice for businesses and consumers. And cybercriminals are eating it up, ready to pounce on holes in payment and electronic banking systems.
In response to the threats that financial services and retailers face, the PCI Security Standards Council recently announced changes to the Payment Card Industry Data Security Standard (PCI DSS) with the retirement of version 3.1 on October 31, 2016 – just in time for the holiday shopping season to begin. Prior to these standards, companies tended to focus simply on passing specific PCI DSS audits, maintaining an ad-hoc mentality with compliance, and letting security fall by the wayside in between audits. What happens in the meantime? Vulnerabilities could live on the network and remain unaddressed for months, if not longer, giving attackers a welcome mat into the system.
While the new PCI DSS regulations are a good starting point for protecting against cyberattacks, the financial organizations and retailers themselves are responsible for following the guidelines, creating a challenge for organizations who don't know where to begin to implement the new standards. With so much data at stake, combined with the uncertainty about what are the most efficient technologies for their unique business operations, it's more and more difficult to navigate the compliance jungle.
More organizations are beginning to recognize the need for network segmentation. While not a new concept, it's a good first step in ensuring your organization is compliant. The major benefit to network segmentation is that if – or more realistically, when – a breach happens, it's contained to a specified location on the network, thus limiting the ability of an attacker to move laterally across a compromised network. Not only is network segmentation a necessary part of security and compliance, but it also improves business availability as it reduces the amount of traffic on the general network. And as more holiday shoppers take to online shopping, there is sure to be an uptick in network traffic.
Financial services organizations, retailers and other industry sectors have no choice but to adhere to industry regulations, and with the new PCI DSS guidelines, it will be an even bigger challenge to keep up. The guidelines, however, can only be effective when an organization properly determines, validates and enforces them. Network segmentation is a crucial first step for organizations to boost their security posture and help ensure compliance. Read Tufin's full list of best practices for PCI compliance and make sure your organization – and your customers – are secure this holiday shopping season.
We want to hear from you. What else should financial services organizations and retailers consider when it comes to securing their networks during the busy shopping season?