The holiday season is prime time for the use of credit card skimmers in retail environments. This time of year, the number of transactions increases and the ability of the average retailer to respond to threats is limited due to the amount of activity. Furthermore, most companies are in a change freeze between Thanksgiving and Christmas, slowing the rollout of new or modified security controls.
According to the 2016 American Express Digital Payments Security Survey, 60 percent of merchants surveyed reported experiencing fraudulent online sales and a quarter say their level of online fraud has increased this year.
As a result, nearly half of merchants (49 percent) project their investments related to payment data security will increase over the next year.
The survey found 78 percent of online shoppers want visible security cues, but only 52 percent of merchants report using data encryption on their website.
"Our survey also showed that consumers are willing to take specific steps to protect their information when shopping online," Mike Matan, vice president for American Express’ Global Network Business, said. "Based on their feedback, we recommend that merchants incorporate visible security cues on their websites and make it easy for customers to contact them."
He explained taking these steps may enable merchants to lower their fraud costs and build trust with their customers, and ultimately convert more people who visit their sites into purchasers.
With sales expected to expand almost 10 percent to $3.4 billion on Cyber Monday this year, merchants have the potential to capture even more sales by providing a safe online experience as 42 percent of shoppers say that they have abandoned an online purchase due to payment security concerns.
"Many businesses are struggling to balance the need to leverage customer data across their organization and the need to protect that customer data from both internal and external threats," Andrew Howard, Kudelski Security’s chief technology officer, said.
He explained that in today’s information-driven market, data is power and many businesses succeed or fail based on their ability to leverage it in decision-making.
This requires companies to collect large amounts of data on their customers and share that data across many different IT systems for analysis.
"Many businesses lack the means or technical sophistication necessary to properly protect those systems, and every additional system with access to customer data increases the complexity of the protection problem," Howard said.
To make matters more complicated, many businesses struggle to even identify where they store customer data because it sits in so many different places within their network.
"In an ideal world, customer data would be stored and processed on an isolated system that is not connected to the Internet or other systems—but this just isn’t reality," Howard said.
In today’s connected world, customer data is transferred between many different systems, both inside and outside the corporate network, to identify trends and draw conclusions that drive revenue.
Building an IT system that properly protects customer data while supporting today’s business needs is complex.
"The largest threat to customer data security is negligence by those tasked to protect it," Howard said. "While there are growing threats from different sources such as insiders and nation states, the reality is that many of these threat actors leverage simple mistakes—like the use of default credentials—or failure to take basic security precautions to gain access to customer data."
In addition, more advanced attackers and attack scenarios occur despite well-protected systems, but these advanced attacks are not the norm and advanced defenses are not typically required.
"The awareness of data security concerns by the average consumer is increasing every day, thanks in large part to the almost daily occurrence of a major breach," Howard said. "Consumers are learning to share less data, and also demanding better security where they do business."
He explained many companies are starting to see security as a competitive advantage in crowded markets.
"Frankly, any protections around customer data should be rolled out in preparation for the holiday season, not during," Howard said. "I’d say at least several months in advance. Once the holiday season arrives, it is time for renewed vigilance on basic cybersecurity hygiene across the company, especially regarding employee access and sensitive system monitoring."
He noted other concerns during the holiday season are an increase in temporary workers—who should have very limited access to customer information—more distractions, and lots of activity across the enterprise, all of which put customer data at greater risk.