Does The Payments Industry Finally Understand The Humble Ecommerce Provider?

Posted by Philip Bindley

A report published by HM Government in conjunction with the Ipsos MORI Social Research Institute and the University of Portsmouth, entitled “Cyber Security Breaches Survey 2016”, made some important discoveries in terms of IT security. You may be interested to learn that 65% of businesses detected a cyber security breach or attack in the past year. 25% experienced repeated attacks on a monthly basis, and the most common attacks were viruses, spyware and malware, equating to 68% of all breaches. Further analysis concluded that only 13% of small businesses set cyber security standards for their suppliers and only 22% of small businesses carried out security awareness training for their staff. Why is this important? Because 32% of the common breaches come from impersonation of the organisation.

The Office for National Statistics outlined that ecommerce sales in 2014 totalled £573bn versus £335bn in 2008. Different sources have reported that UK card spending has increased by £163bn, with 3.7bn transactions being processed in 2016. As we know, PCI DSS sets the gold standard in cyber security for cardholder data. PCI DSS forensic data recorded a worrying trend: the majority of UK breaches are of small ecommerce businesses, and none of the businesses breached had an effective incident response plan.

With the constant threat of cyber attack and reported breaches, coupled with the steady rise in ecommerce sales and UK card spending, it is clear that the majority of organisations need to re-assess their business risks and revise their cyber security strategy.

Industry leaders within payment services have stated that the focus in 2017 will be supporting and simplifying the PCI DSS SAQ process for the small merchant. This is an important step in the evolution of the standard. I have written on a number of occasions about how complex self-assessments can be. Historically, there has been very little support or guidance available to the merchant. This typically leads to assumptions being made and the belief that they are complying with the standard. However, forensic investigations have proven this is often not the case. As consumers we have very few guarantees that the merchant holding our data is compliant, understands their responsibility and is not just using the SAQ process as a tick-box exercise and a fast track to compliance. This renewed focus will help the merchant cover the basics in terms of cyber security whilst providing them with the support and guidance they need. So, what should the basics cover? A good start would be to look at the biggest risks within the payment industry and how we can counteract them. These threats are: third-party suppliers, patching, passwords, antivirus/spyware/malware, firewall protection, and training and awareness.

The PCI Security Standards Council is already taking the necessary steps to support the merchant by updating guidelines and adding new documentation to its library. The “Best Practices for Securing E-Commerce”, first published in 2013, was updated to version 1.1 in January 2017 and in my view is an excellent document for any ecommerce provider, as it outlines the actions you need to take as an ecommerce provider to secure transactions, from IFRAMEs and URL redirects through to APIs and JavaScript. Another useful document added is the “Guidance for PCI DSS Scoping and Network Segmentation”. Published in December 2016, this is a must-read for anyone attempting to scope out a PCI DSS environment. In this 25-page guide you will discover how to approach segmentation of the cardholder data environment and gain a good understanding of what is expected of you.

In summary, cyber security has become the top agenda point for most business leaders. It is refreshing to hear that there is going to be more support for small businesses in terms of the payment card industry. However, from the HM Government paper, the risk exposure of Personally Identifiable Information (PII) for medium- and large-sized businesses is quite significant as well. The message is quite clear throughout the industry: more needs to be done in terms of cyber protection. Furthermore, our hands will be forced in May 2018 when GDPR becomes effective, as any breach is likely to come under the scrutiny of the Data Protection Authority and may lead to large sanctions. Our risk assessments now need to take into account our suppliers and the standards we hold them to, how we are patching our systems and the frequency with which those patches are applied, the password management policy enforced in our organisation, and the review of our antivirus definitions to ensure they are consistently up to date and that malware detection is in place. How are your employees trained so they know not to open or download suspicious zip files or executables?

If we understand our systems and the processes and policies in place, and map these to our risks, we can limit our exposure, reducing the potential for cyber breaches.