Retail Industry Information Security Trends | Optiv

October 02, 2012

Q&A with David Fosdick, director of Strategic Services-East Region, FishNet Security

Question 1: What security trends or changes, if any, are you seeing in the retail industry?

As it has been the last several years, security in retail is primarily driven by the need to be PCI compliant. Secondary security drivers are privacy programs – making sure to protect customer PII (personally identifiable information), and ensuring compliance with state and federal privacy laws. Yet PCI compliance remains No. 1. All these regulations require retailers to protect all customer-identifiable information, in addition to credit card numbers.

Question 2: What are the top-of-mind concerns of customers?

One of the top questions asked by retailers is, “How do we attract new customers and retain our existing customers?” In many cases the answer to this question involves the adoption of a new technology to expand the exposure of merchandise to prospects and to increase the convenience for these prospects to shop. Generally this is done to improve the consumer experience. Any of these new technologies, when adopted, affects the security postures of retailers. In-store web browsing, mobile payments and cloud-based services are a few technologies that can affect security.

There were days when retailers didn’t put wireless networks in stores – it was considered too big a security risk for the retailer. Now many stores make guest wireless networks available so customers can use their handheld devices to get more information about the products on the shelves. These networks are open and not secured by wireless encryption, making them accessible to everyone. That’s where there’s a security risk, since not everyone has good intentions. So, FishNet Security works with retailers on network segmentation, making sure they have the proper firewalls between the guest networks and their point-of-sale and other networks, and that they have made provisions for wireless intrusion detection.

Also top of mind for retailers is, “How do I reduce my compliance burden?” They can spend a lot of time and money with third parties to get validated and on implementing all of the controls, so retailers are always searching for ways to reduce that cost. There are new technologies being released that remove some of the cardholder data environment from scope, so merchants are adopting those technologies to reduce their compliance burdens. Tokenization and point-to-point encryption are two examples of these technologies.
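As an added illustration, not part of the interview or any FishNet Security tooling: a small Python model of the segmentation the answer describes, with a list of flows between guest wireless, point-of-sale and back-office zones that a segmentation check should confirm are blocked or permitted. Zone addresses, the ruleset and the sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed store network zones (assumption: addressing is illustrative only).
ZONES = {
    "guest_wifi": ipaddress.ip_network("10.50.0.0/16"),         # open customer wireless
    "pos": ipaddress.ip_network("10.10.0.0/24"),                # point-of-sale terminals
    "corporate": ipaddress.ip_network("10.20.0.0/16"),          # back-office systems
    "payment_gateway": ipaddress.ip_network("203.0.113.10/32"),  # processor (doc range)
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

# Ordered, first-match ruleset between zones; anything unmatched is denied.
POLICY = [
    Rule("guest_wifi", "pos", None, "deny"),        # guest network walled off from POS
    Rule("guest_wifi", "corporate", None, "deny"),  # ...and from back-office systems
    Rule("guest_wifi", "internet", 80, "allow"),
    Rule("guest_wifi", "internet", 443, "allow"),
    Rule("pos", "payment_gateway", 443, "allow"),   # POS egress: payment processor only
]

def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to a zone name."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n, net in ZONES.items() if addr in net]
    return max(matches, key=lambda n: ZONES[n].prefixlen)

def evaluate(policy, src_ip: str, dst_ip: str, dport: int) -> str:
    """Walk the ruleset top-down and return the first matching action."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if (r.src, r.dst) == (src, dst) and r.dport in (None, dport):
            return r.action
    return "deny"

# Segmentation test flows: (src, dst, port, expected). Constructed sample values.
SEGMENTATION_TESTS = [
    ("10.50.3.7", "10.10.0.5", 443, "deny"),      # guest device -> POS terminal
    ("10.50.3.7", "10.20.1.1", 445, "deny"),      # guest device -> back office
    ("10.50.3.7", "198.51.100.4", 443, "allow"),  # guest device -> web
    ("10.50.3.7", "198.51.100.4", 22, "deny"),    # guest SSH out: not a required flow
    ("10.10.0.5", "203.0.113.10", 443, "allow"),  # POS -> payment processor
    ("10.10.0.5", "198.51.100.4", 443, "deny"),   # POS -> arbitrary web host
]

def check_segmentation(policy=POLICY):
    """Return the flows whose result differs from what segmentation requires."""
    return [(s, d, p, exp, got) for s, d, p, exp in SEGMENTATION_TESTS
            if (got := evaluate(policy, s, d, p)) != exp]
```

An empty list from check_segmentation means every required boundary holds; a rule change that opens guest-to-POS traffic shows up as a returned failure.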

Question 3: What are some solutions that are used by clients to address security issues in the retail industry?

There is no single solution that addresses every retail industry security concern. To maximize the protection of customer data and improve compliance, I would recommend starting with a strategic plan that includes PCI Compliance validation assessments, review of their software development lifecycle, training, application penetration testing, and breach remediation strategies.

Question 4: What advice are you providing to clients to address their concerns?

We start by asking them what their primary business problems are. A lot of my interactions are with smaller merchants that are growing larger. They want to know how to reduce the scope of their cardholder processing to decrease their compliance burden, so the discussions are typically on scope reduction through business process change or the adoption of a new technology.

Question 5: What might retail clients be overlooking in their industry in terms of information security?

Most of them know what they need, but there might be cases where they are overlooking other areas of vulnerability. The PCI Data Security Standard only focuses on credit card data, so following the PCI DSS as your only security mandate might cause a business to overlook other important business information and not protect it properly. For instance, a company might have their credit card system locked down but may not be sufficiently protecting the systems that contain their intellectual property.

Question 6: Is your team doing anything different now than they were doing last year to address security concerns in this area?

There are ongoing changes within the PCI compliance space. The PCI Security Standards Council is working on updating the standards and has released some new training programs and created new roles in how assessments are performed. We are staying engaged with the PCI Security Standards Council and special interest groups that are forging these new requirements. If a new program is business appropriate for FishNet Security, we participate so we are able to provide additional value to our customers.
