What You Need to Know About PCI DSS Compliance this Holiday Season

Protecting Santa’s Workshop…and Payment Card Data

In addition to facing a sophisticated and rapidly evolving threat landscape, enterprises must also meet legal and contractual obligations around data storage and security. Failure to comply with measures like the General Data Protection Regulation (GDPR), which is law, and the Payment Card Industry Data Security Standard (PCI DSS), which is imposed by the card brands through acquiring-bank contracts, leaves both companies and, more importantly, their customers at risk. With the busy holiday shopping season in full swing, and retailers experiencing dramatically higher transaction volumes, protecting customer information and payment data cannot be an afterthought.

What’s the deal with PCI DSS?

All major payment card brands – Visa, MasterCard, American Express, Discover and JCB – require merchants and service providers that store, process or transmit cardholder data to follow a common set of security requirements, PCI DSS, to protect sensitive customer information such as primary account numbers. Any business that accepts even a single card payment must comply, or risks losing the ability to accept cards at all; the evidence required to validate compliance (a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor) scales with transaction volume, but the requirements themselves do not go away. If a company is just starting to accept card payments – perhaps as an online retailer or a smaller business – the first thing to understand is how payments are processed and what cardholder data is collected, transmitted and stored, and by which systems. Once that is known, it is easier to decide which data is actually needed and which is not (PCI DSS prohibits storing the full magnetic-stripe or chip data, the card verification code and the PIN after authorization, and data that is never stored is data that cannot be breached). This scoping of the cardholder data environment is the critical first step in determining which requirements apply to a specific company.

As with many other compliance regimes, PCI DSS places the responsibility for compliance on the business that accepts the payments. Outsourcing card processing to a third-party payment service provider reduces the merchant's scope but not its accountability: the merchant must keep a list of the service providers it shares cardholder data with, hold written agreements in which each provider acknowledges its responsibility for the data, and monitor each provider's PCI DSS compliance status at least annually, while also securing its own internally hosted systems.

Being PCI DSS compliant means that you are ensuring the safety of your customers' valuable data, keeping it out of the hands of criminals who would resell it or use it for fraudulent transactions. For companies struggling to reach the right level of compliance, start by reviewing the information available through the PCI Security Standards Council and its three-step process: assess (identify where cardholder data lives and the systems and processes that touch it, and analyze them for vulnerabilities), remediate (fix those vulnerabilities and stop storing cardholder data you do not need) and report (submit the required validation records to the acquiring bank and card brands).

‘Tis the season

The holiday season is a busy time of year, but not just for shoppers and retailers – it is also prime time for cybercriminals to take advantage of unsuspecting victims. There are many different risks companies and customers may encounter, including fraudulent credit card transactions. Although EMV chip technology, PIN verification and card-verification codes for online (card-not-present) transactions are helping to curb fraud, cybercriminals continue to devise new ways to score big during the holidays.

A second risk – and this is as much a risk to a retail brand as it is to the customer – concerns fraudulent websites and advertisements. A successful tactic for criminals is to register a lookalike domain name and use it to set up a fake web store for a high-end, popular brand. Traditionally these scams relied on people mistyping the name of a site (typosquatting), but recently it is not unusual to see cybercriminals creating fake social media accounts to advertise a sale or sending phishing emails advertising huge deals. These tactics pose a substantial risk to retailers: even though the scams are run by criminals, victims who believe they completed a valid purchase often blame the real retailer for the deceit. This year, the Federal Bureau of Investigation even issued a warning about these scams ahead of Black Friday and Cyber Monday.

Stay vigilant 

Online and in-store transaction volumes get a huge boost at this time of year, so as early as possible make sure that all your systems are up to date and running smoothly, to reduce the risk both of an outage and of a breach. The sheer volume of traffic also gives attackers cover: planting malicious code through an unpatched vulnerability, or running a burst of password-guessing attempts against login pages and remote-access services, is easier to miss in the noise while everyone is preoccupied with their shopping lists.

While no plan is ever 100 percent foolproof, retailers need to start by covering these bases:

• Be PCI DSS compliant. Keeping systems secure and compliant with PCI DSS signals to customers that they can be confident all sensitive payment card information is protected and out of reach from malicious actors hoping to rack up fraudulent transactions using the funds of unsuspecting shoppers.

• Patch all systems with the latest available software releases, malware signatures, policies and IPS/IDS updates.

• Enable multi-factor authentication and verify that it is working correctly on all systems, especially those that give access to any cardholder data. PCI DSS requires it for administrative and remote access into the cardholder data environment, but the holiday period is a good time to check it once, then check it twice: confirm that every administrative and remote-access path actually enforces the second factor, and that no shared or emergency account has been exempted.

• Have a team available over the holiday period to monitor and audit security logs at least daily; daily review of logs from the cardholder data environment is itself a PCI DSS requirement. Industry breach studies put the typical time to detect a breach at around 200 days, so instituting more frequent review during this critical window can substantially shorten detection and remediation time.
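The two log-review points above, catching password-guessing bursts and reviewing logs daily, can be made concrete with a small detector. The following Python script is an added example written for this page, not code from the article or from the PCI SSC; the log line format, the IP addresses and account names in the sample, and the thresholds are all constructed assumptions. It flags three things an analyst would want surfaced: many failures from one source against one account (brute force), one source failing against many accounts (password spraying), and a successful login from a source that was already flagged.

```python
"""Flag password brute-force and spraying attempts in login logs.

Added example for this page, not part of the original article.
The log format, sample data and thresholds below are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> login <result> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.5 hammers one account and then gets in,
# 198.51.100.7 sprays one guess across many accounts, 192.0.2.9 is a
# normal user who mistypes a password once.
SAMPLE_LOG = """\
2023-11-24T09:00:00 login failure user=alice src=203.0.113.5
2023-11-24T09:00:02 login failure user=alice src=203.0.113.5
2023-11-24T09:00:04 login failure user=alice src=203.0.113.5
2023-11-24T09:00:05 login failure user=alice src=203.0.113.5
2023-11-24T09:00:07 login failure user=alice src=203.0.113.5
2023-11-24T09:00:09 login success user=alice src=203.0.113.5
2023-11-24T09:01:00 login failure user=bob src=198.51.100.7
2023-11-24T09:01:01 login failure user=carol src=198.51.100.7
2023-11-24T09:01:02 login failure user=dave src=198.51.100.7
2023-11-24T09:01:03 login failure user=erin src=198.51.100.7
2023-11-24T09:03:00 login failure user=frank src=192.0.2.9
2023-11-24T09:03:30 login success user=frank src=192.0.2.9
"""


def parse(lines):
    """Yield (timestamp, result, user, ip) for each line matching the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(lines, window=timedelta(seconds=60), max_failures=5, max_users=3):
    """Return a list of (kind, ip, detail) alerts.

    brute_force:            >= max_failures failed logins from one IP within `window`
    spraying:               >= max_users distinct accounts failed from one IP within `window`
    success_after_failures: a successful login from an IP already flagged
    Thresholds are illustrative; tune them to the environment's real traffic.
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(dict)       # ip -> {user: time of last failure}
    flagged = set()                 # (kind, ip) pairs already alerted on
    alerts = []

    for ts, result, user, ip in parse(lines):
        if result == "failure":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            users[ip][user] = ts
            recent_users = {u for u, t in users[ip].items() if ts - t <= window}

            if len(q) >= max_failures and ("brute_force", ip) not in flagged:
                flagged.add(("brute_force", ip))
                alerts.append(("brute_force", ip, f"{len(q)} failures in {window}"))
            if len(recent_users) >= max_users and ("spraying", ip) not in flagged:
                flagged.add(("spraying", ip))
                alerts.append(("spraying", ip,
                               f"{len(recent_users)} accounts: {sorted(recent_users)}"))
        elif any(fip == ip for _, fip in flagged):
            # The attacker probably got in; this is the alert to triage first.
            alerts.append(("success_after_failures", ip, f"user={user}"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {ip:16} {detail}")
```

Run as-is, the script reports a brute-force alert and a success-after-failures alert for 203.0.113.5, a spraying alert for 198.51.100.7, and nothing for the legitimate user at 192.0.2.9. The same sliding-window logic applies to web login endpoints, VPN concentrators and administrative consoles; what matters for PCI DSS is that someone looks at the output every day, and that the "success after failures" case is treated as a potential breach rather than as noise.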

Failure to implement these basic cybersecurity hygiene practices will leave retailers exposed to breaches and fines during a lucrative time for their businesses – and a celebratory time for their customers.
