ETA Expert Insights: Retail Security: Training Your Stakeholders
By Jennifer Gonzales, Dejavoo Systems; Member, ETA Retail Technology Committee
Welcome to a new series from the ETA Retail Technology Committee. We focus on retail technology and security, especially for small business owners and ETA member companies that support this incredibly powerful retail audience. You can read the first article in this series on why security matters for small businesses here. This article deals with the basics of helping your merchant customers train their employees and stakeholders. We encourage you to share this piece with your merchant base.
Retailers play a critical role in keeping the commercial ecosystem safe. As we discussed in the first part of this series, the costs of retail data breaches are high for everyone, especially small merchants. If you are a merchant, there are many tools and systems to keep your data safe, but they rely on good security habits among your employees and stakeholders. This article explains the basic requirements of data security for retailers, sets out the basic principles for protecting customer data, and recommends best practices for training retail employees and managers.
Businesses that accept credit and debit card payments are accountable to a set of industry standards set forth by the Payment Card Industry Security Standards Council (PCI SSC). The primary standard governing data security is the PCI Data Security Standard (PCI DSS), which is designed to ensure that all entities that accept, process, store, or transmit credit card information maintain a secure environment. It covers the technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you. And, while it may seem complicated, it’s designed to be a resource for you to help ensure you’re securing your data and protecting that of your customers. You can read more about the specifics of PCI DSS on the PCI website (including an overview here).
One of the primary goals of this standard is to protect cardholder data – the credit card number, cardholder name, expiration date, CVV, and authentication data. Some of this data can be stored and used prior to the authorization of a transaction, but not after it. Authentication data must never be stored by the merchant. Generally, the less cardholder data you store in your own systems, the less vulnerable you are to a data breach and the easier it is to comply with PCI DSS. The main ways you can reduce the scope of your data environment that is subject to PCI compliance are:
- Do not store card details. If you do not need the card number for anything, get rid of it once the transaction is complete. Only keep enough information for settlements and chargebacks if needed.
- Truncate. If you must store the card number, only store the first 6 and last 4 digits of the card number.
- Tokenize. Use an internal or third-party tokenization service which takes a credit card number and replaces it with a non-identifiable token (a random string that cannot be tied back to the original card number) to use in payment transactions. If the token is intercepted, the interceptor will not be able to figure out the card number from it.
- Segment networks. Any servers or other devices that accept, store, or process card details should be segmented off from the main network so that there is limited interaction between the cardholder data environment (CDE) and the rest of the network.
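As an added illustration (not code from the original article or from any PCI SSC publication), the following Python sketch shows the truncation and tokenization ideas above: the card number is validated, truncated to first 6 / last 4 for display, and exchanged for a random token that is held only inside a vault standing in for the CDE, while the CVV (sensitive authentication data) never reaches the stored record. The `TokenVault` class and `post_authorization_record` function are hypothetical names, and the card number is a constructed test value.

```python
import secrets

# Constructed sample input: a standard test card number, not a real account.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it is stored or tokenized (Luhn check)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """PCI DSS truncation: keep only the first 6 and last 4 digits."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Hypothetical stand-in for a tokenization service. The full PAN exists only
    inside this object (the CDE); everyone else holds a random, non-derived token."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan not in self._token_by_pan:           # same card -> same token
            token = secrets.token_urlsafe(24)       # random, not computed from the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def post_authorization_record(vault: TokenVault, auth_request: dict) -> dict:
    """What a merchant system may keep after authorization (token and truncated
    PAN for settlements/chargebacks); the CVV in the request is deliberately dropped."""
    pan = auth_request["pan"]
    return {"token": vault.tokenize(pan), "pan_display": truncate_pan(pan),
            "expiry": auth_request["expiry"], "amount_cents": auth_request["amount_cents"]}
```

The point of the vault is that a database dump of the merchant's order records yields tokens and masked numbers only; recovering a card number requires access to the vault itself, which is why it must sit inside the segmented CDE.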
The first principle you want to establish for everyone in your organization is: do not store sensitive cardholder data if you can help it.
Next, you will want to survey your organization and make sure you’ve captured every possible data security risk. You may want to think about your organizational goals as well as your day-to-day operations and consider the risks of each. You will want to identify all the stakeholders in your organization – employees, vendors, contractors, clients – and what level of data access they need. Ideally, each position in your organization should have clearly defined data access permissions. Most general security awareness training programs will address most or all of the following questions:
- What is the impact of unauthorized access to or use of your organization’s data?
- What are the security requirements concerning cardholder data in different payment environments, such as card-present, card-not-present, phone, mail, or online/eCommerce environments?
- Who should employees ask for further information on protecting cardholder data? Are they within your organization (upper management) or outside it (merchant acquirer, ISO, IT vendor, etc.)?
- Why is it important to use strong passwords and password controls?
- What is the best way to secure day-to-day activities, such as emailing, web browsing, working remotely, social media usage, and mobile device usage?
- How can stakeholders in your organization report a potential security incident?
- What are social engineering attacks and how can stakeholders protect against them? Examples of social engineering attacks include phishing, spear phishing, email address spoofing, and physical espionage (shoulder surfing, dumpster diving, etc.).
- What information can you communicate to your customers about your security practices? For example, if they see something suspicious with the card reader terminal, customers should say something to staff and not insert their card.
Once you have created or purchased training materials that cover these questions, identify any additional training that people in specific roles will require. Your marketing department, for instance, will have different data needs from your finance department and will use cardholder data in a different way. These trainings should be supplemental to the training outlined above.
Additionally, you may want to think about creating different categories of training – a comprehensive training program for new employees and stakeholders, an annual review of that training program (that includes updates and changes to compliance requirements), and ongoing training that allows your stakeholders to practice effective security habits in a safe environment (for instance, phishing email exercises). Be sure to revisit the training materials frequently to make sure you are adequately addressing new or changing threats and complying with the latest version of all relevant security standards.
Your training needs will vary depending on the complexity and scale of your organization. But at a minimum, your security training program should reflect your organization’s expectations for a culture of strong security practices. And the principles outlined in your training program should be reflected in your organizational practices and operations. Do you know if your employees feel comfortable reporting a security incident? Does your executive leadership practice good security habits? Is your security training program integrated with or at least reflected in your organizational goals and mission? Does it tie in with other stakeholder trainings, such as confidentiality and ethics training? We are all part of the payments ecosystem, and we all bear responsibility for protecting cardholder data. The more your stakeholders buy into your security culture, the stronger and more secure your organization will be.
Recommended resources for further reading:
- PCI Best Practices for Implementing a Security Awareness Program (October 2014)
- PCI Best Practices for Maintaining PCI DSS Compliance (January 2019)
- Getting Started with PCI Data Security Standard (October 2010)
- SANS Information Security Training, Certification and Research
- NIST Cybersecurity Framework
- ISACA Training and Education
- Center for Internet Security
- PCI Security Standards Council website