More Than 50% Of Biggest Holiday Retailers May Not Be PCI-Compliant

SecurityScorecard warns while the industry has made progress, many are still not covering the basics of security.

Steve Zurier, Contributing Writer, Dark Reading

December 22, 2016


Retailers are having a solid 2016 holiday shopping season, and no major data breaches have been reported.

But not so fast: New research by SecurityScorecard indicates that retailers are not nearly out of the woods yet. Just because no serious breaches have been reported doesn’t mean we won’t all wake up with a collective security hangover early next year.

A first-ever study of the 48 biggest holiday retailers from April 1 through Oct. 31, 2016, reports some unsettling data:

  • 100% of the biggest holiday retailers were found to have multiple issues with domain security.

  • Nearly 80% may not be using intrusion detection or prevention systems to monitor all traffic within the cardholder data environment.

  • All bottom-performing holiday retailers have a D or lower in Network Security, which suggests that their networks may have an unaccounted-for access point ready to be exploited.

  • 62% of the biggest holiday retailers were using end-of-life products in the last month of the study.

  • 83% of the biggest holiday retailers had unpatched vulnerabilities in October 2016.

Sam Kassoumeh, co-founder and COO of SecurityScorecard, says patch management and replacing end-of-life products are the cornerstones of a sound security program and he’s very concerned that so many retailers are still not covering the basics.

“What happens is that companies do what they are mandated to do by PCI, for example, segmenting out credit card transaction data,” Kassoumeh explains. “But what I worry about as a consumer is if the hacker gets my billing address, purchasing transaction history or secret question, much of that information is used persistently on multiple sites.”

Kassoumeh says malicious threat actors can in turn use that PII to sign on to another website the victim is registered on and pretend to be that person, in effect taking over the account. Or they can collect as much PII as possible and sell it on the Dark Web, or gather enough information to come back and blackmail the victim.

“The threat actors really have many options, we don’t ever really know how they are going to use the data,” he says.

SecurityScorecard runs a security ratings service that collects data available on the public Internet, attributes it to the specific organization it belongs to (for example, companies where it finds leaked credentials, exposed databases, or a lack of firewalls), and then compares that company’s performance to the rest of the industry. It then assigns a score of A, B, C, D, or F.

Another disturbing finding from the report on the biggest holiday retailers was that the group spent more than three months during the study period with a C or lower rating in the following categories: network security, DNS health, IP reputation, and patching cadence.

Here’s a breakdown:

  • Network Security: 69% had multiple entry points for hackers.

  • DNS Health: 73% had misconfigured website domains.

  • IP Reputation: 43% were infected with malware.

  • Patching Cadence: 37% had unpatched vulnerabilities.

The SecurityScorecard report is available for download.


About the Author(s)

Steve Zurier

Contributing Writer, Dark Reading

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.
