Emerging Threats and Going Beyond Compliance

Kennet Westby, President and COO

I recently presented to a C-level gathering of retail finance executives about the industry’s changing threat landscape and the emerging threats facing omni-channel sellers.

The retail security environment has changed dramatically in the past few years. Not that long ago, retailers mostly worried about protecting payment card information and staying PCI compliant. Data breaches weren’t perceived as a material threat by companies; the primary worry was PCI fines and penalties. Consumer concern was approximately zero.

Obviously, all this has changed. The merchants Coalfire speaks to now are – smartly – asking the same two questions: First, are we already compromised? Second, are we doing everything we can to keep from being compromised?

The focus of my NRF session was emerging risks, broadly outlined in five categories:

  1. Outsourced services – Every retailer has its version of “an HVAC contractor.” In industries like healthcare, third-party organizations account for over 40 percent of all breaches. And there’s no silver bullet for managing vendors across the regulatory compliance ecosystem, with vastly different industry requirements (PCI, HIPAA, GLBA, etc.) that cause confusion.

  2. Social media – As a single communications platform that offers compliance, legal, reputational and operational risks, social media can either cause or amplify a breach.

  3. Cloud computing – Virtual environments reduce costs and improve operating efficiencies, but information security officers now have to draw a much bigger circle around “their” systems. If they do that well, security can actually be enhanced, as Coalfire CEO Rick Dakin recently described in a separate post.

  4. Mobile – Mobile security standards are immature. We’re facing modern threats with “Windows 95”-level controls. The risks are compounded when mobile devices become aggregating points for sensitive data.

  5. Cryptocurrencies – Bitcoin and its imitators offer new risks and security challenges, including the very real threat of theft for improperly managed holdings.

Achieving a baseline level of PCI compliance isn’t enough to fully address any of those challenges. Hackers are creative, persistent and amply rewarded for their successes. Retailers who are serious about protecting their customers need a true risk management strategy that identifies and protects critical assets, independently tests those protections, and continuously monitors for new threats.

There’s no fully technological solution to address these needs. EMV, P2PE and other technologies can harden systems, but controls will still be needed throughout the system.

When placing new technology into the system, don’t trust anything. Be prepared to manage and verify everything that is promised to you. Take a whitelist approach and consider third-party solution security validation.

Coalfire is the PA-QSA for many of the leading POS applications, and we're the QSA-of-record for over 200 leading multi-channel merchants. If you’re looking for a trusted, independent partner, contact us today.
