With more than 330 retailers, 1,500 ecommerce sites and billions in gross merchandise value passing through the Demandware platform in 2015, we understand better than most that the security threat to retailers is ever present and ever changing.
At times, staying ahead of hackers can seem like playing Whack-a-Mole; as soon as you mitigate one security risk, another pops up.
The good news is that retailers have started to fortify their point-of-sale environments. Chip-and-signature EMV cards, despite a somewhat inauspicious launch, will help once the rollout is complete, and many retailers have also updated their store networks and systems. The bad news is that crooks are coming in, often undetected, through the back door: they are increasingly infiltrating online shopping sites. And it is no longer only your credit card data in the crosshairs, but all your personal information. Your mother’s maiden name, your birth date, or even your elementary school teacher’s name is often far more valuable than your credit card number.
To address specific threats to the ecommerce environment, Demandware is leveraging its commerce expertise to collaborate with the Retail Cyber Information Sharing Center (R-CISC), where we are a premier member, and the National Cybersecurity Center of Excellence (NCCoE) on developing new best practices for retailers.
Specifically, we are looking at:
- Strong authentication for ecommerce transactions: we all understand that a simple password is not nearly enough to prevent fraud. At the same time, imposing complicated multi-factor authentication on every transaction will invariably lead to more abandoned carts. How can retailers balance these priorities? This project will focus on best practices for a risk-informed approach, in which a retailer raises the level of authentication only when the risk of a particular transaction warrants it.
- Protecting personal information beyond cardholder data: while cardholder data is the easiest to monetize, personally identifiable information (PII) can be much more valuable (PII typically sells for around $20 per record versus $1 for a single credit card number) and far harder to replace (a birth date or a mother’s maiden name cannot be reissued). Protecting this information appropriately is not only imperative in geographies with strong privacy regulations, but is also increasingly necessary to maintain the trust of consumers.
Demandware has participated in planning sessions to define and finalize best practice scenarios. In collaboration with our partners, we have supported the development of a project description (white paper) for each topic, describing the scope of these research projects. These descriptions are initial drafts, and we would really like to hear how they resonate within the larger retail community. The NCCoE published the documents this morning, opening a 30-day comment period (closing June 3) to fine-tune and improve the content of these project descriptions.
As a next step, we will continue our collaboration and assist in developing best practices for realizing the requirements identified in the papers. This process will take some time to get right, and we will engage the retail security community again along the way. Ultimately, retailers can expect Demandware to adopt these best practices and make them available on our platform. Stay tuned for updates!