How Stores Can Defend Against Cyber Threats

Cover: How Stores Can Defend Against Cyber Threats

When you think of a cyberattack on a retailer, your mind probably quickly concocts a situation where a hacker breaks into a website and takes it offline. That's a common scenario, but it's crucial to also be mindful of cybersecurity threats that could strike your brick-and-mortar shop.

Here are six strategies to try:

1. Always Keep Payment Encryption Activated

According to a 2019 report from Verizon, 64 percent of retail breaches involved payments. One of the positive things is that today's retailers have a range of high-tech payment solutions with integrated encryption. Then, even if hackers gain access to information, they still can't necessarily benefit from it.

Surprisingly, even when retailers have payment platforms with encryption, they don't always use that feature. When Forever 21 got hacked in 2017 and the vulnerability persisted for several months, investigators determined the brand did not always have the encryption technology activated on its point-of-service (POS) terminals.

At most of the affected stores, only one or a few of the terminals had deactivated encryption. This case study is a reminder that you need to check POS systems regularly, such as every week, to ensure encryption and all other features function as expected.

2. Don't Allow Shared Logins

During the busiest periods at a brick-and-mortar store, some people might share their logins with colleagues, especially if doing so helps things get done more efficiently.

However, when people don't protect this information, the store's entire infrastructure is compromised. If a login is leaked due to insufficient protection, hackers could easily see customer data, sales numbers and more.

Using a password manager could be a practical way to discourage using shared logins. It allows authorized people to access platforms almost seamlessly without putting cybersecurity at risk.

3. Watch Out for Social Engineering

Social engineering is a broad tactic that cybercriminals primarily use to urge people to comply with requests. Hackers who target physical stores might tap into a person's desire to help.

For example, someone dressed as a service technician might follow a worker to the back entrance of a retail store, watch as they type in an access code and say "Hey, could you hold the door for me, please? I'm here to look at your air-conditioning system."

That tactic could give the person access to physical computers, making it easy for them to wreak havoc. A hacker could also intentionally drop a USB drive infected with malware in a store parking lot. If a worker picks it up and plugs it into a computer to see what it contains or try to determine who owns it, that could be all that's necessary to infiltrate a system.

Social engineering can also happen if a hacker poses as an authorized person, such as an accounting or IT representative, and asks for sensitive information. Since the recipient thinks the request comes from someone they know, they'll likely give the information quickly without having second thoughts.

Employee training should cover these kinds of social engineering attacks. Analysts say they're becoming more common in the retail sector.

4. Make Security a Priority When Choosing an Enterprise Retail Planning (ERP) System

An enterprise retail planning (ERP) system allows for the integrated management of numerous business processes. Retailers often use them to enhance their understanding of day-to-day operations.

Since it's possible to link several company tools together and have them talk to each other via the ERP, this kind of technology can cut down on repetitive practices in a retail store.

When retailers choose an ERP, they should prioritize finding a secure system, regardless of if they select an on-premise, web or cloud-based option. A poll of CEOs found that they ranked cyber threats as their second-leading concern. As you communicate with the ERP providers on your shortlist, ask them which characteristics make their technology especially secure.

5. Ensure You Follow the Payment Card Industry Data Security Standard (PCI DSS)

Keeping encryption turned on for your POS system as recommended in the first point is a good step, but not enough. SecurityScorecard published research in 2018 that looked at retailers with digital presences. It showed more than 90 percent of them did not comply with the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS almost certainly applies to your brick-and-mortar store because you take details from credit or debit cards when handling transactions. Compliance alone does not remove the risk of breaches, but it could substantially reduce the negative effects they cause.

One of the most straightforward things you can do to protect payment data is to work with a third-party payment processing company that stores the information on its servers. Then, if hackers infiltrate your brick-and-mortar store, they won't find that information.

Also, keeping sensitive payment data in an isolated environment and implementing strict access controls for that location makes it easier for retailers to identify unauthorized access attempts. As such, those steps are other precautions that improve PCI DSS compliance.

6. Enable Two-Factor Authentication (2FA) for Online Perks You Offer to In-Store Customers

A growing number of retailers who operate both online and brick-and-mortar stores offer the option for people to buy things online and pick them up in local stores. This practice saves on shipping costs and often means consumers can receive their items in a matter of hours.

When people shop with most online retailers and want products sent somewhere else than their usual shipping addresses, the system often prompts them to re-enter their credit card details for security. However, the process for purchasing online and picking up the item in a store is typically not as secure.

Data from ACI Worldwide showed a 13 percent increase during the 2018 holiday season of fraud involving a person making a card-not-present transaction with stolen credit card details when shopping online, then going to pick up the item in a store.

This kind of fraud represents a cybersecurity risk because it gives hackers a larger reach if they unlawfully get the details of your customers.

For example, if your brick-and-mortar store has a pharmacy department that a person uses to fill prescriptions, hackers could learn information about that person's health conditions. They could even make changes that make it difficult for the rightful account owner to refill their medications.

Such an issue is likely to cause significant reputational damage as you try to fix the problem, too. Days can sometimes pass before a person realizes someone got their credit card details, and that means hackers have plenty of time to make purchases.

However, setting up 2FA adds another element of security by requiring a person to enter a temporary code before picking a store to visit when retrieving an online purchase.

Brick-and-Mortar Cybersecurity Is a Necessity

The various examples mentioned here show that hackers have no shortage of ways to compromise your physical retail store.

However, being aware of the risks and taking purposeful steps to manage them can help your store, employees and customers stay safeguarded from attacks.

About the writer: Kayla Matthews is a technology journalist and retail tech writer covering big data, AI and real-time monitoring in the retail industry. To read more posts from Kayla, visit her blog, Productivity Bytes. Follower her on Twitter @KaylaEMatthews.

Join the #retail, #SmartStore & #ConnectedJourney conversations on Twitter @RetailNext, as well as at

About the author:

Headshot: Anonymous

Kayla Matthews

Share this page on

Interested in learning more?