One of my first customers in IT was a large retailer, with more than a thousand stores. This was at a time when e-commerce was just beginning, at least for large, traditional retailers. Giving their customers the ability to purchase on the web was still a year or two away.
This retailer made about 90 percent of its annual revenue between Thanksgiving and New Year’s Day. That was “Season”, and the entire year’s IT schedule was built around getting ready for Season. Any and all hardware upgrades, OS changes, and software updates were to be completed and locked in by mid October. Change control during Season was very simple: No changes unless something broken absolutely had to be fixed, you were able to make a 100% solid case for the change, and not doing the change would impact revenue. Otherwise, hold off until January.
Retail’s a lot more complex these days, and brick-and-mortar is only one of the revenue-generating retail channels. Still, Season remains Season. And it all begins with Black Friday. Estimates of 2015’s revenue for the first two days of Season, including Black Friday, top $4 billion in the U.S., with about a third of that coming from online sales. More than 150 million shoppers purchased online during the 2015 Thanksgiving holiday weekend.
Clearly, this is not a time to have security issues with your infrastructure, and especially so with your payment systems, whether online or POS systems in your stores.
The relevant compliance standard is PCI DSS (Payment Card Industry Data Security Standard). Version 3.1 takes effect on June 30, and includes a number of changes from the previous version (3.0). These include, with some exceptions, removal of SSL and early versions (1.0 and 1.1) of TLS, along with some additional clarifications of existing requirements, a number of which are common-sense clarifications (for example, don’t send unencrypted account numbers in a text message. You think?).
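To make the SSL and early-TLS retirement concrete, here is an added example (not code from the webcast or from SonicWall) that audits a Python `ssl.SSLContext` against that rule, honouring both the `minimum_version` bound and the older `OP_NO_*` kill-switch flags, and shows a hardened server context beside the legacy one; it assumes Python 3.7 or later.

```python
import ssl

# Versions the ssl module can name, oldest first (SSLv2 has no TLSVersion member).
ALL_VERSIONS = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
# What PCI DSS 3.1 retires: SSL and "early TLS" (1.0 and 1.1).
RETIRED = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
# Older per-version kill switches; some deployments disable protocols this way
# instead of (or as well as) setting minimum_version, so an audit must read both.
NO_FLAGS = {ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3, ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
            ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1, ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
            ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3}


def permitted_versions(ctx):
    """Versions the context's configuration allows (this reflects the configuration,
    not what the linked OpenSSL build can actually negotiate)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ALL_VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ALL_VERSIONS[-1]
    return [v for v in ALL_VERSIONS if lo <= v <= hi and not ctx.options & NO_FLAGS[v]]


def pci31_findings(ctx):
    """Names of retired protocols the context still offers; an empty list means it passes."""
    return [v.name for v in permitted_versions(ctx) if v in RETIRED]


def meets_pci31(ctx):
    return not pci31_findings(ctx)


def make_pci31_server_context():
    """Hardened server context: TLS 1.2 is the floor, which retires SSL and early TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_legacy_server_context():
    """The 'before' state for comparison: accept whatever the library supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx
```

Run `pci31_findings()` over the contexts your services build (or over a context assembled from a server's TLS settings) and treat any non-empty result as a pre-Season change ticket.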
Complying with PCI DSS is a good way to reduce your business’s risk of cyber attack, but it’s really only a waypoint toward better security, not an end in and of itself. That’s a point SonicWall Security’s Tim Brown, our CTO and a SonicWall Fellow, makes in an on-demand webcast highlighting the changes to PCI DSS in version 3.1, so that you can be best prepared for Black Friday. We offer SonicWall network security solutions to help you stay PCI compliant and improve security well beyond the PCI basics. Staying in line with 3.1 will put you in better shape to have a more secure, successful Black Friday, Cyber Monday, and holiday Season. It will also prepare you for PCI DSS 3.2, which includes additional clarifications and new requirements, particularly around multifactor authentication for anyone having access to cardholder data. While 3.2 succeeds 3.1 as the standard for assessments as of this October, its new requirements will not be mandated until February 2018; until then, they’ll just be considered best practices.
Learn more about the changes in PCI DSS 3.1, and how they can help your business prepare for Black Friday. View “Focusing on security to meet compliance: responding to changes in PCI DSS 3.1”.