Blog

Retailers Face New PCI Challenges as Holiday Shopping Kicks off Earlier than Ever

The temperatures are falling, the leaves are falling, and soon the snow will be as well. About the only thing that isn’t falling as we stare down the beginning of the holiday shopping season are delivery times and the data volumes. According to a recent survey from Deloitte, it is estimated that 73 percent of shoppers expect to spend significantly more this holiday season than in previous years. To add some context, the average dollar amount spent in 2020 was around $920 USD; this year consumers are expecting to spend around $1460.

Additionally, retailers are starting to see consumer behavior shift. The average dollar amount spent in a physical store is typically around $440, whereas online the average dollar amount has more than doubled, rising to $924. While there has been a regular trend of more online shopping occurring each year, adding a pandemic to the mix has simply added gasoline to a wildfire. Now throw in the supply chain issues, and holiday shopping has started sooner than ever, some shopping as early as August.

Why do these numbers matter and what do they mean? Well, one could argue that the spending amount this year is up due to price and shipping inflations, as well as a few other factors. Those certainly factor into the overall equation. However, when you’re shopping online and not physically handing over a credit card or cash, there is a mental disconnect. When shopping online, consumers tend to spend more money much faster, often on things they would never have purchased in a physical store. Several studies back up this phenomenon.

Retailers and online service providers all understand this, and it is why most of them have chosen to give such a large focus to growing their online presence.

Which leaves us with the question: What does this all mean for PCI DSS compliance during the 2021 holiday season?

More Data = More Privacy Requirements

If consumers are shopping earlier, spending more, and potentially waiting even longer for items to show up—which may lead to even more spending—what do all of these things cause?

They all generate more data: more data for your ISP, more data for mobile carriers, more data for banks and other financial sectors, and certainly more data for retailers and all of the other online service providers that bring websites to your screen. Little do people realize but often before you even get to a retailer’s page, data about your ISP, IP, MAC, and even history such as previous web page are all shared with this retailer’s third parties. Some of those third parties include web application firewalls; merchants such as American Express, Visa, or MasterCard; and other analytic and business intelligence firms who have been employed by that retailer to help grow outreach and effectiveness at selling to their customers.

What does all this have to do with PCI? The act of going to all these websites and retailers to get the goods or services you want spreads your data across the ecosystem we all call the internet. Do you know who has your credit card data? Do they know they have your credit card data? What about all of your privacy data?

This is why over the past several years we’ve seen such a growth in the privacy space. Privacy regulations like GDPR, CCPA, CDPA, LGPD, and more have come out to help broaden the awareness that not every piece of important or private data is financial in nature. The rest of it is important as well.

Now if we think only of PCI DSS for a moment, merchants in every industry have collected a tremendous amount of data about their consumers, their households, and their web history. The merchant will label all or most of this information as financial information because of how they intend to use it. And, for the most part, the majority of vendors are trying their very best to keep things secured for your benefit and theirs.

The Gift of Data Security

As the holidays approach and consumers flock to their devices to start order their holiday goodies, these merchants will see a lot of returning customers, a lot of new customers, and a lot of data sharing from partners, online agencies, and other third parties. It’s not uncommon for these merchants to make upward of 80 percent of their total yearly revenue during this final quarter of the year. What tends to happen during these months then is that compliance teams, privacy teams, and security teams end up relegated to monitoring mode while production and making sure things stay online stays front and center. Once the holiday rush finishes and things start to normalize again, then compliance, privacy, and security teams need to dig the organization out of the hole they created in order to maximize holiday profits.

To continue protecting data to the best ability, organizations can start thinking about data like people. Ensure the organization is doing its very best to ensure the safety and security of the customers’ online experience as well as what happens behind the scenes after the transaction is complete. Try not to disengage with compliance and privacy teams this holiday season; they will very much appreciate the effort and be more supportive of the increased workload put onto the various online ecommerce teams. Making sure everyone has seat at the table, and ensuring controls and procedures don’t get forgotten will dramatically reduce the overhead that privacy, compliance, security, legal, and other IT teams have to spend after the holidays.

Uphold PCI DSS Compliance with Help from PKWARE

For the holiday shopping season or any season, protecting cardholder data for PCI DSS compliance starts with knowing where all your cardholder and other sensitive data is across the enterprise. PK Discovery, part of the PK Protect suite of data protection and security products, automatically digs deep toe find every place cardholder data is stored, whether that’s a file system, database, cloud repository, or even endpoint device.

Build compliance for storing and using the sensitive data you uncover. PK Encryption, another segment of the PK Protect suite, includes multiple options for precise data protection, while PK Masking automatically removes sensitive information from data while still preserving the value of the original data. Automated data redaction technology can also remove credit card numbers and other sensitive data from files and email while leaving other contents untouched.

Finally, PK Protect empowers businesses to uphold established validation policies regarding which users in what roles can access or process sensitive cardholder data, including supply chain, reseller, and third-party data processors.

Establish control of your cardholders’ data for this holiday shopping season and beyond. Request a personalized demo to see how PK Protect can safeguard your data and your business against breaches and other risks.