BankThink

Security assessments need an upgrade for e-commerce dominance

It’s been a roller-coaster year globally. But one sector that’s adapted to roll with the punches better than most is retail. Yet the dramatic pivot to online shopping has elevated the cyber-related risks for these businesses and their merchant service providers.

As risk profiles continue to evolve, the point-in-time snapshot of a PCI security assessment questionnaire (SAQ) is looking increasingly outdated. Instead, MSPs need something more akin to continuous, real-time monitoring of merchant risk.

COVID-19 has provided a once-in-a-generation boost to e-commerce. Local lockdowns and social distancing forced many to try shopping online for the first time, and others to double down on e-tail. The result? Total online sales for the U.K., for example, grew by nearly 37% last year, the biggest jump since 2007. U.S. e-commerce grew a staggering 44% in 2020, with consumers spending $860 billion online last year.

What’s more, it’s unlikely things will go back to pre-pandemic norms. Online sales in the U.K. reached nearly 34% of total retail during the first peak of the crisis in May 2020, but dropped back only to 28% by September, when non-essential high street stores had begun trading again. In the U.S., things are even more pronounced, with claims that e-commerce penetration accelerated by a decade in just 90 days at the start of the pandemic.

This changes much from a risk perspective. On the one hand, many smaller merchants have started trading online for the first time, using technology which they have limited knowledge about or resources to perform due diligence on. On the other hand, there are the larger merchants who are supporting many more online customers today, but may be doing so with legacy systems riddled with vulnerabilities. As transaction volumes increase, these organizations become a bigger target for cyber-criminals.

In this context, MSPs must make it their business to understand how risk is shifting across their merchant portfolios and then take action to mitigate it effectively. Actionable insight from payment security risk assessments has become the indispensable first step in this process.

The old way of doing things, PCI DSS SAQs, captures the self-declared compliance status of a merchant at a certain point in time. That information may be up to 12 months old by now, and, as we all know, it’s been a year of profound volatility and disruption in which risk is difficult to assess.

Instead, MSPs need dynamic cybersecurity assessment tools to identify the key areas of risk in their portfolio in near real-time, focus scarce resources where they can make a difference, and then take practical steps to mitigate that risk.
