Skip to content ↓ | Skip to navigation ↓

Tripwire has announced the results of research on risk-based security management in the retail industry conducted in April 2013 with the Ponemon Institute regarding changes to the PCI security standards.

The most recent version of the Payment Card Industry Data Security Standard (PCI DSS 3.0) will soon require businesses to implement and perform penetration testing.

PCI DSS 3.0 will also clarify different methods of secure authentication and session management so businesses can better protect themselves against man-in-the-middle, man-in-the-browser and other similar cyber attack methods.

“When you think of companies that need to invest in protecting PII,  the retail industry is second only to the financial industry. However, these two industries behave quite differently to the challenge,” said Rekha Shenoy, Tripwire’s Vice President of Marketing and Corporate Development.

“Financials are typically technically advanced and mature (okay, sometimes to a point of dysfunction, but they try) while retail is typically cost sensitive and margin conscious as they need to be. The retail industry clearly cares about the changes in the new standard, but unfortunately not enough is being done to protect your (and my) card holder information,” Shenoy continued.

The survey evaluated the attitudes of 1,320 respondents from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management, with 162 retail sector respondents from the U.S. and U.K. participated in the retail portion of the survey.

The study revealed that the retail industry hasn’t yet implemented these new security requirements. Key findings include:

  • Only 41 percent of the retail sector uses penetration testing to identify security risks.
  • Only 34 percent of the retail sector measures the reduction in access and authentication violations to assess risk management efforts.
  • Only 44 percent of the retail sector has fully or partially deployed file integrity monitoring.
  • 62 percent of IT professionals in the retail sector say that negative facts about security risks are filtered before being communicated with senior executives.

“The last finding is particularly interesting. In many of the largest banks, cyber security is a topic discussed in the board room. The business unit heads often understand, measure and hold people accountable for mitigating business risk and IT security risk is no different,” Shenoy said.

“I met with the CISO of one of the major retail chains a few weeks ago. When we talked about this, she said her manager (who was not technical, but was on the business side) didn’t need any reports or accountability from her. He wasn’t even looking for information on their IT infrastructure risk. And a lot of us shop there online.”

For more information about this survey, please visit:

Additional Resources: