Retailers

Tangible’s services are centered on ethical hacking: protecting retailers from real threats, giving them the realistic perspective of an actual penetration, and prioritizing security needs so that they avoid unnecessary and costly investments driven only by theoretical possibilities. We can help discover and fix exploitable vulnerabilities BEFORE hackers do.

A breach of credit card data or other sensitive customer information can harm a retailer’s hard-earned reputation, undermine customer trust, and jeopardize revenues. Such a breach can cost a retailer millions of dollars per incident. In response, the Payment Card Industry Security Standards Council (PCI SSC) maintains the Payment Card Industry Data Security Standard (PCI DSS), which prescribes numerous controls and practices. These include mandated penetration tests, performed at least annually and after significant changes to the cardholder data environment, and remediation of their findings.
Achieving PCI compliance and managing risks can be complex and overwhelming, leaving retailers concerned both about where to spend their money and how to stay protected. Retailers are smart to worry. Perfect PCI compliance does NOT equate to perfect cyber security.
In many cases, compliance has created a checklist mentality that tends to take precedence over identification of real problems. Additionally, it is difficult for business decision-makers to adequately weigh the costs of prevention versus the cure. Retailers who seek perfect cyber security may overspend limited resources when what they really need to do is erect obstacles to penetration that will deter the vast majority of such threats and tilt the cost-benefit balance in their favor. Tangible’s hacker perspective makes this achievable.
Tangible is certified by the PCI Security Standards Council as a Qualified Security Assessor (QSA). Our Managed PCI Services engagements typically span a year and consist of the following steps:
  • Gap Assessment
  • Enterprise Penetration Test (optional but highly recommended)
  • Remediation Guidance
  • Formal QSA Assessment
  • Maintenance Activities
  • Additional steps may include:
    • Satisfying annual PCI requirements for penetration testing
    • Tailored development of a total security program
    • Quarterly vulnerability scanning with analyses and prioritization of findings
    • Selecting, implementing and/or monitoring Security Information and Event Management (SIEM) capabilities
Our goal is to enable retailers to determine the best, highest-value course of action — implementing sufficient obstacles to send hackers elsewhere without wasting money by seeking unattainable (and unnecessary) perfection.

Analysts and pundits state that “Retail cybersecurity breaches are becoming a dangerously familiar backdrop to the holiday season, making identity-theft threats as predictable as Black Friday but with devastating losses for stores, financial institutions, and shoppers.”

Major news outlets have reported that card data stolen in the credit and debit card security breach has flooded black markets.

Reports estimate that “Hackers cost businesses as much as $250 for each credit-card number stolen in the form of legal bills, computer-consulting fees, bad publicity, and restoring customer relations…”

For retailers, the worst news may be that PCI compliance, though costly, does NOT guarantee that their interests are protected from cyber attacks, and they need more and better information to succeed—the type of information that only ethical enterprise hacking can produce.

Target Corporation, the nation’s second largest retailer behind Walmart, presents a worst-case example. In December 2013, at the height of the holiday shopping season, forty million customers had to be notified that hackers had illegally obtained access to their credit card information. Subsequently, Target announced that phone numbers, addresses, and other personal information may also be at risk, and that the number affected may reach 100 million shoppers.