Stolen credit card data is no longer the prize. Cyber criminals want Personally Identifiable Information (PII), which sells for roughly 20 times as much as credit card data: one credit card record fetches about $1 on the black market, while one record of PII fetches about $20. The healthcare industry is hit daily by attacks aimed at this information; however, regulations and laws are in place to protect it in the healthcare sector. That is not the case in retail.
Credit card information must be secured by law; the retail sector, however, also gathers and stores PII from its customers (name, address, phone numbers, etc.) that is not payment data. This is known as non-payment PII. Mailing list databases are a good example, yet there are no regulations governing how this information must be secured and stored. Regulations and standards are being put in place in Europe, but there is nothing yet in the US.
The National Cybersecurity Center of Excellence and the National Institute of Standards and Technology have offered guidelines to the retail sector that would greatly improve the security of customer information, but they are only guidelines, not requirements.
Laws and regulations for the secure handling of customer information in the retail industry need to be put in place. Until then, Caveat Emptor still applies – Let the Buyer Beware.