Retail Cybersecurity FAQ: Common Questions from UK Retailers

Retail cybersecurity raises the same questions again and again: from e-commerce managers unsure about their PCI DSS obligations, to IT directors trying to prioritise a limited security budget, to managing directors who have just received a ransomware demand. This FAQ answers the questions we hear most often from UK retailers.

Retail is consistently among the three most ICO-investigated sectors, and most retail data breaches are preventable with basic controls.

Retail Cybersecurity Frequently Asked Questions

Do we need to be PCI DSS compliant if we use a payment gateway?

Yes. Using a payment gateway does not eliminate your PCI DSS obligations, but it can reduce them significantly. The scope of your compliance depends on how card data flows through your payment process. If you use a fully hosted payment page, where customers enter card details on the payment gateway's own site and the data never touches your servers, you may qualify for SAQ A, the simplest compliance pathway, with 22 questions. If card data passes through your systems in any form, your scope and compliance requirements are greater. Contact your acquiring bank to confirm which requirements apply to you.

What should we do if our website has been compromised with card skimming code?

Immediately take the affected checkout pages offline; accept the lost sales, because the alternative is continuing to expose customer card data. Notify your acquiring bank, who will guide you through the card scheme incident response process and may need to arrange replacement cards for affected customers. Engage a PCI forensic investigator (a QSA-affiliated forensic investigator will establish the scope of the compromise). Notify the ICO within 72 hours if customer personal data was involved. Finally, remove the malicious code and investigate the entry point before relaunching. Do not simply remove the skimmer and go back online without understanding how it got there, or the attacker will put it back.

How do we protect against Business Email Compromise?

BEC prevention requires both technical and process controls. Technically: deploy email security that detects domain spoofing and lookalike domains; enable MFA on every email account, so that a compromised password does not immediately let an attacker send BEC emails from your domain; and configure SPF, DKIM and DMARC so that receiving mail servers reject messages that spoof your domain. Process controls: require out-of-band verification for any request to change payment details, which means calling the supplier on a phone number you already hold, never one taken from the suspicious email; require dual authorisation for payments above a defined threshold; and train finance and buying teams specifically on BEC fraud patterns.
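The DMARC/SPF point above has a common failure mode: records that exist but only monitor. The following is an added example (not code from the original FAQ) that parses SPF and DMARC TXT records and lists the gaps that would still let a spoofed message through; the records, the mail provider hostname and the domain example-retailer.co.uk are constructed, and DKIM is not assessed because selector names cannot be discovered from DNS alone.

```python
# Added example, not code from the original FAQ: check whether a domain's SPF and
# DMARC records actually stop spoofing or only monitor it. Records below are constructed.
import re

def parse_spf(txt):
    """Qualifier on the SPF 'all' term ('+', '-', '~' or '?'); None if not an SPF record."""
    if not txt.lower().startswith("v=spf1"):
        return None
    qualifier = "?"  # no 'all' term at all: RFC 7208 default result is Neutral
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # bare 'all' means '+all' (pass everyone)
    return qualifier

def parse_dmarc(txt):
    """DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject'}; None if not DMARC."""
    if not txt.startswith("v=DMARC1"):
        return None
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess(spf_txt, dmarc_txt):
    """Return the gaps that would let a spoofed message from this domain be delivered."""
    findings = []
    qual = parse_spf(spf_txt)
    if qual is None:
        findings.append("no SPF record: receivers cannot tell which servers may send for you")
    elif qual != "-":
        findings.append(f"SPF ends in '{qual}all': unauthorised senders only soft-fail or pass")
    tags = parse_dmarc(dmarc_txt)
    if tags is None:
        findings.append("no DMARC record: SPF/DKIM failures are never acted on by receivers")
        return findings
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none only reports spoofing; it does not block it")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine lands spoofs in spam rather than rejecting them")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']}: the policy is applied to only that share of mail")
    return findings

# Constructed records: a typical first-pass set-up and its hardened form.
WEAK = ("v=spf1 include:spf.mail-provider.example ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example-retailer.co.uk")
HARDENED = ("v=spf1 include:spf.mail-provider.example -all",
            "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-retailer.co.uk")
```

`assess(*WEAK)` reports two gaps (soft-fail SPF and monitor-only DMARC) while `assess(*HARDENED)` returns an empty list; run it against your own live records after rolling DMARC from p=none to p=reject.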

We've received a ransomware demand — should we pay?

Do not pay immediately. Contact the NCSC (0300 020 0973), your cyber insurer and a specialist incident response firm before making any decision. Payment does not guarantee data recovery, marks you as willing to pay (inviting repeat attacks), and may amount to funding a sanctioned organisation, which is illegal. The insurer will typically engage their preferred incident response team and guide the payment decision. While those conversations happen, focus on containment and on assessing your backup and recovery options. Many retailers recover without paying when they have tested offline backups.

What is our GDPR obligation when a customer data breach occurs?

You must notify the ICO within 72 hours of becoming aware of a breach if it is likely to result in a risk to individuals' rights and freedoms. For retail customer data (names, email addresses, purchase history, payment data), that threshold is generally met by any significant breach. You must also notify affected customers directly if the breach is likely to result in a high risk to them, particularly where payment data or sensitive personal information was involved. Report through the ICO's online breach reporting service, and record the breach in your internal breach register even when it falls below the notification threshold.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
