It’s been twelve months since a wave of sophisticated cyber attacks shook the retail industry. In the space of a few chaotic weeks, ecommerce platforms were knocked offline, supply chains faltered, and retailers were forced to confront the uncomfortable truth that the systems underpinning modern commerce were far more vulnerable than many had assumed.
For some businesses, the damage was immediate and severe. Transactions stopped, operations ground to a halt, and teams scrambled to understand how attackers had managed to infiltrate their systems so effectively. For others, the attacks acted as a chilling warning of what could happen next.
Even now, a year later, that sense of vulnerability has not fully disappeared, and many retailers still speak of a lingering anxiety. But with the benefit of distance, it’s worth asking an important question. Has anything actually changed, and if so, what?
Have retailers strengthened their defences in the wake of last year’s crisis? Have consumers become more wary about where they share their data? Or, are retailers simply burying their heads in the sand and crossing their fingers that it won’t happen again?
The latter, sadly, simply isn’t an option. According to Candice Pressinger, director of customer data security for Europe at Elavon, the attacks forced many retailers to confront a fundamental shift in how security needs to be approached in the modern retail ecosystem.
“Perimeter-based security simply doesn’t work anymore,” she explains. “Retail today is omnichannel. Everything is connected. Ecommerce, payments, logistics, store systems, mobile apps. The old idea that you can just build a wall around your systems doesn’t hold up in that environment.”
That realisation has accelerated the adoption of newer security frameworks, particularly zero-trust architectures. Unlike traditional security models, which assume users and devices inside a network are trustworthy, zero-trust treats every interaction as potentially risky and requires continuous verification.
Pressinger notes that research suggests around 63 per cent of organisations globally now have partial or full zero-trust implementation, reflecting how quickly attitudes have shifted since the attacks. But the biggest lesson from the past year is not simply about adopting new technologies. In many cases, the attacks exposed how fragmented retail security infrastructure had become.
“Best-in-class cyber security isn’t about buying more tools,” Pressinger says. “It’s about integration and intent.”
For years, many retailers responded to emerging threats by layering new tools, such as fraud detection platforms, identity verification tools, and payment security layers, on top of existing systems, often without ensuring they actually worked together effectively. The result was a patchwork of security solutions that could create just as many problems as they solved.
“Retailers now use around five security or fraud tools on average,” Pressinger explains. “That’s up from around four only a few years ago, and it shows how quickly the threat landscape is evolving.”
But more tools don’t necessarily mean stronger protection. Instead, the most effective security strategies are increasingly focused on how these systems interact with each other, sharing insights, co-ordinating responses, and forming a unified defence against emerging threats.
At the same time, retailers face another delicate balancing act: protecting their businesses without damaging the all-important customer experience. In ecommerce, even small amounts of friction can have a measurable impact on sales. Additional verification steps, overly aggressive fraud filters, or poorly implemented security checks can quickly push customers to abandon their baskets.
For Pressinger, this is where security strategy often goes wrong. “Security should be seen as a growth lever, not something that throttles your business,” she says. In practice, that means designing systems that can detect and stop malicious activity without obstructing legitimate customers.
“Over-zealous fraud prevention isn’t good security,” she adds. “It’s just lost revenue.”
The financial stakes are significant. Research suggests the UK retail sector lost £1.1 billion to fraudulent activity last year, highlighting the scale of the challenge retailers face in protecting transactions without disrupting the flow of commerce.
Yet Pressinger believes many businesses still approach the problem from the wrong angle.
“Nearly half of merchants prioritise reducing fraud over improving customer experience,” she says. “But if your systems block good customers along with bad actors, you’re creating a different kind of risk.”
The goal, she argues, should be security systems that work quietly in the background, identifying suspicious activity while allowing legitimate transactions to move forward without interruption.
This requires increasingly sophisticated risk modelling, often powered by artificial intelligence and behavioural analysis, which can evaluate signals such as device identity, purchasing patterns, and transaction context in real time.
But while technology has advanced rapidly over the past year, one of the industry’s most significant vulnerabilities remains organisational rather than technical.
John Dobson, vice president of merchant security and fraud at Elavon, believes the biggest challenge facing many retailers is a gap between security expertise and executive leadership.
“The biggest thing retailers need is leadership that’s genuinely tech-savvy,” he says.
Emerging technologies such as AI, machine learning, and automation are rapidly reshaping the cyber threat landscape. Yet Dobson notes that many senior decision-makers still lack a deep understanding of how these technologies operate or the risks they introduce.
He points out that research suggests that executive confidence in AI strategies is unstable, and actually fell from 69 per cent in 2024 to just 58 per cent in 2025. “However, that will change over time,” Dobson says. “As new generations of leaders come in, that knowledge gap will narrow.”
But in the short term, he believes it creates a significant risk.
“In a lot of businesses, the focus is still on whether the numbers were hit this quarter,” he explains. “Security and resilience often get pushed down the priority list until something goes wrong.” That mindset can leave companies dangerously exposed in an era where cyber threats are evolving at unprecedented speed.
Meanwhile, the threat landscape itself shows no signs of slowing down.
Pressinger points to the rapid emergence of new technologies such as agentic AI as one example of how quickly the environment is changing. “Agentic AI is coming down the road like a juggernaut,” she says.
While these technologies offer enormous potential for businesses, they also create new opportunities for cyber criminals, who are increasingly using automation and AI to scale their attacks. For retailers, this means the idea of achieving “complete security” is unrealistic. “Security is never finished,” Pressinger says.
Instead, the focus must shift towards resilience, and building systems capable of adapting to new threats and recovering quickly when incidents occur. This involves a combination of adaptive risk models, identity-first security frameworks, and continuous scenario planning designed to anticipate how attack methods might evolve.
But perhaps most importantly, it requires a shift in mindset. “Future-ready retail isn’t about stopping every failure,” Pressinger explains. “It’s about making failure non-catastrophic.”
In other words, the goal is not to eliminate cyber risk entirely (an impossible task), but to ensure that when incidents do occur, they don’t bring an entire organisation to its knees.
That philosophy has become increasingly important as retailers recognise that the long-term consequences of cyber incidents extend far beyond operational disruption. Trust, after all, is one of the most valuable currencies in modern retail. “When something goes wrong, consumers remember,” Pressinger says. “One in two customers won’t come back if their data is compromised and the issue isn’t handled well.”
For retailers, that means cyber security isn’t just a matter of protecting systems, but also protecting vital relationships with customers. And while the retail industry has undoubtedly strengthened its defences over the past year, the reality is that cyber threats continue to evolve at a relentless pace.
Retailers may be more aware of the risks they face. Their systems may be more resilient than they were twelve months ago. But the sense that the industry is operating in an increasingly hostile digital environment hasn’t disappeared. If anything, it has become the new normal. One year on from the attacks that rattled the sector, it’s clear that cyber security is an ongoing battle that could well shape the future of retail.
However, whilst caution and active protection are sensible, the positive news is that, with the right protection, it’s possible for any business to effectively prevent attacks. In fact, the vast majority (80 to 90 per cent) of attacks are completely avoidable if the right measures are in place. Now, the onus is on you to ensure that you’re protected not just for today, but for the future.
U.S. Bank Europe DAC, trading as Elavon Merchant Services, is a credit institution authorised and regulated by the Central Bank of Ireland. Authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request.