![\"Retail](\"https:\/\/dmsretail.com\/RetailNews\/wp-content\/uploads\/2022\/05\/RETAIL-ONLINE-TRAINING-728-X-90.png\")
<\/a><\/p>\n<\/p>\n
It\u2019s been twelve months since a wave of sophisticated cyber attacks shook the retail industry. In the space of a few chaotic weeks, ecommerce platforms were knocked offline, supply chains faltered, and retailers were forced to confront the uncomfortable truth that the systems underpinning modern commerce were far more vulnerable than many had assumed.<\/p>\n
For some businesses, the damage was immediate and severe. Transactions stopped, operations ground to a halt, and teams scrambled to understand how attackers had managed to infiltrate their systems so effectively. For others, the attacks acted as a chilling warning of what could happen next.<\/p>\n
Even now, a year later, that sense of vulnerability has not fully disappeared and many retailers still speak of a lingering anxiety. But with the benefit of distance, it\u2019s worth asking an important question. Has anything actually changed, and if so what?<\/p>\n
Have retailers strengthened their defences in the wake of last year\u2019s crisis? Have consumers become more wary about where they share their data? Or, are retailers simply burying their heads in the sand and crossing their fingers that it won\u2019t happen again?<\/p>\n
The latter, sadly, simply isn\u2019t an option. According to Candice Pressinger, director of customer data security for Europe at Elavon, the attacks forced many retailers to confront a fundamental shift in how security needs to be approached in the modern retail ecosystem.<\/p>\n
\u201cPerimeter-based security simply doesn\u2019t work anymore,\u201d she explains. \u201cRetail today is omnichannel. Everything is connected. Ecommerce, payments, logistics, store systems, mobile apps. The old idea that you can just build a wall around your systems doesn\u2019t hold up in that environment.\u201d<\/p>\n
That realisation has accelerated the adoption of newer security frameworks, particularly zero-trust architectures. Unlike traditional security models, which assume users and devices inside a network are trustworthy, zero-trust treats every interaction as potentially risky and requires continuous verification.<\/p>\n
Pressinger notes that research suggests around\u00a063 per cent of organisations globally now have partial or full zero-trust implementation, reflecting how quickly attitudes have shifted since the attacks. But the biggest lesson from the past year is not simply about adopting new technologies. In many cases, the attacks exposed how fragmented retail security infrastructure had become.<\/p>\n
\u201cBest-in-class cyber security isn\u2019t about buying more tools,\u201d Pressinger says. \u201cIt\u2019s about integration and intent.\u201d<\/p>\n
For years, many retailers responded to emerging threats by layering new tools on top of existing systems such as fraud detection platforms, identity verification tools, and payment security layers, often without ensuring they actually worked together effectively. The result was a patchwork of security solutions that could create just as many problems as they solved.<\/p>\n
\u201cRetailers now use around five security or fraud tools on average,\u201d Pressinger explains. \u201cThat\u2019s up from around four only a few years ago, and it shows how quickly the threat landscape is evolving.\u201d<\/p>\n
But more tools don\u2019t necessarily mean stronger protection. Instead, the most effective security strategies are increasingly focused on how these systems interact with each other, sharing insights, co-ordinating responses, and forming a unified defence against emerging threats.<\/p>\n
At the same time, retailers face another delicate balancing act of protecting their businesses, without damaging the all-important customer experience. In ecommerce, even small amounts of friction can have a measurable impact on sales. Additional verification steps, overly aggressive fraud filters, or poorly implemented security checks can quickly push customers to abandon their baskets.<\/p>\n
For Pressinger, this is where security strategy often goes wrong. \u201cSecurity should be seen as a growth lever, not something that throttles your business,\u201d she says. In practice, that means designing systems that can detect and stop malicious activity without obstructing legitimate customers.<\/p>\n
\u201cOver-zealous fraud prevention isn\u2019t good security,\u201d she adds. \u201cIt\u2019s just lost revenue.\u201d<\/p>\n
The financial stakes are significant. Research suggests the UK retail sector lost\u00a0\u00a31.1 billion to fraudulent activity last year, highlighting the scale of the challenge retailers face in protecting transactions without disrupting the flow of commerce.<\/p>\n
Yet Pressinger believes many businesses still approach the problem from the wrong angle.<\/p>\n
\u201cNearly half of merchants prioritise reducing fraud over improving customer experience,\u201d she says. \u201cBut if your systems block good customers along with bad actors, you\u2019re creating a different kind of risk.\u201d<\/p>\n
The goal, she argues, should be security systems that work quietly in the background identifying suspicious activity, while allowing legitimate transactions to move forward without interruption.<\/p>\n
This requires increasingly sophisticated risk modelling, often powered by artificial intelligence and behavioural analysis, which can evaluate signals such as device identity, purchasing patterns, and transaction context in real time.<\/p>\n
But while technology has advanced rapidly over the past year, one of the industry\u2019s most significant vulnerabilities remains organisational rather than technical.<\/p>\n
John Dobson, vice president of merchant security and fraud at Elavon, believes the biggest challenge facing many retailers is a gap between security expertise and executive leadership.<\/p>\n
\u201cThe biggest thing retailers need is leadership that\u2019s genuinely tech-savvy,\u201d he says.<\/p>\n
Emerging technologies such as AI, machine learning, and automation are rapidly reshaping the cyber threat landscape. Yet Dobson notes that many senior decision-makers still lack a deep understanding of how these technologies operate or the risks they introduce.<\/p>\n
He points out that research suggests that executive confidence in AI strategies is unstable, and actually fell from 69 per cent in 2024 to just 58 per cent in 2025. \u201cHowever, that will change over time,\u201d Dobson says. \u201cAs new generations of leaders come in, that knowledge gap will narrow.\u201d<\/p>\n
But in the short term, he believes it creates a significant risk.<\/p>\n
\u201cIn a lot of businesses, the focus is still on whether the numbers were hit this quarter,\u201d he explains. \u201cSecurity and resilience often get pushed down the priority list until something goes wrong.\u201d That mindset can leave companies dangerously exposed in an era where cyber threats are evolving at unprecedented speed.<\/p>\n
Meanwhile, the threat landscape itself shows no signs of slowing down.<\/p>\n
Pressinger points to the rapid emergence of new technologies such as agentic AI as one example of how quickly the environment is changing. \u201cAgentic AI is coming down the road like a juggernaut,\u201d she says.<\/p>\n
While these technologies offer enormous potential for businesses, they also create new opportunities for cyber criminals, who are increasingly using automation and AI to scale their attacks. For retailers, this means the idea of achieving \u201ccomplete security\u201d is unrealistic. \u201cSecurity is never finished,\u201d Pressinger says.<\/p>\n
Instead, the focus must shift towards resilience, and building systems capable of adapting to new threats and recovering quickly when incidents occur. This involves a combination of adaptive risk models, identity-first security frameworks, and continuous scenario planning designed to anticipate how attack methods might evolve.<\/p>\n
But perhaps most importantly, it requires a shift in mindset. \u201cFuture-ready retail isn\u2019t about stopping every failure,\u201d Pressinger explains. \u201cIt\u2019s about making failure non-catastrophic.\u201d<\/p>\n
In other words, the goal is not to eliminate cyber risk entirely (an impossible task), but to ensure that when incidents do occur, they don\u2019t bring an entire organisation to its knees.<\/p>\n
That philosophy has become increasingly important as retailers recognise the long-term consequences of cyber incidents extend far beyond operational disruption. Trust, after all, is one of the most valuable currencies in modern retail. \u201cWhen something goes wrong, consumers remember,\u201d Pressinger says. \u201cOne in two customers won\u2019t come back if their data is compromised and the issue isn\u2019t handled well.\u201d<\/p>\n
For retailers, that means cyber security isn\u2019t just a matter of protecting systems, but also protecting vital relationships with customers. And while the retail industry has undoubtedly strengthened its defences over the past year, the reality is that cyber threats continue to evolve at a relentless pace.<\/p>\n
Retailers may be more aware of the risks they face. Their systems may be more resilient than they were twelve months ago. But the sense that the industry is operating in an increasingly hostile digital environment hasn\u2019t disappeared.If anything, it has become the new normal. One year on from the attacks that rattled the sector, it\u2019s clear that cyber security is an ongoing battle that could well shape the future of retail.<\/p>\n
However, whilst caution and active protection is sensible, the positive news is that with the right protection, it\u2019s possible for any business to effectively prevent attacks. In fact, the vast majority (80 to 90 per cent) of attacks are completely avoidable, if the right measures are in place. Now, the onus is on you to ensure that you\u2019re protected not just for today, but for the future.<\/p>\n
U.S. Bank Europe DAC, trading as Elavon Merchant Services, is a credit institution authorised and regulated by the Central Bank of Ireland. Authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request<\/em><\/p>\n