Retail is a high-volume, high-frequency environment: payment flows, customer accounts and fulfilment systems need to work continuously. All of this makes the sector an attractive target for criminals.
They don’t need to use novel techniques – they just look for the same weak points that appear in most estates, such as exposed remote access, unpatched systems, over-permissioned accounts, brittle third-party integrations and limited monitoring.
Retail also has a changing technology footprint. POS (point-of-sale) estates now include cloud-managed terminals, remote support tooling and third-party managed services, and eCommerce sites often rely on complex plugin ecosystems, tag managers, payment widgets and outsourced marketing scripts.
Each dependency is another route to compromise.
How cyber criminals target POS systems
Malware on POS terminals
POS malware has a simple objective: capture payment card data as it is handled by the terminal or the supporting system. One common technique is “RAM scraping”, where malware extracts card data from memory during transaction processing.
How it typically happens:
- The attacker gains a foothold on a POS endpoint or in the wider POS network.
- Malware is deployed via that foothold.
- Card data is captured and exfiltrated, sometimes in near-real time.
The initial foothold is often mundane: phishing attacks on staff, weak passwords on shared accounts, misconfigured admin interfaces and reused credentials all provide ways in. Once the attacker is inside the environment, lateral movement becomes the real risk, particularly where the POS estate is not segmented from the rest of the network.
Compromised remote access tooling
POS environments often include vendor-maintained remote access for support and updates. This is operationally useful, but is also attractive to attackers. If remote access is exposed to the internet, protected by default credentials or configured without strong multi-factor authentication, it becomes an entry point.
This category of compromise tends to be fast. Attackers don’t need to defeat endpoint security if they can authenticate as a legitimate user, or if the remote access service is misconfigured in a way that provides direct access.
Supply-chain compromise
Retail POS deployments depend on third parties: software vendors, managed service providers, payment integrations and update mechanisms. Where a trusted component is tampered with upstream, the attacker can reach multiple retailers at once.
Supply-chain compromise doesn’t always mean a sophisticated vendor breach. It can also be:
- A compromised vendor account used to access a retailer.
- Malicious code introduced into a software component before deployment.
- A weak integration path where data flows between systems without robust authentication and integrity checks.
The practical implication is that POS security cannot be treated as “the terminal”. It is the terminal, the management plane, the support routes and the dependencies.
How cyber criminals target eCommerce sites
Web skimming (Magecart-style attacks)
Web skimming inserts malicious JavaScript into a checkout flow so that card data is captured as the customer enters it. The core pattern is straightforward: compromise the site or a dependency, inject code and send captured data to attacker-controlled infrastructure.
What makes web skimming persist is that it is hard to detect: the victim site continues to function normally for customers. A small script can blend into legitimate tags, third-party analytics and marketing tooling, so campaigns can run for extended periods. The Magecart attacks are a recent example.
Common injection routes include:
- Compromised CMS admin credentials.
- Vulnerable plugins or extensions.
- Exposed file upload functions.
- Compromised third-party scripts or tag manager access.
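One defensive control against the injection routes above, and against the front-end supply-chain risk mentioned later under penetration testing, is to keep an inventory of every script served on the checkout page and alert on changes. The following is an added example, not code from the original article or from GRC Solutions: it parses a constructed checkout page with the Python standard library, fingerprints each script, flags external scripts from origins outside an assumed allowlist or lacking Subresource Integrity, and diffs the result against a saved baseline. The origins, the `sha384-placeholder` value and the page markup are all constructed.

```python
"""Inventory and audit <script> tags on a checkout page (constructed example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for this example: the shop itself plus one approved CDN.
FIRST_PARTY = "https://shop.example"
ALLOWED_ORIGINS = {FIRST_PARTY, "https://cdn.example"}

# Constructed checkout page: two approved scripts (the CDN one pinned with an
# integrity attribute; the hash value is a placeholder), one unapproved
# third-party loader, and one inline snippet.
CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.example/lib/forms.min.js"
        integrity="sha384-placeholder" crossorigin="anonymous"></script>
<script src="https://static.thirdparty-tag.invalid/loader.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment">...</form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect src, integrity and body of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data  # inline script text arrives here

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inventory(html):
    """Return stable fingerprints: (kind, identifier, integrity).

    External scripts are identified by URL, inline ones by a SHA-256 of their
    text, so any edit to an inline snippet produces a new fingerprint."""
    parser = ScriptCollector()
    parser.feed(html)
    items = set()
    for s in parser.scripts:
        if s["src"]:
            items.add(("external", s["src"], s["integrity"] or ""))
        else:
            digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()[:16]
            items.add(("inline", digest, ""))
    return items


def audit(items, allowed_origins=ALLOWED_ORIGINS):
    """Flag external scripts from unapproved origins, and approved third-party
    scripts that are not pinned with Subresource Integrity."""
    findings = []
    for kind, ident, integrity in sorted(items):
        if kind != "external":
            continue
        u = urlparse(ident)
        origin = f"{u.scheme}://{u.netloc}"
        if origin not in allowed_origins:
            findings.append(("unapproved_origin", ident))
        elif origin != FIRST_PARTY and not integrity:
            findings.append(("missing_integrity", ident))
    return findings


def diff_baseline(current, baseline):
    """Anything added since the last approved baseline is a change to review."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


if __name__ == "__main__":
    inv = inventory(CHECKOUT_HTML)
    for finding in audit(inv):
        print("AUDIT:", finding)
    approved = inv - {("external", "https://static.thirdparty-tag.invalid/loader.js", "")}
    print("DIFF:", diff_baseline(inv, approved))
```

In practice the baseline would be written to disk when a release is approved and the check run against the live checkout page on a schedule; a non-empty `added` list or any `unapproved_origin` finding is the alert. The same allowlist is the natural input for a Content-Security-Policy `script-src` directive, which turns the detective control into a preventive one.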
Credential stuffing and account takeover
Credential stuffing uses previously leaked username/password pairs to attempt logins at scale. It works because many customers reuse passwords across services. If a retailer doesn’t implement effective controls (such as rate-limiting, bot detection, strong authentication options and suspicious login monitoring), attackers can take over accounts and monetise them.
In retail, account takeover has direct value:
- Stored payment cards and addresses can be abused.
- Loyalty points can be stolen or redeemed fraudulently.
- Gift cards and promotions can be exploited.
- Order history and personal data can be used for further fraud.
Credential stuffing is not theoretical. It is regularly cited as the method behind compromises affecting consumer-facing brands.
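The "suspicious login monitoring" control above comes down to recognising two shapes in the authentication log: one source trying many different accounts, and one account being tried from many sources. The following is an added example, not code from the original article or from GRC Solutions; the log format, the sample lines (RFC 5737 documentation addresses) and the thresholds are all constructed for illustration and would be tuned to a real estate.

```python
"""Flag credential-stuffing patterns in web login logs (constructed example).

Assumed log line format for this example:
    <ISO 8601 timestamp> ip=<address> user=<login> result=<ok|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sprays six different accounts in seconds and
# gets one success; 198.51.100.7 is a real user who mistypes twice; heidi's
# account is hit from four different addresses (distributed stuffing).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol@example.com result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave@example.com result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=erin@example.com result=ok
2024-05-01T10:00:05Z ip=203.0.113.5 user=frank@example.com result=fail
2024-05-01T10:01:10Z ip=198.51.100.7 user=grace@example.com result=fail
2024-05-01T10:01:15Z ip=198.51.100.7 user=grace@example.com result=fail
2024-05-01T10:01:20Z ip=198.51.100.7 user=grace@example.com result=ok
2024-05-01T10:02:00Z ip=192.0.2.10 user=heidi@example.com result=fail
2024-05-01T10:02:01Z ip=192.0.2.11 user=heidi@example.com result=fail
2024-05-01T10:02:02Z ip=192.0.2.12 user=heidi@example.com result=fail
2024-05-01T10:02:03Z ip=192.0.2.13 user=heidi@example.com result=fail
"""

WINDOW = timedelta(seconds=60)  # assumed detection window


def parse_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, fields["ip"], fields["user"], fields["result"] == "ok"))
    return events


def _windows(sorted_events, window):
    """Yield every sliding window of events whose span is at most `window`."""
    j = 0
    for i in range(len(sorted_events)):
        while j < len(sorted_events) and sorted_events[j][0] - sorted_events[i][0] <= window:
            j += 1
        yield sorted_events[i:j]


def spraying_ips(events, min_attempts=5, min_users=4, window=WINDOW):
    """Sources that try many distinct accounts in one window.

    The successes inside such a window are the account-takeover candidates
    that need a forced password reset and a customer notification."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, evs in by_ip.items():
        for win in _windows(sorted(evs), window):
            users = {u for _, u, _ in win}
            if len(win) >= min_attempts and len(users) >= min_users:
                findings[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "successes": sorted(u for _, u, ok in win if ok),
                }
                break
    return findings


def targeted_accounts(events, min_ips=3, window=WINDOW):
    """Accounts attacked from many sources: the distributed variant that
    per-IP rate limiting alone does not catch."""
    by_user = defaultdict(list)
    for ts, ip, user, _ in events:
        by_user[user].append((ts, ip))
    findings = {}
    for user, evs in by_user.items():
        for win in _windows(sorted(evs), window):
            ips = {ip for _, ip in win}
            if len(ips) >= min_ips:
                findings[user] = sorted(ips)
                break
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("spraying sources:", spraying_ips(events))
    print("targeted accounts:", targeted_accounts(events))
```

The two detectors are deliberately separate because the controls differ: a spraying source is a candidate for rate limiting and bot challenges, while a targeted account is a candidate for step-up authentication regardless of where the next attempt comes from. The one success inside the spraying window is the finding that matters most, since it is an account already taken over.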
Exploiting software vulnerabilities
Retail eCommerce stacks frequently include:
- A CMS or commerce platform.
- A theme and plugin ecosystem.
- Payment and fulfilment integrations.
- API connections to stock, pricing, marketing and customer data.
Attackers look for known vulnerabilities in those components, especially where patching is inconsistent. The usual categories show up repeatedly: injection flaws, cross-site scripting, insecure direct object references and weak API authentication.
This is where “small” issues become material. A single vulnerable plugin can provide a route to file modification. A weak API key can expose customer data. A misconfigured admin panel can provide privileged access without meaningful friction.
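Two of the categories named above, insecure direct object references and weak API authentication, are easiest to see as a vulnerable handler beside its hardened form. The following is an added example, not code from the original article or from GRC Solutions: an order-lookup function that trusts a guessable order id, the corrected version that enforces object-level authorization, and an integration key check that compares keys in constant time. The order data, customer names and the key value are all constructed placeholders.

```python
"""IDOR and API-key handling: vulnerable handler beside hardened handler
(constructed example; names and data are hypothetical)."""
import hmac

# Constructed order store. Sequential ids are realistic and easy to enumerate,
# which is exactly why the lookup must also check ownership.
ORDERS = {
    1001: {"customer": "alice@example.com", "total": 49.99, "card_last4": "4242"},
    1002: {"customer": "bob@example.com", "total": 120.00, "card_last4": "1881"},
}

# Constructed integration credentials; a real deployment would load these from
# a secrets store, never from source.
INTEGRATION_KEYS = {"stock-service": "constructed-key-do-not-use"}


class NotFound(Exception):
    """Raised for both 'no such order' and 'not your order', so the response
    does not reveal which ids exist."""


def get_order_vulnerable(session_user, order_id):
    """Vulnerable: authentication happened upstream, but authorization for the
    specific object never does, so any logged-in customer can read any order."""
    return ORDERS[order_id]


def get_order_secure(session_user, order_id):
    """Hardened: the record must belong to the caller, checked on every request."""
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_user:
        raise NotFound(order_id)
    return order


def authenticate_integration(client_id, presented_key):
    """Hardened key check for a back-office integration (stock, pricing, ...):
    unknown clients fail closed, and the comparison is constant-time so that
    timing differences do not leak how many leading bytes matched."""
    expected = INTEGRATION_KEYS.get(client_id)
    if expected is None or not isinstance(presented_key, str):
        return False
    return hmac.compare_digest(expected.encode(), presented_key.encode())


if __name__ == "__main__":
    print("vulnerable, alice reads bob's order:", get_order_vulnerable("alice@example.com", 1002))
    try:
        get_order_secure("alice@example.com", 1002)
    except NotFound:
        print("secure, alice reading bob's order: not found")
    print("secure, bob reads own order:", get_order_secure("bob@example.com", 1002))
    print("integration key ok:", authenticate_integration("stock-service", "constructed-key-do-not-use"))
```

The hardened lookup returns the same "not found" result whether the order is absent or belongs to someone else; returning a distinct "forbidden" answer would confirm to an enumerating client which ids are live. The key check uses `hmac.compare_digest` rather than `==` for the same defensive reason: the comparison should not give away partial matches.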
Fake payment pages and phishing redirects
Some attacks don’t need to compromise the entire site. They only need to compromise the payment step.
That can mean:
- Altering checkout logic so customers are redirected to an attacker-controlled page.
- Injecting a convincing payment form that captures details.
- Manipulating the user journey through compromised scripts, DNS changes or tampered links.
The result is the same: the attacker obtains payment data and the retailer faces fraud, chargebacks and reputational damage.
The impact of POS and eCommerce breaches
A retail compromise rarely stays in one lane. Operational disruption, fraud and compliance exposure tend to arrive together.
Impacts typically include:
- Theft of cardholder data or payment credentials.
- Theft of personal data (names, emails, addresses, order history).
- Loyalty fraud, refund abuse and account takeover losses.
- Chargebacks, incident response costs and downtime.
- Contractual and scheme-driven consequences where payment data is involved.
- Regulatory exposure, including breach notification duties where personal data is affected.
If personal data is involved, UK GDPR (General Data Protection Regulation) breach reporting obligations may apply. The ICO’s guidance reflects the 72-hour notification expectation for notifiable breaches, aligned with Article 33.
Organisations can also face penalties for non-compliance with the PCI DSS (Payment Card Industry Data Security Standard), including having their ability to accept card payments withdrawn.
Protect your retail systems with penetration testing
Penetration testing is the practical step that validates what happens when an attacker targets your POS estate or your eCommerce stack.
A well-scoped penetration test can help you:
- Identify exploitable paths into POS networks, including remote support routes and management interfaces.
- Validate segmentation between the cardholder data environment and the rest of the estate.
- Test eCommerce web applications, checkout workflows and APIs for real-world weaknesses.
- Detect script injection risks and insecure dependencies in the front end supply chain.
- Assess access management, privilege boundaries and lateral movement paths.
- Produce clear remediation actions prioritised by risk and exploitability.
Penetration testing is also a standard expectation in payment security programmes. PCI Security Standards Council guidance has long positioned penetration testing as a means to validate segmentation and security posture.
How we can help
Book a penetration test with GRC Solutions. Secure your retail systems, protect your customers and reduce the likelihood that attackers reach payment and customer data.
