‘Tis The Season to Lock Out Customer Data Breaches

Oct 30, 2006 11:31 PM  By

This two-part series looks at threats from an internal and external perspective and discusses strategies for making this holiday season a successful and secure one.

Many are predicting the 2006 holiday season will be the busiest yet. Whether they set foot in the store, or click the mouse a few times, customers will be buying in droves – most with credit cards in hand. Their information will become part of millions of transactions. Mother’s maiden name, birthdates, driver’s license numbers, social security numbers, and Tax ID numbers – all are just a sampling of what will be transmitted between customers, merchants, and partners.

Merchants – online, catalog and retail – need to ensure there are no surprises in their systems security by taking several proactive steps to protect data at all times. The key is recognizing how easy it is for a breach to occur – and where the “hot spots” are –throughout all stages of the transaction lifecycle.

Security Threats

How often do merchants swipe a customer’s credit card or ask seemingly random questions when customers are ready to pay? It happens everywhere: on the phone, on a Website’s check-out page, and even in stores, when cashiers want to know your zip code. This may be a great way to collect customer data needed to execute essential marketing programs, but it’s annoying and risky, because each question opens up new avenues for data to leak.

All merchants share increasingly common security concerns – and can learn from the recent selling season how to create a data security strategy that crosses all channels. Take these examples:

Loyalty programs: About 75% of U.S. consumers take part in the real-world and online reward programs. Customers love them – using them for everyday purchases as well as for gift cards and holiday shopping. In fact, from Columbus Day to mid-January is the peak time for loyalty programs. Online programs represent a big area for growth, as well, with cross-vendor loyalty programs that provide incentive to drive e-purchases with credit from two or more linked merchants.

Any loyalty perk also carries risk: These incentives contain sensitive customer information – sometimes even more than is carried on a credit card, because the cards gather data on how, where, and when consumers buy.

Returns: The day after Christmas is the biggest day for returns. For retailers with multiple channels, it also creates a sudden convergence of brick-and-mortar, online and catalog shopping, as customers line up at the store service desk to hand back gifts they don’t really want. And they don’t really care if the gift was bought it online; they want their money back.

To ensure efficiency and keep service levels high, merchants often house the credit card information from both online and in-person purchases in a common system. When returns are processed, data is transmitted once again – creating another vulnerability gap.

Temporary staff: The army of seasonal workers is highly mobile, and few retailers – in any channel – have the time or resources to screen them carefully. These critical workers are spread across departments – and in the back office.

Merchants need to construct a secure system governing access to information, letting only those with clearance view or edit sensitive customer data. This should begin with point-of-sale. Managers hard-pressed to find time to breathe may say this extra layer of security isn’t worth it – but it’s vital, especially when so many new employees are touching customers’ information. It pays off when the army is disbanded in January, providing fast and reliable way to lock-out those who no longer belong.

Three steps for keeping data secure and protected

Now that merchants can identify the in-store threats, here are three simple steps to minimize vulnerabilities – and ensure data remains fully contained:

Make meeting the mandates part of your culture: Both the federal and state governments are fighting against data breaches – and this spells extra work for merchants. Payment card industry (PCI) mandates and soon-to-be federal regulations require all major credit holder information is encrypted – and more than 40 states have additional regulations. Stringent fines can be levied for non-compliance.

Train staff about the risks: Employees are a critical part of any data security strategy – the best practice is to define who should have access to sensitive information, and monitor it closely.

Consult and collaborate with IT: Most merchants and business operations professionals aren’t expected to be up on the latest trends and solutions for keeping data secure. That’s IT’s responsibility. Laying out the operational processes helps IT identify the biggest threats to data security – and build a highly scaleable, integrated security infrastructure that supports the business.

Building confidence among customers that their information will be safe when they walk through your doors can be accomplished by following these simple steps and keeping your eyes open for potential weak points in your system, often in unexpected places.

Once the risks are clear, everyone can focus on the real job: selling.

Gary Palgon is senior director of connectivity and security solutions for Atlanta-based nuBridges. He can be reached at gpalgon@nubridges.com.