’Tis the Season to Lock Out Customer Data Breaches – Part 2

Nov 06, 2006 10:46 PM

Part one of this two-part series looked at potential internal security threats and how to minimize the risks. Here we look at external threats and the importance of encryption.

This year’s projection for record-breaking sales brings enormous risk for data theft. Whether it is through point of sale, loyalty programs, or product returns, data are in a constant state of motion, with sensitive customer information flooding the confines of almost any business.

Not that long ago, the biggest day-to-day customer data risk was misplaced paper with confidential credit-card or sales information. Now, with e-business dissolving the boundaries between merchants and suppliers, and within their own enterprises, more critical information is exposed, creating ominous security gaps that need to be closed.

Online: Customers generally disclose more of their personal information when buying online than in stores. Credit-card numbers, expiration dates, and security codes are all required. Not surprisingly, hackers tend to camp out where transactions occur. You must combat this by applying more security, including encryption of sensitive data and processes.

Kiosks: Kiosks are one of the fastest-growing sales mechanisms, both in stores and at out-of-store locations. You must treat data from these “remote stores” as if they were processed on site. Consumer data will need to be safely transported from the kiosk to the corporate location and then removed from the kiosk in a timely manner.

Marketing, sales, and other business partners: When a purchase is complete, the information about that purchase and consumer is disseminated not just for processing but also to an “ecosystem” consisting of internal corporate departments and third-party partners. They may need access to review the information for loss prevention, to ensure consumer credit, or for a multitude of other application needs. Again, whether static or in transit, data must be protected and rendered of no use to anyone who should not have access.

This immense network typically extends beyond the enterprise’s grasp. Output can be e-mail (which can be easily hacked), servers (which can be infiltrated) and laptops (which can be stolen). Again, protection of the data, usually through encryption, is key. While hackers are rarely locked out, they take the path of least resistance, and strong encryption may entice them to look elsewhere. The same applies to internal individuals who, though not typically malicious, may commit crimes of opportunity.

If data are compromised in any of these environments, the effects can be devastating – a decrease in customer confidence, plummeting sales, lawsuits, and if the company is public, a precipitous drop in shareholder value.

Every merchant counts on the holiday season to win new customers. But a single security breach can lose them – forever.

These three simple steps can shore up defenses – quickly – even in time for this crucial selling season:

Encrypt data at rest: This needs to be an iron-clad rule. Every occurrence of sensitive customer information must be encrypted, no matter where it’s handled or by whom. If credit-card or other consumer data do not need to be maintained in a system, remove them.

Encrypt data in transit: This is another inviolable rule. Any time that sensitive data are moved between applications, divisions, or companies, they need to be encrypted. The payload of information can be protected, or the entire “pipeline” can be secured so that it cannot be accessed.

Secure access to encrypted data: To access encrypted data, users must have the proper rights. Authorizing access to data by role is important to ensuring that the system is secure. Some users will be able to view only the last four digits of a credit card, for instance, while others may have complete access, such as an individual in the loss prevention department who monitors credit-card fraud.
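A sketch of these steps in Go, whose standard library includes AES-GCM: the card number is sealed before it is stored or moved, and a role decides whether a reader gets the full number or only the last four digits. This is an added example, not code from the article or from nuBridges; the role names, record ID and card number are constructed, and key storage is assumed to be handled by a separate key manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

var fullView = map[string]bool{"loss_prevention": true, "customer_service": false} // hypothetical roles

func NewAEAD(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256-GCM
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func Seal(a cipher.AEAD, recordID, pan string) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, []byte(pan), []byte(recordID)), nil // nonce prepended; recordID authenticated
}

func View(a cipher.AEAD, role, recordID string, blob []byte) (string, error) {
	full, known := fullView[role] // unknown roles are refused before any decryption
	n := a.NonceSize()
	if !known || len(blob) < n {
		return "", fmt.Errorf("role %q denied or record malformed", role)
	}
	pt, err := a.Open(nil, blob[:n], blob[n:], []byte(recordID))
	if err != nil || len(pt) < 4 {
		return "", fmt.Errorf("record failed authentication")
	}
	if full {
		return string(pt), nil
	}
	return "************" + string(pt[len(pt)-4:]), nil // last four digits only
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed demo key; real keys belong in a key manager
	a, _ := NewAEAD(key)
	blob, _ := Seal(a, "order-1001", "4111111111111111") // constructed test number
	fmt.Println(View(a, "customer_service", "order-1001", blob))
}
```

Because the record ID is authenticated along with the ciphertext, a sealed card number copied onto a different record, or altered in storage or in transit, fails to decrypt instead of returning data.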

While securing each point individually can help, an overall strategy for protecting customers’ information throughout the entire transaction cycle – online, in stores, at kiosks, and with business partners/suppliers – will ensure that security breaches don’t ruin your holiday season.

Gary Palgon is senior director of connectivity and security solutions for Atlanta-based nuBridges. He can be reached at gpalgon@nubridges.com.