Securing Customer Data: Moving from Defense to Offense

Feb 27, 2006 8:39 PM  By

March 1 won’t be just another Wednesday this year for many multichannel merchants. It’s the day that Montana and Rhode Island join the growing list of states with laws on the books that put real teeth in the penalties for noncompliance of identity protection.

Last year’s Payment Card Industry (PCI) mandate put the squeeze on retailers that don’t comply with bank card requirements for data protection. (See ”PCI Pain” in the June 2005 issue of MULTICHANNEL MERCHANT.) Now legislation is coming from the federal government and more than 40 states that will require companies to encrypt sensitive consumer information, or accept heavy consequences if the information is compromised.

In 2005, according to the Federal Trade Commission, 37% of fraud complaints were the result of identity theft. That fact, coupled with the growing list of penalties for not operating responsibly, is forcing merchants – large and small – to move from defense to offense.

Breaches and the theft of customer information have implications beyond the fines. Lawsuits, the costs of recovering from a crisis, and for public companies the losses on stock price are well documented. Increasingly there’s evidence that a much larger issue is looming: the loss of the customer relationship – perhaps the biggest risk of all. Recently an independent survey of 10,000 consumers revealed that nearly 20% of respondents had terminated a relationship with a company after being notified of a security breach.

Protecting data isn’t easy. Customer information resides in hundreds of places throughout the organization, in many different forms, and it moves around. While many merchants focus on protecting credit-card information at the point of sale, during the authorization process, true consumer data protection requires much more. Securing all consumer information whether in transport or while it is stored may seem excessive, but as hackers become more sophisticated and internal breaches by employees become more frequent, it’s just common sense.

Mapping consumer information as it flows through the company illustrates the most vulnerable touch points:

  • at the point of transaction – whether the point-of-sale system is a store, a Website, a paper order form, or a phone order
  • when the information is being transferred to the credit-card processor for authorization
  • when order information is staged on a store network
  • when information is transferred to corporate headquarters from a store or a Website
  • as users access the information from enterprise systems such as ERP, CRM, data warehousing for marketing, sales, and order processing
  • during analysis by loss-prevention or fraud-detection applications
  • at the point of reconciliation with credit-card processors.

At each of these stages, savvy merchants are implementing advanced levels of encryption to ensure that all critical personal information – not just credit-card information but also social security numbers, phone numbers, addresses, and birth dates – is protected.

There are best practices you can adopt that secure, encrypt, and transport personal data for the benefit of all. These include:

Securing electronic communications with business partners.
These partners include not only banks and credit-card processing companies but also suppliers and any other companies with which you exchange sensitive information.

  • Encrypting data whenever and wherever they are stored.
    All credit-card and other consumer information should be stored in an encrypted format and be decrypted on the fly, not preserved in clear text.
  • Ensuring auditability of all transactions and activities.
    Once hackers have accessed what they want, the first thing they’ll do is erase the audit file. Locking down those files in an “audit vault” makes that action impossible, ensuring a trail for the forensic data team.
  • Restricting access to individuals based on credentials.
    Creating an access hierarchy reduces the internal threat. For example, cashiers should have access only to the last four digits of a credit-card number, not the entire code. Loss-prevention clerks should be able to view credit-card numbers only for suspicious cards.
  • Staying current on security trends and maintaining compliance.
    Recurring network and security assessments of the organization ensure that you are compliant with PCI and other regulatory laws.

Putting customer needs first is part of the merchant DNA. Today that means demonstrating innovation and commitment to keeping customer information safe from identity thieves. Going on the offensive – at least in terms of data security – will reduce exposure to security breaches, mitigating the risk of fraud losses, penalties, and operational and legal expenses that result from information security incidents. Perhaps just as important, these strategies send the strongest possible message to customers that you are taking an aggressive stand to protect their information – and their identity.

Gary Palgon is senior director of connectivity and security solutions for Atlanta-based business-to-business solutions provider nuBridges. He can be reached at gpalgon@nubridges.com