Merchants are increasingly aware of the need to invest time, money, and resources in ensuring that customer data are secure. Pressure from federal and state governments, the payment card industry and – more and more – consumers themselves is driving real action to protect personal information regardless of where it resides within the enterprise.
But there’s a new threat, one almost so new that it’s barely discussed: With the growing reliance on partners for everything from direct ship to returns management, merchants are sharing a great deal of customer data with suppliers, with little thought to what those partners have in place for protection. Customers don’t know and often don’t care who is sending the product they ordered, just as long as it gets to them. The need to cut costs and improve efficiency has led merchants to outsource picking, packing, and shipping of products. With virtual inventory management – purchases shipped directly from the warehouse to the home or to the store – merchants need to share a significantly greater amount of customer information with suppliers, adding a layer of complexity.
A merchant’s best practices in consumer data protection usually encompass only its own operations. The reality is that while internal processes may be more than enough to meet the stringent requirements, these inward-focused approaches leave the merchant exposed to risk if a supplier experiences a data breach.
The tangled web can snare you
One compelling trend that makes partnering with suppliers a business imperative is the myriad of laws being rolled out at the state level. Merchants and suppliers may find that they’ve met mandates in one state but are not compliant with requirements in other states. And it does not matter whether the breach occurs in the home state of the merchant, the state of the supplier, or the state of the consumer; unencrypted data that are breached in any of these bring penalties upon the company that exposed them.
For example, an Arizona-based customer who orders seafood from a merchant in Connecticut to be shipped as a gift to someone in Florida presents an extremely complex web of protection compliance rules and regulations that need to be met. For Arizona, a customer’s information must be encrypted when the first or last name is stored or sent in combination with any other personal information. Connecticut’s rules, which became effective Jan. 1, 2006, require the same, while Florida’s mandates are some of the nation’s most stringent – protecting everything from tax identification numbers to biometric data.
The combinations are endless. Merchants – especially those doing business in multiple states or online – must take a multifaceted approach to protection, encryption, and reporting of personal data and breaches.
Creating a secure ecosystem
Survey your trading partners: Ask your suppliers to provide you with written details on what data security measures they have in place for protecting your customer information. Plan in-person meetings to review the issues and next steps.
Prioritize a strategy for closing the gap: Based on the survey findings, categorize your suppliers by how they prioritize data-security implementations. In determining whether suppliers make security a top, midlevel, or low priority, take into account the level, type, and volume of information you share.
Create a roadmap for supplier migration: Define a timeline for on-boarding suppliers to your platform for data security. Include milestones for measuring progress, and build in time for setbacks – recognize that there will be obstacles and plan time in advance to overcome them.
Invest in technology that makes it easy to adopt your strategy: Many suppliers are small companies that can’t afford huge outlays of money, time, and resources. Today’s on-demand delivery models can put innovation and scalability into the equation while ensuring a robust and reliable protective layer – across all connections.
Be a resource for education: An educated partner is a diligent partner. Share the latest news, trends, and strategies around the issue in structured, consistent communications to ensure that everyone understands what’s happening and how to remain ahead of the risk.
As the physical location becomes obsolete, merchants need to pay attention to the industry’s best practices as the benchmark for protection. Today’s environment requires that merchants not only look within the four walls for points of weakness for criminals to break in but also take a good look at suppliers’ processes. Ensuring that all trading partners are meeting or exceeding your standards gives the added security that your customers’ information is protected no matter where it’s located.
Gary Palgon is senior director of connectivity and security solutions for Atlanta-based solutions provider nuBridges. He can be reached at [email protected].