Data Security: Retail’s New Top Priority
In recent years, customer engagement has become much more of a mission-critical function for retailers. While nobody would argue that retailers must engage their customers in a way that recognizes the disruptive effects of leading-edge technologies like social and mobile, there is a priority that looms even larger. Namely, data security.
Insecure Data Creates Insecure Customers
Engaging a customer successfully, only to have that customer suffer a breach of sensitive information that could subject them to theft of both their money and their identity, is far more damaging to your long-term brand health than not engaging them at all. Data security is the foundation upon which all other retail activities rest. Without it, retailers may find themselves facing an angry and mistrustful customer base only willing to conduct cash-based, anonymous transactions. That model worked well up to the 1950s but is not a framework for 21st century commerce. Here are a few quick suggestions to help retailers put data security at the center of customer engagement and everything else they do in the course of business:
The Time Has Come for PIN & Chip
Unlike most of the rest of the world, U.S. retailers still rely on payment cards that store sensitive data on magnetic stripes and use customer signature for verification. This simplistic security technology has been around for roughly 50 years and is easily defeated by skilled hackers.
Outside the U.S., retailers typically use PIN & chip payment cards that store data on embedded microchips and rely on customer PINs for verification. They are not invulnerable, but PIN & chip cards are much more sophisticated than magnetic stripe cards and offer consumers and retailers a higher level of security. Retailers would need to collaborate with banks, credit card companies and POS systems providers to make PIN & chip a reality in the U.S., but it’s no accident Target has said it wants to revisit a PIN & chip pilot it ended 10 years ago.
Compliance is the First Step
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements mandating that retailers securely process, store and transmit credit card data. PCI DSS compliance provides a data security baseline, but in and of itself does not guarantee data security. The standard is not a law and enforcement is spotty. Beyond that, simply meeting PCI DSS standards in no way protects retailers from the type of highly sophisticated and relentless attacks they are now facing (see more details below). Once you have met PCI DSS compliance, the real work in securing customer data begins.
Know Your Enemy
Despite popular depictions of “hackers” as teen loners operating from their parents’ basements, the reality is today’s data security threats come from international criminal groups and even nation-states. The software program used to penetrate Target’s data security defenses originated in Eastern Europe and has been distributed globally via underground websites, and there is strong evidence that partially or wholly hostile nation-states such as China and North Korea have engaged in hacking the systems of U.S. businesses.
Thus, retailers need to use the same type of encryption, antivirus software, and other data defense mechanisms employed by U.S. government agencies. Achieving this level of data security requires considerable expense in expertise and technology, but losing the faith of your customers is a much costlier proposition.