Operating seven stores, McLendon Hardware Inc. may not seem like a top target for a customer data breach.
However, the Renton, Washington-based chain understands that no retailer of any size is immune to the risk of having sensitive customer data stolen by cybercriminals. That is why McLendon utilizes an Epicor deployment of the Hewlett Packard Enterprise (HPE) SecureData Payment security solution.
“The 2014 Home Depot security breach pushed the idea of payment security to the forefront of the minds of our customers,” Nathaniel Polky, director of IT of McLendon Hardware, said during an interview with Chain Store Age. “It gave us a legitimate pretext to take back to ownership for us to make sure there are no negative customer events.”
Conducting approximately two million consumer transactions each year, McLendon determined that having customer credit card information within its environment was its biggest area of risk.
“From a reputation and financial standpoint, we decided we should try to eliminate credit card data from our environment,” said Polky. “As a midsized local retailer, we don’t have the resources to weather the type of impact a data breach would have on our reputation.”
As an existing user of Epicor ERP and POS solutions, McLendon decided to run a pilot of the Epicor-HPE SecureData Payment platform in early 2015. The retailer was comfortable enough with the results to launch a full-scale rollout in summer 2015.
Customer card data is tokenized at the point of entry and is never stored in McLendon’s environment. Nobody in the chain of custody of the data can see the actual card number until it reaches the back-end payment processor.
“We were able to securely deploy HPE SecureData Payment across all of our 110 POS terminals in one to two days,” said Polky. “There were zero changes to existing systems and infrastructure.”
McLendon is providing tokenization of customer card data following a shift to EMV-compliant POS terminals. The retailer also accepts contactless mobile payments, such as Apple Pay, Samsung Pay and Android Pay.
“The customers aren’t aware we are tokenizing their data – we didn’t want to call it out,” said Polky. “But it builds up the customers’ peace of mind when they see modern POS equipment and up-to-date hardware that supports all types of payment.”
The retailer is liable in the event any tokenized data is somehow hacked. However, it mitigates that small risk with breach insurance that covers the cost of notifying affected customers, which Polky estimated at $25-$50 per shopper.
And McLendon is hardly resting on its security laurels. The retailer is actively educating cashiers on how to spot signs of POS fraud and is always looking for ways to improve its overall security infrastructure.
“As the larger retailers harden their security, criminals are taking a step further down in the market,” said Polky. “We continue to make internal improvements to our security environment.”