Where NOT to Store Financial Data
One of the best ways retailers can make both their financial data and their store systems more secure is to reduce their exposure by removing financial data from store systems altogether.
“Take any credit card data out of your store systems,” advised Perry Kramer, VP and practice lead for Boston Retail Partners. “Most retailers don’t know what’s on their systems or their risk profile. You need a good inventory. Some data you might keep.”
According to Kramer, most major retailers are now getting credit card data out of their systems using tokenization, the replacement of customer financial data with digital identifiers called “tokens.” The financial institution processing the transaction then “detokenizes” the data once it receives it. Hackers who steal tokens from a retailer’s network would not have access to any actual customer data.
In the past several years, the development of Unified Commerce (UC) systems that connect all retail channels in real time has allowed retailers to strategically leverage tokens across channels.
“If you assign a customer a token for an e-commerce transaction, you can use it again in the store,” said Kramer. “One token follows the customer within the retailer. It’s driven by Unified Commerce and wasn’t possible until four or five years ago.”
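As an added illustration (not code from the article or from Boston Retail Partners), a simplified Python model of the flow described above: the processor's vault is the only place a card number lives, the retailer's systems keep only a random token, the same token is handed back across the e-commerce and store channels, and an inventory check scans what the retailer stores for anything that still looks like a card number. The class and function names are assumptions made for this illustration.

```python
import re
import secrets
from dataclasses import dataclass, field

PAN_RE = re.compile(r"\b\d{13,19}\b")  # 13-19 digit runs as a candidate card number


def luhn_ok(digits: str) -> bool:
    """Luhn check, used when inventorying whether a system still holds card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit runs that have a card-number length and pass Luhn."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


@dataclass
class PaymentProcessorVault:
    """Constructed model of the bank/processor side: the only place a PAN is stored."""
    _token_to_pan: dict = field(default_factory=dict)
    _pan_to_token: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        # Return the existing token so one token follows the customer across channels.
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(16)  # random; reveals nothing about the PAN
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return self._pan_to_token[pan]

    def authorize(self, token: str, amount_cents: int) -> dict:
        # Detokenization happens here, never inside the retailer's systems.
        if token not in self._token_to_pan:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "amount_cents": amount_cents,
                "last4": self._token_to_pan[token][-4:]}


@dataclass
class RetailerSystem:
    """Constructed model of the retailer's store and e-commerce systems: tokens only."""
    customers: dict = field(default_factory=dict)  # customer_id -> token
    journal: list = field(default_factory=list)    # everything the retailer writes to disk

    def enroll_card(self, vault: PaymentProcessorVault, customer_id: str,
                    pan: str, channel: str) -> str:
        token = vault.tokenize(pan)  # the PAN leaves at once; only the token is retained
        self.customers[customer_id] = token
        self.journal.append(f"{channel} enroll {customer_id} {token}")
        return token

    def charge(self, vault: PaymentProcessorVault, customer_id: str, amount_cents: int) -> dict:
        token = self.customers[customer_id]
        result = vault.authorize(token, amount_cents)
        self.journal.append(f"charge {customer_id} {token} {amount_cents} {result['approved']}")
        return result

    def card_numbers_on_disk(self) -> list[str]:
        """Inventory check: does anything the retailer stores look like a card number?"""
        return find_card_numbers("\n".join(self.journal + list(self.customers.values())))
```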
Another development of the past several years, the introduction of payment systems that are separate from the POS, has opened new possibilities for retailers looking to eliminate the need to store customer financial data.
“Retailers are pulling payment out of the POS,” said Kramer. “Payment is encrypted on swipe, coded at the payment terminal and decoded at the bank. There is no longer payment data entered into the POS. The retailer has no key; the key is at the bank. If the retailer is hacked, it won’t give exposure.”
In addition, some retailers are now settling payments with banks as they are captured, in or near real time. This avoids the need for batch settlement files.
“If it ties, it flies,” Kramer commented.
However, Kramer cautioned that performing this type of advanced secure payment processing requires that retailers stay current with the latest hardware and also keep their staff educated.
“If you haven’t done so, re-evaluate your staff and your store systems team,” said Kramer. “They should collaborate with the security team.”
Although this level of payment security will also increase operating expenses, Kramer said retailers may be able to recoup some of the cost through lower cyberinsurance costs. Finally, he gave some important advice for retailers that may try to simply extend the security they used for fixed POS to mobile POS.
“You have to plan and test mobile POS security,” said Kramer. “You have to do it twice.”