Insights: Data Security and Customer Loyalty
By: David Kidd, Peak 10
Data privacy and security remain top concerns for retailers. There is good reason for that. The Target breach compromised approximately 70 million records. The Home Depot breach potentially impacted another 60 million consumers. As I write this article, reports are being made public about a breach involving the office supply retailer Staples. We can no longer deny that cybercrime is a real and growing threat to the retail sector.
The National Retail Federation reported in 2012 that service companies lost more than $11 billion due to credit card fraud. This must not be allowed to continue. Through the industry’s experience, a few things have become apparent. First, consumers care about the security of their data, especially after a breach personally hits home. Consumers are becoming more sensitive to the security of their personal information, and they expect more from the business community. When a breach occurs, they focus their blame on the trusted entity (be it a retailer, bank, etc.), not the criminal.
Many businesses, including retail giant Target, have begun taking immediate steps to prevent a future breach, including the early adoption of chip-and-PIN credit card technology. This technology will be deployed widely in 2015. Chip-and-PIN cards, which are commonplace in Europe, store data in an embedded computer microchip that requires the cardholder to enter a PIN code rather than provide a signature. Therefore, if a criminal gains possession of the card, the PIN serves as an added layer of security to help protect the consumer’s information.
While the adoption of chip-and-PIN credit card technology is not inexpensive, many feel it far outweighs the cost of another data breach. Target’s data breach has thus far cost the company upwards of $200 million.
Forrester Research, Inc., believes this is an opportunity for merchants to not only capitalize on this heightened attention but to use it to cement relationships by placing customers at the center of security and compliance strategies and investments.
In the recent report, “CISOs Need to Add Customer Obsession to Their Job Description” (April 14, 2014), analyst Ed Ferrara wrote: “Internally focused cyber defense is not enough. Organizations need to build a communications link to customers that addresses their need to understand how you are protecting their information and business relationship. Organizations need to change their entire security model from one of compliance — meeting basic standards for data protection — to one in which they create a complete security program that engenders trust in customers and allows them to recognize that security and privacy are important features of almost all products and services. Protecting the customer and the customer experience should be security’s number one priority.”
To help mitigate some of the risk, retailers are partnering with information technology firms and cloud service providers to take proactive measures and establish compliant, safe and secure cloud environments to protect customer data.
More than one in five retailers (22%) are not compliant with the Payment Card Industry Data Security Standard (PCI DSS), according to a survey of 100 retail organizations with fewer than 1,000 employees. An additional 14% don’t know if they are PCI compliant. More than half (55%) are unaware of their state’s security breach notification requirements, while 40% lack any established policy for adhering to those requirements. Partnering with providers who already uphold a strong compliance program with careful adherence to industry standards will allow retailers to extend that protection to their customers’ critical data. This has always been, and will continue to be, a top priority for committed service providers who employ extraordinary security measures to protect and maintain the systems customers depend upon.
While many have been hesitant to adopt cloud technologies, the fact is that although the cloud is not secure by default, it can be made secure. The key is to partner with a service provider with a cutting-edge compliance program, and to hold providers accountable by asking to see documentation of their commitment to compliance. For example, seek organizations that undergo annual examinations by third-party auditors under appropriate standards. Review independent audit reports, including SOC 1, SOC 2, SOC 3, HIPAA and PCI DSS. It’s appropriate, and encouraged, for businesses to hold service providers accountable: to ask the tough questions, to examine documentation, and even to perform their own testing using another third party.
The more questions answered upfront, the more beneficial it will be in the long run for all parties involved: provider, company, and consumer. At the end of the day, data security is a customer relationship issue just as much as it is a compliance or cost issue. If customers are happy and their data is safe and secure, their trust in the business will grow.
Whether the company is a major retailer like Target, Home Depot, or Supervalu, or a mom-and-pop shop down the street, working with experts outside of the business should be part of a comprehensive information security strategy. No one can possibly anticipate or track all security threats. However, by partnering with a secure, compliant service provider that offers managed network security services, businesses can protect data and defend against threats before it’s too late, protecting the customer as well as the bottom line.
David Kidd is VP of governance, risk and compliance at Peak 10, overseeing legal affairs, risk management, and regulatory compliance activities including quality assurance, data center commissioning, and business continuity planning. He has more than 20 years of management experience in information technology and holds professional certification through the Information Systems Audit and Control Association (ISACA).