Data security: nobody said it was easy
Networking expert Bill Farmer argues that data security goes beyond check-box processes to become a matter of safeguarding the retailers most prized asset, its customer relationships
Networking expert Bill Farmer argues that data security goes beyond check-box processes to become a matter of safeguarding the retailer’s most prized asset, its customer relationships
In this tough economic situation everyone is fighting to win consumer interest, said Bill Farmer, chief executive of Mako Networks.
Competition is high between retailers and, whether it’s a local store or a global e-retailer, all are fighting to win customers and better their rival’s profit margins. From choice of stock to pricings, store or site layouts and even staff training, everything a merchant does is because customer loyalty is the number one priority, contends the networking chief.
“Never before has the retailer/customer relationship been so vital,” he said. “With the growth of interactive social media and personal loyalty schemes, the retail industry is surging forward in terms of customer experience. Yet with competition so intense and consumers becoming ever more cautious, many retailers are unknowingly, and unnecessarily, putting this tenuous customer relationship into serious jeopardy.”
Security is the elephant in room
The issue is data security, Farmer declared. “There have been plenty of news reports recently of major incidents where customer credit card data has been stolen from well-known retailers. These headlines about hacking and leaks should be ringing alarm bells for big businesses, but small and medium enterprises (SMEs) are often even more vulnerable.
“All merchants need to take data security seriously. Careless handling of credit card details imperils the financial stability and customer base of any business,” he continued. “Yes, there are the obvious damaging financial consequences such as penalties, fines, and the cost of implementing improved security, but the ongoing loss of customer trust and the fear that personal details have been leaked to criminals have more significant long-term consequences. The security of shoppers and their credit card details has been repeatedly shown to be a top concern.”
Farmer urged RetailTechnology.co.uk readers to consider that:
- A global survey found that 50% of consumers worry about credit card fraud, according to ACI Worldwide: Card Fraud Survey, March 2011.
- The same survey found more than a third of consumers in the UK have experienced some form of card fraud
- A survey of consumers in the UK (Connected World: Card Fraud Survey, January 2011) found that 42% had been discouraged from making a purchase because they were worried about card fraud.
“Banks, the credit card companies and retailers have all responded by taking steps to improve security. For example, EMV (chip-and-PIN) cards were introduced five years ago to help reduce the risk of card fraud, but these alone do not secure merchants,” added Farmer.
“Even though the payment cards are more difficult to clone and copy, the card data is still susceptible to breaches while it’s on a merchant’s payment system. In an attempt to secure the whole environment in which the transaction takes place, the Payment Card Industry Data Security Standards [PCI DSS] were introduced in 2006 by the major credit card companies. These standards help ensure that a basic level of security is in place at merchant businesses to reduce the risk of card fraud.”
Making compliance a priority
By now, all UK merchants should be aware of PCI DSS, and many merchants that process, transmit or store credit card data are required to be PCI DSS-compliant.
He continued: “In theory, with these new security standards the retail industry should be a safe haven for consumer data, with criminals forced to turn their attention elsewhere. Instead, a serious data breach happens every week on average and the number of hacking incidents seems only to be increasing. So what’s going wrong?
“For many merchants, PCI DSS compliance has become a bit like setting a house alarm, but using 1234 as an access code. The intention to protect against theft is there, but the execution is poor. Retailers just aren’t giving enough attention to compliance. It’s one thing just to fill out a self-assessment compliance form and tick the correct boxes, which on the surface indicates compliance, but it’s another to keep up to date and be absolutely certain that a business is protected.
“Small and medium-sized businesses seldom consider themselves to be targets for card fraud criminals. But these businesses in particular must be warned; criminals do not only target big organisations. Larger companies are naturally richer targets, however, most have accompanying budgets and an IT department dedicated to protecting their vital customer information. Therefore, as PCI DSS regulations take hold, fraudsters are shifting their attention to ‘softer’, less well-defended targets like small businesses. In fact, nearly 96% of PCI DSS breaches take place with Level 3 and 4 merchants – typically smaller businesses that accept less than one million card transactions annually. Along with satellite branches of larger organisations, these are proven to be the most vulnerable organisations for attacks. According to research from Javelin, cybercrime in the US targeted at SMEs totalled more than $8 billion (£4.9bn) in 2010.”
Matching the scale of Tier 1
Farmer pointed out that it can be very difficult as a smaller organisation to dedicate the time to ensuring proper and thorough PCI DSS compliance. But that doesn’t mean there aren’t options. “Network management systems can be used to make PCI DSS compliance a simple, cost-effective and continual process with minimal fuss,” he said. “At Mako Networks, our focus is on a holistic approach to data security, ensuring every element of the business network is protected from the inside out and relieving the pain of the business owner from having to oversee the technical aspects of compliance on their own. The systems are managed remotely to make sure they are secure and constantly up to date, streamlining the process and taking away stress from the merchant for a minimal cost.”
Farmer concluded: “Nobody said compliance was easy, but compliance is not an option; it’s essential. UK retailers must begin to explore the opportunities, do what’s best for the business, and avoid being next on the hacker’s hit list.”