In May this year US retailer Target reached an $US18.5 million ($24.78 million) settlement with dozens of US states over a 2013 data breach. The hackers stole data from over 41 million credit and debit card accounts and exposed the contact information of more than 60 million customers.
While the Target case is an extreme example, any business that accepts cashless payments, in-store or online, is vulnerable to security breaches. And as cashless payments become more popular with customers, who appreciate the convenience of technology like tap-and-go and mobile wallets, it’s more important than ever to ensure your business is protected.
What is a data breach?
Before you can protect your business, you need to know what you’re protecting it from. A data breach occurs when information held by an organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
A new bill passed by the federal government earlier this year, which will take effect by February 2018, makes it mandatory for businesses with an annual turnover of more than $3 million to report such a breach.
Failure to comply with the new notification scheme will be “deemed to be an interference with the privacy of an individual”. Serious or repeated interferences with the privacy of an individual will attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
Aside from the financial impacts—Target estimated the total cost of its data breach to be $US202 million—not protecting your customers’ data can also damage your brand reputation and lead to a lack of trust.
According to Verizon’s 2017 Payment Security Report, 66 per cent of consumers are unlikely to do business with a company that has had a data breach. Ashish Thapar, Verizon managing principal – investigative response, told Retailbiz retailers need to be aware of the risks that come with storing customer information like credit card details.
“At the end of the day, if the data is not protected it’s not a question of if, it’s a question of when [a breach will occur],” he said. “Organisations must be in a state of mind to assume a breach will happen, rather than taking a head in the sand approach.
“Things like damage to your brand reputation are irreversible—your name gets in the media, there’s social media hype—so you better be prepared rather than sorry when things go wrong.”
How can you protect customer data?
Protecting customer data shouldn’t be anything new to retailers. If as a business you accept, process, transmit or store cardholder data, then you are required to comply with the Payment Card Industry Data Security Standards (PCI DSS). All business, no matter the size, must comply with the PCI standards if they plan to accept and process payments via credit or debit card.
Verizon assesses organisations’ PCI compliance and in its report the company looked at how four industries—financial services, hospitality, IT and retail—stack up when it comes to safeguarding customer data. It found that less than half of retail organisations achieved full compliance.
Ferdie Delos Santos, Verizon senior manager – security assurance APAC, told Retailbiz there are a number of factors inherent in retail that make compliance more difficult.
The most challenging issues for retailers are: protecting stored cardholder data; authenticating access, for example assigning a unique username and password to each user; and maintaining a policy that addresses information security for all personnel.
“Looking at these three aspects, by its nature retail will have difficulty sustaining them,” said Delos Santos. Authenticating access is particularly difficult as teams often share login credentials to access stock management systems.
“Retail outlets come in different sizes, big and small, and they might not know what privileges are needed for each user. In more than 82 per cent of total incidents [assessed by Verizon], stolen credentials were at the root cause of the breach.”
Both Thapar and Delos Santos said they would advise retailers to avoid storing data all together. “For example ecommerce merchants can use a third party service provider to ensure redirection, meaning data is only collected by the third party,” Thapar said. “This helps mitigate risk.”
If retailers do need to store customer data, it is vital to keep it to a minimum and be totally aware of what you store. “We advise retail outlets to know what data they store, process and transmit,” said Tharapar. “They need to know where the data is located…
“Retail organisations must put in place very strong risk management and governance controls to evaluate if they need to store data and, even more importantly, they should have strong PCI compliance with sustainable controls,the right resources, roles, skillsets, processes and technology.”
Want the latest retail news delivered straight to your inbox? Click here to sign up to the weekly retailbiz newsletter.