Retailers on Deadline to Secure Data

By George Anderson

Businesses that accept credit card payments need to secure customers’ personal information from identity thieves by June 30 or face fines as well as the potential for legal liability for their failure, reports The Wall Street Journal.

Retailers are responding to a deadline set by a consortium of credit-card associations representing Visa, Mastercard and others that have issued a set of computer security standards covering all aspects of the card-processing system. This, reports the Journal, includes “databases, e-mail services, wireless access points, Web applications and firewalls that restrict outsiders’ access to internal networks.”

According to the card companies, most retailers have passed audits demonstrating that consumer information is secure, but Chris Noell, vice president of Solutionary Inc., which audits retailers’ systems, said mistakes are being made as companies scramble to meet the deadline.

“In a lot of cases we find some pretty severe issues,” he said. “Everybody’s in a rush to get a clean report they can turn into Visa.”

The urgency of compliance has been made even more apparent by the latest report that a still yet-to-be-determined number of consumer records were stolen from Polo Ralph Lauren. This follows similar cases of database theft from DSW Shoe Warehouse, Lexis-Nexis and ChoicePoint Inc.

Moderator’s Comment: What is the state of data security in the retail industry? How do marketers define where the line is between having enough personal data to better serve customers without exposing them to additional risk?


The WSJ story told of one company’s experience. 3Delta was storing the three-digit “cardholder verification value” on the back of cards so that clients would not have to enter it with every transaction.


Under the new standards, retailers cannot store this data. Aaron Bills, 3Delta’s vice president of products and business development, said the company asked Visa for an exemption and were told, “Thanks. We understand your logic. It doesn’t matter. Get rid of it.”


The data was removed in 24 hours, said Mr. Bills.

George Anderson – Moderator

Bernice Hurst
19 years ago

This is where risk assessment becomes the issue. But the mere idea of marketers drawing lines or deciding that they have enough personal data on customers is a total oxymoron. It goes against the very ethos of marketing and it simply isn’t going to happen.

There is no longer any truly safe way of hiding anywhere on the planet, unless you have managed to find a cave somewhere in the mountains surrounded by armed disciples who are willing to give their lives for you. It isn’t even a matter of personal responsibility or choice any more. There are “security” cameras everywhere. Any time you make a purchase using anything other than cash, there is the likelihood that the seller will retail certain details for “your benefit”. Big Brother and Big Sister are out there and they are not heading off to caves of their own. All any individual can do is minimise their risk by adopting a reclusive lifestyle. Other than that, we must accept what is now a fact of life and realise that anyone who wants to know about us and is sufficiently determined to pry can have a field day. I may well be paranoid but that doesn’t mean there aren’t people out to get us all.
