In the retail business, nothing is more important than keeping customers happy. Nothing, that is, except keeping them safe.
It’s every retailer’s worst nightmare: a data breach that leaves the brand’s reputation in tatters and destroys consumer trust. Just ask Target, whose 2013 data breach affecting 40 million customers led to a class-action lawsuit and a $39 million settlement.
As payment systems evolve, hackers only grow more sophisticated and determined. In 2014, there were 138 data breaches involving credit and debit card numbers. Last year, that number grew to 160, exposing nearly a million consumers to potential identity theft and fraud.
So what’s the answer (short of returning to the days of C.O.D. or taking credit card numbers by phone)?
The reality is, consumers want it both ways. They want to pay with the greatest possible ease and convenience, whether digitally in store, online, or through mobile apps such as Apple Pay. This means retailers must stay ahead of the curve—and assume the risk involved—to ensure an outstanding customer experience. At the same time, consumers expect state-of-the-art security and have zero tolerance for risk. They want retailers to do more to protect their data.
Here’s what it takes to deliver on both fronts.
As Threats Evolve, Retailers Must Stay Vigilant
I recently spoke with Zach Zalowitz of SCApath, a consulting firm that specializes in supply chain services and omnichannel commerce and security. He advises retailers to focus their efforts on protecting data from two perspectives: while the information is “at rest,” and while it’s “in motion.”
As we talked, Zach made one thing very clear. Significant investments are required to shore up payment processes and technology—and to update them on a regular basis.
Protecting Data “at Rest”
This refers to safeguarding payment information that resides in a database.
- Data encryption involves using an encryption key and an algorithm to produce a ciphertext. This ciphertext, rather than the card number itself, is what is ultimately stored in the website or order management system database. Encryption alone won’t do the job, however; like the deadbolt on a house, this form of protection is only as effective as the organization’s ability to keep the key away from outsiders.
- Tokenization refers to using payment tokens: an exchange of information that eliminates any reference to the original payment information. Simply put, customer data is handed over to a third-party system, which returns an entirely different set of numbers. To get access to the data customers originally provided, retailers must verify their identity to that system.
Both encryption and tokenization are excellent ways to protect customers’ payment information, but they work best together.
Some retailers go a step further, tokenizing payment information before sending it over secure channels, encrypting it, and then tokenizing the encrypted number a second time. This approach offers one of the highest possible degrees of security.
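The two “at rest” controls above, as an added example that is not from the original article or from SCApath. It assumes a hypothetical in-process token vault that stands in for the third-party tokenization service and a constructed API credential for it; the card number is the standard “4111…” test PAN, not a real card. Encryption uses AES-256-GCM from Go’s standard library, so a record that is read with the wrong key or altered in the database is rejected rather than silently decrypted to garbage, and the vault returns a random token that carries no information about the card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Constructed sample card number: the well-known "4111..." test PAN, not a real card.
const samplePAN = "4111111111111111"

// EncryptPAN seals a primary account number with AES-256-GCM. The returned record
// (nonce || ciphertext || auth tag) is what lands in the order database. The key is
// the "deadbolt key" of the article and must live elsewhere (HSM or KMS), never
// beside the data it protects.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so they are stored together.
	return aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN. It fails closed on a wrong key or on a record
// that was modified in the database, because GCM authenticates the data.
func DecryptPAN(key, record []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(record) < ns {
		return "", errors.New("record too short")
	}
	plain, err := aead.Open(nil, record[:ns], record[ns:], nil)
	if err != nil {
		return "", err // wrong key or tampered record
	}
	return string(plain), nil
}

// Vault is a hypothetical stand-in for the third-party tokenization service.
// It keeps the PAN and returns an unrelated random token.
type Vault struct {
	mu      sync.Mutex
	byToken map[string]string
	apiKey  []byte // credential a caller must present to detokenize (constructed)
}

func NewVault(apiKey string) *Vault {
	return &Vault{byToken: make(map[string]string), apiKey: []byte(apiKey)}
}

// Tokenize stores the PAN and returns a fresh 128-bit random token.
func (v *Vault) Tokenize(pan string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(buf)
	v.mu.Lock()
	v.byToken[token] = pan
	v.mu.Unlock()
	return token, nil
}

// Detokenize hands the original PAN back only to a caller that proves its identity.
func (v *Vault) Detokenize(apiKey, token string) (string, error) {
	if subtle.ConstantTimeCompare([]byte(apiKey), v.apiKey) != 1 {
		return "", errors.New("caller not authorized")
	}
	v.mu.Lock()
	pan, ok := v.byToken[token]
	v.mu.Unlock()
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a KMS-managed key in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, _ := EncryptPAN(key, samplePAN)
	fmt.Printf("stored ciphertext record: %x\n", rec)
	vault := NewVault("constructed-demo-credential")
	tok, _ := vault.Tokenize(samplePAN)
	fmt.Println("stored token:", tok)
	pan, err := vault.Detokenize("constructed-demo-credential", tok)
	fmt.Println("detokenized:", pan, err)
}
```

The point to notice is what each store ends up holding: the order database holds only the ciphertext record or the token, neither of which reveals the card number, and the two secrets that can reverse them (the encryption key and the vault credential) live outside that database.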
Protecting Data “in Motion”
Information in transit is equally vulnerable.
- Secure Sockets Layer (SSL) is the leading security protocol on the Internet, and it’s widely used to validate the identity of a website or server. Through the use of SSL, retailers can ensure the handshake between applications, including validation of the server’s certificate, completes before any information is exchanged. This reduces the likelihood of a hacker intercepting the data mid-stream.
- Point-of-entry security is paramount. Call center computers must be scanned regularly for keystroke-logging software. For every in-store transaction, payment information must be encrypted immediately, inside the payment terminal, before it is transported over secured channels.
In addition, in-store payment terminals should be audited regularly to make sure modified card readers (skimmers) have not been fitted over the original terminal. Although small in scale and labor intensive, this method of stealing credit card information is used at retail stores, ATMs, gas station pumps, and everywhere else credit cards are scanned.
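The “handshake before information is exchanged” point, as an added example that is not from the original article or from SCApath (the protocol in use today is TLS, the successor to SSL). It assumes a hypothetical local payment gateway stood up with Go’s `httptest` package, which generates a throwaway certificate, and a constructed payment message. Two clients connect: one that trusts the gateway’s certificate issuer and one that trusts no issuer. The server counts how many payment bodies it actually received, which shows that the untrusted client’s handshake fails before a single byte of payment data leaves it.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// PostPayment sends a payment message to url, trusting only the CA roots given.
// The TLS client validates the server's certificate during the handshake; if
// validation fails, the request (and the body) is never transmitted.
func PostPayment(url string, roots *x509.CertPool, body string) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Post(url, "text/plain", strings.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	reply, err := io.ReadAll(resp.Body)
	return string(reply), err
}

// Outcome records what the demo observed on both sides of the connection.
type Outcome struct {
	TrustedReply   string // gateway reply when the client trusts the issuer
	TrustedErr     error
	UntrustedErr   error // handshake error when the client trusts no issuer
	BodiesReceived int32 // payment bodies the gateway actually received
}

// Demo starts a local TLS gateway (hypothetical stand-in for a payment endpoint)
// and connects to it with a trusting and a non-trusting client.
func Demo() Outcome {
	var received int32
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		if len(b) > 0 {
			atomic.AddInt32(&received, 1)
		}
		fmt.Fprint(w, "accepted")
	}))
	defer srv.Close()

	// Constructed payment message (a token rather than a card number, as the
	// article recommends).
	const payment = "constructed payment message: token=tok_0123, amount=19.99"

	// Client 1 holds the gateway's issuer in its trust store: handshake completes.
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())
	reply, tErr := PostPayment(srv.URL, trusted, payment)

	// Client 2 trusts no issuer: the certificate check fails and nothing is sent.
	_, uErr := PostPayment(srv.URL, x509.NewCertPool(), payment)

	return Outcome{
		TrustedReply:   reply,
		TrustedErr:     tErr,
		UntrustedErr:   uErr,
		BodiesReceived: atomic.LoadInt32(&received),
	}
}

func main() {
	o := Demo()
	fmt.Println("trusted client reply:", o.TrustedReply, o.TrustedErr)
	fmt.Println("untrusted client error:", o.UntrustedErr)
	fmt.Println("payment bodies the gateway received:", o.BodiesReceived)
}
```

The counter is the interesting part: it stays at one because the second client never reaches the point of sending an HTTP request. A client configured to skip certificate verification would push it to two while still “using SSL”, which is why the identity check, not merely the presence of encryption, is what protects data in motion.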
The Customer Experience Should Offer Reassurance
In a recent survey of retailers, 50% indicated they are investing in employee security training and awareness programs. Here’s why the other half need to get on board.
Most consumers know little about data security. Even if they’re curious, they’re unlikely to know which questions to ask. They assume the brands they shop care as much about their safety as they do their satisfaction and are doing everything possible to keep payment information safe.
This is the way it is for most customers, and it’s the way it should be. It’s the retailer’s responsibility to have the utmost protection in place.
But there’s another imperative here: making customers feel safe. This means keeping them informed. Outlining the brand’s security focus and protections. Arming associates and call-center personnel with the knowledge they need to answer questions. Rather than raising doubts in consumers’ minds, this kind of transparency can only strengthen brand loyalty and trust.