Maintaining Data Security :: Meghan Boyer

The odds of being struck by lightning in a lifetime are 1 in 5,000, but even though a person is unlikely to be hit, it’s still not a good idea to fly a kite in a thunderstorm. In the same way, data breaches aren’t going to occur at every retail location, but that doesn’t mean your garden center should be lax about data security.

Some thieves want more than merchandise from the shelves; they also want retail customers’ credit and debit information. A data breach at retail occurs when an unauthorized party accesses confidential customer data, including credit and debit account numbers and other personal information. Those who access that data can use it to make fake credit cards, fraudulently purchase goods and more. A data breach is a costly problem that damages a store’s reputation with consumers, but thankfully there are steps you can take to improve your data security.

Scope of the Problem

It’s difficult to estimate how many data breaches occur annually. “Most data breaches never reach the public,” says Red Gillen, senior analyst at Celent LLC, a Boston-based research and consulting firm. “Retailers don’t want anyone to know.” Despite this reluctance, some major breaches are publicly reported.

Framingham, Massachusetts-based TJX Cos., operator of TJ Maxx, Marshalls and other retail stores, had inadequate security safeguards in place when it suffered a data breach, disclosed in January 2007, involving 89 million credit and debit card numbers. The breach proved costly for TJX: In November 2007 the company announced a settlement agreement with Visa Inc. and Fifth Third Bancorp, the acquirer for TJX stores in the United States and Canada, to fund up to $40.9 million in breach-related costs.

Becoming Compliant with Standards

The Payment Card Industry Security Standards Council is an independent organization founded by five card brands—American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa—to develop and maintain security standards for the payments industry. Among the standards the council oversees is the Payment Card Industry Data Security Standard (PCI DSS), which includes requirements for security management, policies, procedures, network architecture, software design and other protective measures.

Data security compliance deadlines, fines and procedures vary by retailer size. The payment brands, and not the security council, are responsible for enforcing the PCI DSS and other security standards and do so through fines and other enforcement methods.

Visa, for instance, separates its merchants into different levels based on the number of Visa transactions processed annually. The brand announced in October 2007 that 65% of its Level 1 U.S. merchants, which process 6 million or more Visa transactions annually, are PCI DSS compliant, up from 36% in December 2006. Compliance for Level 2 merchants, which process 1 million to 6 million Visa transactions annually, grew from 15% in December 2006 to 43% in September 2007.

Visa’s compliance requirements and deadlines vary by merchant level. Celent’s Gillen suggests smaller retailers consult with their merchant acquirer service to ensure they’re doing everything they can to maintain data security. The PCI council recommends merchants become aware of the types of information they store.

“The best way to protect payment data is to eliminate the storage of any unnecessary information. The less data you store, the less there is to steal,” says Bob Russo, general manager of the Wakefield, Massachusetts-based council. He adds, “Any stored data should be protected in accordance with the PCI Data Security Standard.”
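The two pieces of advice above, know what card data you hold and keep as little of it as possible, are concrete enough to show in code. The following Python script is an added example, not code from the article or from the PCI Security Standards Council: a discovery pass that finds Luhn-valid card numbers in a constructed log excerpt (the sort of POS export or debug log that quietly accumulates cardholder data), a display mask that keeps only the first six and last four digits, and a storage routine that discards the CVV2 and track data and keeps a keyed token instead of the full PAN. SAMPLE_LOG, STORE_KEY, the function names and the StoredCard layout are my own assumptions; the card numbers are published test numbers, not real accounts.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log excerpt standing in for a POS export that was never meant to
# hold card numbers. The card numbers are public test numbers, not real accounts.
SAMPLE_LOG = """\
2007-11-02 14:03:11 POS3 sale ok amount=42.17 card=4111 1111 1111 1111 exp=0309
2007-11-02 14:05:48 POS3 sale ok amount=19.99 order=1234567890123
2007-11-02 14:07:02 POS1 sale ok amount=88.00 card=378282246310005 exp=1208
"""

# Hypothetical storage key (assumption for the example). In a real deployment it
# lives in an HSM or key management service, never beside the data it protects.
STORE_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check shared by all payment card numbers; it rejects most
    order numbers, timestamps and other digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Discovery pass: return the Luhn-valid PANs present in free text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits (PCI DSS req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = STORE_KEY) -> str:
    """Keyed one-way token for matching refunds and chargebacks to a card.
    A plain SHA-256 of a PAN is brute-forceable (the BIN narrows the search to
    roughly a billion values), so the hash is keyed with a secret instead."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """Everything the store keeps after authorization. CVV2, full track data
    and PIN blocks are deliberately absent: they must never be stored."""
    masked_pan: str
    token: str
    expiry: str


def minimize_for_storage(swipe: dict, key: bytes = STORE_KEY) -> StoredCard:
    """Reduce a raw swipe record to the fields a later refund actually needs."""
    pan = re.sub(r"[ -]", "", swipe["pan"])
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return StoredCard(masked_pan=mask_pan(pan), token=pan_token(pan, key), expiry=swipe["expiry"])


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("PAN found in log:", mask_pan(pan))
    # Constructed swipe record; "cvv2" and "track2" are dropped on purpose.
    swipe = {"pan": "4111 1111 1111 1111", "expiry": "0309", "cvv2": "123", "track2": "..."}
    print(minimize_for_storage(swipe))
```

Run the discovery pass over file shares, database dumps and log directories, not just the payment database; the order number in the second log line shows why the Luhn check matters, since it keeps the scan from flagging every long number. The token lets the store match a returned item to the original card without holding the PAN, and the key that makes the token unguessable is the one secret the design depends on.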

The PCI standards, while a step in the right direction, still can be improved upon to help prevent data breaches, according to the National Retail Federation (NRF). Credit card companies typically require that retailers store card numbers for up to 18 months, which creates an incentive for hackers to try to breach retailer data, according to the NRF.

Know The Costs And Benefits

The retail industry invests hundreds of millions of dollars annually in systems and procedures to protect card data, and much of the money goes toward PCI compliance, according to the NRF. Becoming compliant can include paying for onsite audits, new technology and ongoing maintenance and review.

Compliance costs vary by merchant, extending from the low thousands up to the seven-figure range depending on the complexity and size of a merchant’s network and data stores, number of locations, technology systems and other factors, according to “PCI Compliance: Finding Value Beyond Fine Avoidance,” a study from Pleasanton, California-based Javelin Strategy & Research, a research and consulting firm.

But while merchants must expend time and money to keep data secure, they’ll find consumers look favorably on retailers working to keep cardholder information safe. Average consumers don’t know what PCI is, but they understand data breaches and identity fraud. A survey of more than 400 consumers by BitArmor Systems, a provider of data control software, found more than three of every four shoppers are concerned about companies losing credit card information to hackers.

Consumers are concerned about data security and are willing to support retailers that are security leaders, according to the Javelin study. “Consumers have a greater propensity to shop merchants who they know are security leaders. Forty-seven percent are more likely to continue shopping at a merchant if they know that merchant is dedicating resources to protecting their personal information,” says Rachel Kim, associate analyst with Javelin and an author of the study.

As long as there’s a way to make money from it, thieves always will attempt to steal consumer information, but with awareness and vigilance, you can lower the chances of your garden center’s data being breached.

Meghan Boyer is a freelance writer based in Chicago. She can be reached at meghan_boyer@yahoo.com.


12 Steps to More Secure Data

The Payment Card Industry Data Security Standard, governed by the Payment Card Industry Security Standards Council, Wakefield, Massachusetts, includes requirements for security management, policies, procedures, network architecture, software design and other protective measures.

The standard’s core is a group of principles and 12 requirements:

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security


Visit www.pcisecuritystandards.org for more information on the council’s security standards.


Source: Payment Card Industry Security Standards Council