STORES Magazine - October 2008 - (Page S6)

DATA SECURITY Protecting Customer Information: a Reality Check While it is essential for retailers to comply with Payment Card Industry standards, mere compliance is not enough to ensure that consumer information will be adequately protected. This was the point driven home at a heavily attended panel discussion on retail data security. Panelists were Christopher Dunning, director of IS and enterprise information security for Staples, and Mike Machones, vice president for IT and logistics for the Maurices division of Dress Barn. The moderator was Scott Langdoc, vice president and research and business leader for Global Retail Insights. Langdoc opened with a review of his firm’s recent research on retailers and data security, which he boiled down to seven key findings. card stripe, but they will arise, and the industry will have to deal with them. General approach Langdoc asked the panelists to characterize their companies’ general approach to data security. At Staples, Dunning said, “we’re working hard to define what we need to protect. Our basic strategy was, ‘Let’s get rid of data.’ We use customer information to process transactions, of course, but we also use it to understand our market. Our approach is, if we have an application or function where we don’t need a certain kind of data, let’s just not have [the data] there in the first place.” Machones noted that at 650 stores, Maurices is a relatively small retailer. “We’re package integrators,” he said, “and we go to PCI-certified consultants for help.” Three or four years ago, he said, Maurices didn’t regard data security as a significant issue. “We were a private company, and our systems auditor said we were in good shape. We were self-contained, we didn’t go out to the Internet and we didn’t see ourselves as at risk.” Then the company was sold. The first major IT chore following the acquisition by Dress Barn was becoming compliant with the Sarbanes-Oxley requirements. “We thought that was hard until we started on PCI,” Machones said. “PCI is like Sarbanes on steroids.” After working with a PCI consultant and becoming compliant, Machones brought in a hacker and asked him to try to break into the Maurices system. That was when he found out what he was really up against. “The hacker could easily come in through our wireless system and get into the stores network. He also managed to breach the corporate network, which until I saw him do it I thought was secure. Not only that, he managed to hack into one of our analysts’ computers while they were both open. We were shocked.” WWW.STORES.ORG Research results Retail IT spending on security and PCI compliance is usually not incremental, particularly in an economy like this one. It’s a zero-sum game; the money is being taken from some other IT program — which, he noted, was pretty much the case with Y2K and SarbanesOxley compliance. Compliance does not equal security. Retailers that take a “foundational” approach to managing security technology and processes are at much lower risk. Langdoc advocates building data security into overall system design, not simply tacking it on somewhere. Relationships among card issuers, transaction processors and retailers will continue to be driven by acrimony, not collaboration. Financial issues aside, there are some basic communications problems; peace is not going to break out any time soon. The mainstream press remains relatively clueless about PCI. “We can’t control this,” Langdoc said, “so we have to manage through spin control and PR. I don’t see it improving.” A somewhat related problem is the threat posed to the public’s perception of industry performance in this area by the growing risk of security breaches by small to medium-sized retailers. New payment technologies will both help and hurt retail security and privacy strategies. This is inevitable, said Langdoc. Security issues surrounding contactless technologies and similar innovations may not be as severe as those associated with the magnetic creditS6 STORES / OCTOBER 2008 http://WWW.STORES.ORG

Table of Contents Feed for the Digital Edition of STORES Magazine - October 2008

STORES Magazine - October 2008 Contents Executive Editor's Page President's Page Force of a Different Collar What Shoppers Think Bagging the Competition 10 Things You May Have Missed Numbers Worth Counting Full Price/Markdown Retail People Favorite 50 Sticky Strategies for Retention Concept2Watch Kiosks Online Business Intelligence RFID NRFtech Wrap-up E-Commerce Credit Warehouse Systems Logistics Selling Tools Supply Chain LOEB Retail Letter Arts Update Point of View NRF News Retail Crossword Retail Industry Calendar Last Laugh

STORES Magazine - October 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.