STORES Magazine - October 2008 - (Page S7)

Langdoc asked if the now much-publicized recent security breaches had had a material effect on the panelists’ own activities. “It had a direct impact on Staples,” Dunning said. “Our board members know — or are — people on other boards in the New England area, and they conveyed their concern to the company. This not only changed the viewpoint of our executives on the subject, it impacted the overall culture in the IS organization significantly. Before that, PCI was basically a wrangle with the banks. But then there was a sense of urgency to make sure our own house was in order.”

Machones reported that his own board was also involved and supportive. “They’ve been paying attention all along. They get PCI reports at their quarterly meetings, and we also report directly on it to the executive teams and steering committees. It’s the No. 1 project we have.”

The panelists were asked what steps they had taken to inform customers about the efforts they were making to keep their data safe. Dunning said he was sideswiped by a team at the Staples marketing department, which dreamed up something called “Security by Staples.” They bundled various security-oriented products — shredders, antiviral software, and so on — and branded them together. They then hired Frank Abagnale Jr., whose exploits were chronicled in the movie “Catch Me If You Can,” as a consultant, and quoted him as saying, “Security is now a Staples product.”

“I felt like they’d painted a big red target on my back,” Dunning said, “but then they came to me and asked me to be on the team. Now the consultants we send out to set up home and small-office security systems use the same procedures as Staples corporate.”

Security is not a Maurices product, nor is it a subject the company talks about much. “We’ve not had a lot of customer inquiries,” Machones said, “so we decided to handle it at the store level. The store managers deal with it one-to-one with a customer who asks, letting them know we’re on top of this.”

Big challenges

The biggest challenge to implementing data security measures, Machones said, is “the wireless system. We’re wireless in the stores, and that was the widest window for the hacker we brought in to test us. We had to deal with it quietly — this is not the sort of thing you want to advertise — and it was scary, because it would have been a big financial hit if we’d had to replace it. We worked with Fujitsu, and they steered us to a supplier that set up a secure e-processing network for us.”

The second major challenge was removing credit card numbers from any system in which they weren’t needed. Where they were required they were tokenized (a process that substitutes a randomly generated “token” for all but four digits of the actual card account number), and strict access standards were implemented.

Staples set up a separate network for IS and a “data protection service” wherein all credit card information lives. The data protection network uses an aliasing system to communicate credit card information to other applications. Since they’re handling aliases and not real credit card data, these applications are no longer subject to PCI. This, said Dunning, has enabled Staples to focus on that one system, which makes it easier to deal with both security and compliance.

When asked how much his company had spent to date on data security, Machones said, “It’s a seven-digit problem.” Dunning declined even to provide a ballpark figure, though he said, “We do know that if we had a breach at Staples, it would cost us $42 million in postage just to notify our customers.”

Social engineering

Both IS managers are focusing on what they called “social engineering” — raising awareness of security issues among the staff. Some of this is basic (don’t write your password on a sticky note and attach it to your PC monitor) but most of it is more sophisticated.

Staples is conducting briefings with what Dunning calls “trusted individuals,” people senior enough to have access to customer transaction data. They are reminded, fairly frequently, that they are trusted individuals, and that, should something happen, they are among the people whose actions will be scrutinized very carefully. The more IS systems and procedures improve, the better able retailers are to safeguard customer data from outsiders, the greater the likelihood becomes that the next big retail data breach will be an inside job.

“We’re trying to get our heads around it,” Dunning said. “We’re thinking about jump drives. We’re thinking about e-mail — we’d like to scan it all, instead of just doing random samples. This stuff is so valuable that it would be worth it for somebody smart to get hired, work for six months or so, become a valued and trusted team member, copy a credit card database and just not show up for work the next day.”

Nothing can prevent that, but retailers might be able to make it hard enough that maybe the data thieves will choose to target someone else’s store instead.

STORES / OCTOBER 2008 S7 http://WWW.STORES.ORG
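
The tokenization and aliasing arrangement the panel describes (a random token standing in for all but the last four digits, with real card numbers held only by the data protection service) can be sketched as below. This is an added example, not code from Staples, Maurices or the magazine; the `TokenVault` class, the caller names, the constructed test card number and the rule that a token must fail the Luhn check are all assumptions made for illustration.

```python
import secrets

def luhn_ok(number: str) -> bool:
    """Luhn checksum that genuine payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the data protection service: sole holder of real card numbers."""

    def __init__(self, allowed_callers):
        self._allowed = set(allowed_callers)   # systems permitted to recover a card number
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:          # one stable alias per card
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]            # only the last four digits survive
            # Assumed design choice: a token must never pass as a real card number.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._allowed:        # strict access standard on the real data
            raise PermissionError(f"{caller} may not retrieve card numbers")
        return self._token_to_pan[token]

if __name__ == "__main__":
    vault = TokenVault(allowed_callers={"settlement"})
    alias = vault.tokenize("4111111111111111")  # constructed test number, not a real card
    print("alias handed to other applications:", alias)
```

Applications that store only the alias can still match repeat purchases and print the last four digits on a receipt, while a copy of their database yields no usable card numbers.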