Retailers’ Ostrich Approach To Consumer Data

Written by Evan Schuman
September 4th, 2006

A major analyst firm will soon report that most retailers still do not have a formal incident response plan for consumer data security. The most likely reason: such a plan would tell retailers things they don’t want to hear.

Despite a veritable avalanche of negative publicity this year for companies caught with improperly handled consumer information, preliminary findings from the Retail Systems Alert Group show that most retailers have nothing formal in place for protecting confidential consumer details.

One of the authors of that report, Steve Rowen, who also serves as the senior editor for the group’s Extended Retail Industry Journal publication, said there are many possible excuses for the absence, but it needs to change.

“It’s a little unnerving. Most retailers are talking a great game about securing customer data but, for whatever reason, whether it’s budgetary or the difficulty of an internal sell, they are not doing what they should be doing about it,” Rowen said. “There’s a disconnect between line of business and IT on this particular matter. When we have these conversations, most people say, ‘Well, we want to stay out of the headlines.’ From the research we’re doing, it doesn’t appear as though the proper measures are being taken to do so. It seems to be getting a lot of lip service and not a lot of action.”

Rowen cites several reasons, including cost (“there’s the lack of an apparent ROI in securing data”) and a retail IT desire to wait as long as possible. Many retailers told Rowen, “We’re simply going to react once there’s a reason to react.”

Listen to Rowen and others discuss this during last week’s StorefrontBacktalk Week In Review.

A much more likely, although discomforting, scenario is the ostrich strategy. That’s where senior retail execs bury their heads in the sands of meetings, hoping they’ll be invisible to security threats.

Why would retail IT execs do that? They know that any reasonable data security and privacy policy would set stringent restrictions on how data can be used, how long it can be stored and how many people can have access to it. The longer such a policy is delayed, the longer the data can be used in whatever way IT and Marketing feel like using it.

This is not to suggest a deliberate, conscious decision, but more of a convenient avoidance for as long as physically possible.

Greg Buzek, president of retail consulting firm IHL, equates the retail approach to data privacy with avoiding a visit to the physician.

“It’s kind of like going to the doctor. If you’re fat, you don’t want to go to the doctor because you’re afraid of what the doctor is going to say or the labs are going to say, even though you’re the very person who should be going to the doctor,” Buzek said. “That kind of effect occurs here when it comes to retail data security. ‘Man, if we go into this and we really dig into this, are we ready to find out what we will find out?'”

Some of this avoidance can be seen internally, when the warning calls of technical managers are consistently, repeatedly and inexplicably ignored. “Whether it’s an IT employee or someone in network engineering, they’ll tell you that they see the value, that they have certainly been shouting warning calls within their organization, but that the warning is falling on deaf ears,” Rowen said.

Another reason for the security problem is that the amount of data being gathered today is far greater than had ever been anticipated by the designers of the security systems being used today.

“A truism in retail is that the only thing that grows faster than the proliferation of systems is the amount of data that is being collected, stored and manipulated throughout the chain. It’s hard to get a handle on where all of that data is,” Buzek said. “It gets taken off a variety of different systems and stored in things like Excel sheets and those Excel sheets are all over the place. This mass retailing effect over the last 10 years simply has grown these businesses much farther than security could handle. The proliferation of data and the proliferation of employees and how many people are touching the data and Internet to the stores and everybody having Internet at their desks and access to all these systems, all of that has simply gone way past what the security process is.”

Rowen agrees that the capabilities of today’s data management systems have fallen far short of the sophistication of today’s data collections. To state the obvious, IT can’t protect data it can’t find.

“The amount of data being collected is unfathomable. The real problem is ‘Where is it?'” Rowen said. “I think that an awful lot of times, retailers are caught not really knowing what their own systems are, whether their motivation for not attacking this is a fear-based thing or a cost-based thing or a communication-based thing, it doesn’t change the fact that there is a breakdown and a high level of siloed storage of this type of data.”

The data problem becomes part of a vicious cycle of a growing retail segment, with mega-chains like Wal-Mart forcing the decisions of other retailers.

“When you have data that grows exponentially and staffing that doesn’t grow or even shrinks, it causes quite a problem on the security front. That’s the effect of a Wal-Mart taking over so much of a marketplace,” Buzek said. “Everybody else is reacting to that and many are reacting by cost-cutting. When you cost cut, one of the first things that goes is security.”

It seems that many retail execs need powerful fear-based reasons for setting strict security and privacy policies. OK, here are a few. A company today doesn’t even have to get attacked by a criminal hacker to be devastated.

As the Veterans Administration and others have recently learned, all that’s necessary is for an employee to take files home and be burglarized, or perhaps to take some disks and a laptop to the airport and lose the company property there. Whether the cause is criminal versus careless, spying versus sloppy or blackmail versus bonehead, the publicity from a breach can cripple a retailer’s reputation. And the media is in love with high-profile data problems. That’s Fear-Based Reason One.

Here’s Fear-Based Reason Two: competitive differentiator. In the same way that a handful of retail chains are using customer service as a differentiator to battle larger chains, it’s only a matter of time before a major chain positions itself as the consumer protector. It will have a privacy policy and run commercials and news releases whenever it wipes out consumer data. With paranoia as its ally, it will turn its rivals’ lack of policy into a lack of caring. It may sound crazy, but is it any crazier than a retailer focusing on customer service? After all, most retailers see themselves as working for the consumer goods manufacturers instead of the consumers. They see themselves as distributors of products, and they make money off of product placement.

Having strict data control policies is not merely the right thing to do, it’s also the safe thing to do.