Data protection and privacy are hot topics right now following the recent Facebook scandals and numerous other data breaches. More than ever, shoppers are hesitant about handing over information they do not need to give.
While the switch to EMV chip cards has helped: Visa reported that counterfeit card fraud at chip-enabled merchants fell 66% in 2017. Even so, it is surprising how many retailers (enabled by their software vendors) still store card data and sensitive customer information locally, which is a hacker's dream. Technology continues to advance to help prevent the theft of information, but it is still the retailer's responsibility to make sure their shoppers are not at risk.
Protecting Point-of-Sale Data
Retailers should start by making sure that their point of sale (POS) system has secure in-store protection for card data. At a minimum, the solution should use point-to-point encryption (P2PE), which encrypts card data inside the payment device itself. The encrypted data travels to the gateway and on to the merchant processor without cleartext card data ever touching the POS software or the merchant's environment. A closely related approach is end-to-end encryption (E2EE), in which one vendor (Square is an example) supplies its own payment devices that connect directly to its own processing facilities. With fewer moving parts, E2EE can be the simplest and most robust arrangement for a smaller merchant. The terminology matters, though: P2PE is the PCI Security Standards Council's validated program, with assessed devices, key management and decryption environments, while E2EE is the generic term for a vendor's own encryption that has not been through that validation. A non-validated E2EE solution is not automatically weaker, but the scope reduction it earns is decided by the merchant's acquirer rather than guaranteed by the standard.
What matters is that both P2PE and E2EE take the POS software itself out of the path of cleartext card data. That removes it from the merchant's PCI DSS scope (validated P2PE) or greatly narrows that scope (E2EE, at the acquirer's discretion) and makes compliance far easier to maintain. One caveat a practitioner should keep in mind: the payment device, the network it uses and the staff who handle it remain in scope, and a tampered device or a manual "key the number into the POS" fallback puts cleartext card data right back into the merchant's environment.
Beyond direct PCI concerns, it is also best practice to secure customer and transactional information. Phone numbers, addresses, purchasing habits and other customer data can be exploited to almost the same extent as card data. Rather than storing this data on PCs, local servers or servers placed in a datacenter, native Apple-based solutions (such as SuitePOS) present a much smaller attack surface: the memory-scraping malware behind most large POS breaches is written for Windows terminals, and data held on the device is encrypted in the keychain and gated by PIN or biometric authentication. No platform is impenetrable, but this closes off the most common ways POS data is stolen. Coupling the device with a modern, multi-tenant cloud-based back-end delivered as a service (NetSuite and Salesforce are two examples) keeps the master copy of customer data off local hardware, on infrastructure that the provider patches, monitors and backs up.
Switching to a proper multi-tenant back-end platform provides retailers the benefits of the latest technology and industry best practices for customer data security. As always, even with the most modern mix of technologies, it is important to conduct routine audits and tests to ensure that the POS and backend systems have the level of security needed to protect data.
Protecting eCommerce Data
Consumers are sharing more data than ever through online shopping and social media. So many consumers are opting to do their shopping online as opposed to brick and mortar because it is extremely convenient. For this reason, online retailers have taken steps to make the shopping experience faster and easier by storing a card on file for repeat purchases.
Getting up off the couch to find a credit card is not the best shopping experience, but retailers need to keep in mind that the convenience of a card on file can cost far more than the two minutes it takes a shopper to grab their wallet.
The best thing online retailers can do to protect eCommerce customer data is to not store card data themselves: let the payment processor hold the card and hand back a token for repeat purchases, and enforce strong password requirements on customer accounts (length over arbitrary complexity rules, with screening against known-breached passwords). Those who do choose to store card information must make sure the data is encrypted at rest and tokenized, so that the application database holds only a token and the last four digits rather than the card number itself.
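The two ideas above, encryption at the payment device so the POS never sees a card number (P2PE/E2EE) and tokenization so the merchant stores only a token, fit together in one flow. The following is an added example written for this page, not SuitePOS code or any processor's API. It uses only the Python standard library, so the HMAC-SHA256 counter-mode cipher stands in for the AES/DUKPT encryption a real terminal would use; the key provisioning, the `Gateway` class and the test PAN `4111111111111111` are assumptions made for illustration.

```python
"""Added example: P2PE-style encryption at the device, forwarding by a keyless POS,
decryption and tokenization at the gateway. The merchant keeps only the token
and the last four digits. Stdlib only; the HMAC-based cipher is a stand-in for
the AES/DUKPT a real payment terminal uses (assumption for illustration)."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so the gateway rejects garbage before it reaches the vault."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _subkeys(device_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the key shared by device and gateway.
    enc = hmac.new(device_key, b"p2pe-enc", hashlib.sha256).digest()
    mac = hmac.new(device_key, b"p2pe-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def device_encrypt(device_key: bytes, pan: str) -> bytes:
    """Runs inside the payment terminal: encrypt-then-MAC the PAN under a key the POS never holds."""
    enc_key, mac_key = _subkeys(device_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(enc_key, nonce, len(pan))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def gateway_decrypt(device_key: bytes, blob: bytes) -> str:
    """Runs at the gateway: verify the tag (wrong key or altered blob fails), then decrypt."""
    enc_key, mac_key = _subkeys(device_key)
    if len(blob) < NONCE_LEN + TAG_LEN + 1:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


class Gateway:
    """The only party holding the device key and the cleartext PANs (the token vault)."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key
        self._vault: dict[str, str] = {}

    def tokenize(self, blob: bytes) -> tuple[str, str]:
        pan = gateway_decrypt(self._device_key, blob)
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(12)  # random; no mathematical relation to the PAN
        self._vault[token] = pan
        return token, pan[-4:]

    def pan_for(self, token: str) -> str:
        return self._vault[token]


def pos_checkout(blob: bytes, gateway: Gateway) -> dict:
    """The POS/merchant side: forward the opaque blob, keep only the token and last four."""
    token, last4 = gateway.tokenize(blob)
    return {"token": token, "last4": last4}


def leaks_pan(data: bytes, pan: str) -> bool:
    """Does the PAN appear in cleartext in what the POS handled?"""
    return pan.encode() in data


def rejected(fn, *args) -> bool:
    """True if the call is refused with ValueError (shows tamper and wrong-key failures)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)  # provisioned into the terminal and the gateway, never into the POS
    gw = Gateway(key)
    blob = device_encrypt(key, "4111111111111111")  # constructed test PAN
    print("PAN visible to POS:", leaks_pan(blob, "4111111111111111"))
    print("merchant record:", pos_checkout(blob, gw))
```

The point to take from the flow is where the key lives: the POS calls `pos_checkout` with a blob it cannot open, the gateway is the only place `gateway_decrypt` runs, and the merchant's database ends up with `tok_...` and `1111`, neither of which is worth stealing. A flipped byte or a blob produced under a different key fails the tag check before anything is decrypted, which is the property that makes the POS and its network uninteresting to an attacker.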
Another way to help protect customer privacy is to keep eCommerce accounts separate from social media. Online retailers often let customers sign up for a shopping account via Facebook or Google. This is convenient for shoppers who do not want to create a separate username and password, but it links the shopping account to a social profile, and every linked app is one more party that profile data can flow to. The Cambridge Analytica scandal is the cautionary example: the data that was harvested came through profiles linked to a third-party app, and it reached far beyond the people who had actually installed it. The login mechanism itself (OAuth or OpenID Connect) does not hand the retailer the customer's social-media password; the exposure is in the profile data the customer consents to share and in what the retailer then keeps.
Final Thoughts
Unfortunately, a data breach or cyber attack can happen to anyone, but there are many steps retailers can take to reduce the chance of it happening to them. It is a retailer's responsibility to protect not only themselves but also their shoppers, by investing in and modernizing their processes, their in-store point-of-sale system and their eCommerce solutions.