Industry View: Beyond the Breach: A Loss of Trust
Information from a 2013 Federal Reserve Payment Study showed that in 2012, more than 73 billion transactions occurred using credit cards or debit cards. Each of these payments occurred with an unspoken trust between the customer and our retail companies.
Customers trust that they can use our convenience stores with confidence, knowing that no unauthorized person or organization will be able to breach our security procedures and violate that trust. The recent credit-card data theft at Target is a striking reminder of how tightly our brand name is tied to the trust of our customers and how it can be shattered in an instant with the loss of our customers’ data.
Our customers have expectations of a brand’s safety and quality. They desire a clean, safe atmosphere in which to shop. Beyond the physical, they also want to know we are protecting them from credit risks. While all locations that accept credit and debit cards are exposed to theft, we have increased risk not only through multiple card readers in stores but also through the card readers in dispensers at each of our locations.
A recent NACS article estimates that 72% of all motor-fuel purchases are made with plastic, but that number can increase as the price of gas rises. The large volume of transactions makes these predominantly unmanned external card readers attractive targets for skimmers trying to create an access point to another person’s account or to create another card to be used by the perpetrator.
This risk needs to be acknowledged as a reality for each organization. Consider the Target brand, one of the most respected brands in retail. The company has great stores and people, and highly developed data systems and data mining. Yet according to Target’s website, 70 million people may have had their information breached. The reality is: If it can happen to Target, it can happen to you.
What can you do to protect your customers and your brand?
▶ Take the risk seriously.
▶ Develop a security plan. PCI compliance is a good method, but even good security methods can get hacked. Think beyond your security plan.
▶ Create a disaster recovery plan specifically for a data breach. Include all aspects, including public relations, internal communications, possible brand impact, etc.
▶ If a breach occurs, report it and communicate immediately. It does not go away if you bury your head in the sand. Your customers want your acknowledgement that something happened, including the short- and long-term implications. Tell them how you will fix it.
▶ Discuss data security with your store personnel. If you don’t show that you care, no one else will care. Lead by example.
▶ Evaluate the current situation. If credit-card security comes up last on your senior leadership meeting agenda, it is not a priority.
Here are six categories identified for Payment Card Industry (PCI) compliance:
▶ Build and maintain a secure network. What is your firewall configuration to protect data? Do not use vendor-supplied defaults for system passwords and security.
▶ Protect cardholder data. Protect data that you store and encrypt transmissions of cardholder data across public networks.
▶ Maintain a vulnerability management program. Update antivirus and maintain secure systems and applications.
▶ Implement strong access control measures. Restrict access to cardholder data (need to know). Assign a unique ID to each person with computer access.
▶ Restrict physical access to cardholder data. Control the data room and your back rooms if a computer relays information to your office or the data company.
▶ Regularly monitor and test networks. Track and monitor access. Test security systems and processes.
▶ Maintain an information security policy.
I confess that as a c-store executive, I viewed this as less important than many of my other responsibilities. I was involved with PCI compliance, but only as little as possible. We had strong IT professionals who made up for my ineptness on the issue.
The industry is taking the lead with testimony to Congress and explaining the responsibilities of banks, credit-card companies and the retailer. The convenience-store industry will be part of the solution.
Protect your brand. Make this your concern.