Lock it Up

By Home Furnishings Business in Retail Technology on July 2007

Securing the business at a traditional, brick-and-mortar furniture storefront boils down for the most part to pretty basic issues: physical losses such as shrinkage through employee, customer or organized theft, and financial tampering.

Video surveillance might help prevent the first, and regular audits and controls offset the second. Taking the store to the Internet raises the stakes, though, dragging in the issue of protecting consumer information as well as the retailer’s business—along with the need to guard the network against problems such as Web-borne spam and viruses.

With merchants gathering a shopper’s credit card number and other delicate data, unscrupulous but savvy e-criminals want to use the Web to access that info.

Just ask TJX Companies—whose retail brands include T.J. Maxx, Marshalls, Winners, Homesense, T.K. Maxx, A.J. Wright and Bob’s Stores—which suffered a huge data breach uncovered and announced in January.

The breach involved the portion of TJX’s computer network that handles credit card, debit card, check and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada.

In the first quarter of fiscal 2008 alone, TJX recorded a charge of around $12 million, or 3 cents a share, to cover the cost of investigating and containing the breach, including enhancing computer security and systems, customer communication, and technical, legal and other fees.

The company expects to record another 2 to 3 cents a share in second-quarter charges related to the intrusion.

‘Smart Bad People’

“There are some very smart bad people out there, people trying to access credit card information,” said David Hogan, senior vice president and CIO of the National Retail Federation. “All too often I talk to people who identified credit card fraud.”

While identity theft is a buzzword among consumers, credit fraud is the most common data security problem when dealing with the Web, said Hogan, who directs numerous internal and retail industry IT initiatives and manages NRF’s CIO Council, a committee of retailing’s most prominent chief information officers. He also provides oversight for the Association for Retail Technology Standards.

Hogan spent his entire career in retail prior to joining the NRF. He served as vice president and chief information officer of international retailer Duty Free Americas, held senior-level positions with The Limited Inc., serving as CIO for the company’s Lane Bryant division, and was vice president of specialty footwear retailer The Kobacker Co.

“You have several levels of protection,” he said. “First, the appropriate level of security based on who needs to use a particular part of the system, payroll for example. You also have file or database security as well. There’s software that will flag when an individual tries to access X-file on X-date at X a.m., that is when somebody tries to tap your perimeter, someone unauthorized is trying to tap your systems. Then there’s storage protection of customer data while it’s resident in the retailer’s system.”

Retailers should work with a qualified security analyst to establish and verify the security of their databases.

“And no matter what you do, have someone come in and do an audit of your system’s security,” he said. “Perform perimeter testing of e-Commerce sites and internal systems.”

Credit Card Security

Credit card companies themselves are leaning on major retailers to beef up database security, pushing for compliance with the PCI Data Security Standards, a series of 12 steps and procedures (see accompanying sidebar) governing security management, policies, procedures, network architecture, software design and other critical protective measures. This standard’s goal is to help businesses take proactive steps to protect customer account data.

The PCI Security Standards Council, a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection, was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

PCI DSS is subject to ongoing development. Its current version—the original is dated January 2005—became effective Jan. 1 this year.

On the Legislative Front

When it comes to potential federal laws governing data breaches, NRF urges distinction in types of consumer information retailers hold.

As Congress examines potential regulations to establish a national data breach notification standard, the National Retail Federation holds that any new federal law should recognize the fact that retailers usually do not possess the private consumer data needed to commit identity theft.

“A uniform national data breach standard with strong preemption is the only way to ensure that all consumers are treated equally,” said NRF Senior Vice President and General Counsel Mallory Duncan, who testified in June at a House Small Business Committee hearing on data security legislation’s impact on small businesses. “(It) would also lessen the compliance burden for all businesses and allow for one clear notice to be given to all affected customers. Current state laws are generally written to cover residents of that state, not businesses that conduct business there. This means that under the current patchwork of state laws even small businesses could conceivably run into a multi-state compliance burden just by having customers from another state.”

Duncan said retailers typically possess the names and credit card numbers that make credit card fraud possible if breached, but not the Social Security numbers and other detailed information needed to commit identity theft. While identity theft can be difficult to resolve, most fraudulent credit card charges can be easily erased under the Truth in Lending Act requirements and other federal law, he said.

“The distinction between true identity theft and credit card account fraud is very important,” Duncan said. “For most businesses, the most sensitive piece of customer information they possess is a credit card number. A data breach resulting in the loss of a credit card number may at worst lead to credit card fraud, which is easily detected and resolved, and not the more insidious crime of identity theft. As a result, legislation should treat the breach of account information differently than the breach of more sensitive data.”

The NRF has supported the Federal Trade Commission’s proposed “significant risk” standard rather than “reasonable risk” standards that it fears could lead to over-notification and desensitize the public to cases that could pose a real risk.

Duncan said any legislation on data security should take into account both the type of data held by different businesses—not imposing the same requirements on retailers, for example, as on financial institutions, which hold a full array of personal data—and also their size.

“For data thieves, it literally is a numbers game,” Duncan said. “They go where it is efficient to gather the greatest amount of useful electronic information. Most small businesses do not generally store these large caches of sensitive information that the thieves most value.”

Similarly, extending data security laws to paper documents is unnecessary because would-be identity thieves are not likely to steal large quantities of paper documents when they can more easily acquire the data electronically, Duncan said.

Duncan said legislation requiring retailers who suffer a data breach to reimburse banks for the cost of reissuing credit cards is not needed because merchants’ contracts with credit card companies and banks already require the party responsible for a data breach to cover associated costs.
