A recent article in ComputerWeekly trumpeted how UK retailers will be spending more on technology in 2014, noting it is number four on their list of spending priorities. Technology dollars are earmarked for websites, mobile payments and e-commerce platforms. The only reference to security was concern over the cost of data compliance.
No doubt US retailers will be making similar technology investments because that is the direction that consumer preference and mobile technologies are taking them. However, there is another discussion happening in several corners about data security and regulatory compliance. People are putting forth the notion that, rather than considering these a cost, security and compliance are actually investments with revenue-generating potential. And not just any people.
At a recent conference on the payments industry, TRANSACT14, executives from Bank of America Merchant Services, Wells Fargo and Vantiv collectively proffered that the massive data breach at Target may have been a good thing. It produced calls from Congress, consumers and merchants alike for greater security, leading these banks and others to lobby for enhanced security within the payments industry. It was a wake-up call, at least for these institutions, about how critical it is to invest in initiatives that ensure their customers’ data is protected.
There are other people, too … the people who vote with their touchpads. Since the Target et al. data breaches and NSA exposure, technology-savvy consumers have never been more aware or less tolerant of merchants placing their personal data at risk.
The Age of the Customer
Forrester Research, Inc., believes this is an opportunity for merchants not only to capitalize on this heightened attention but to use it to cement relationships by placing customers at the center of security and compliance strategies and investments. In the recent report “CISOs Need to Add Customer Obsession to Their Job Description” (April 14, 2014), analyst Ed Ferrara wrote:
“Internally focused cyber defense is not enough. Organizations need to build a communications link to customers that addresses their need to understand how you are protecting their information and business relationship. Organizations need to change their entire security model from one of compliance — meeting basic standards for data protection — to one in which they create a complete security program that engenders trust in the customer and allows them to recognize that security and privacy are important features of almost all products and services. Protecting the customer and the customer experience should be security’s No. 1 priority.”
Developments are happening on a more tactical level as well. The credit card industry is finally bringing chip and PIN technology to the US in late 2015. Well, sort of. More like chip and not-PIN technology for the time being, relying still on customer signatures to complete transactions. In a recent Wall Street Journal article, the chief legal counsel of the National Retail Federation (NRF) lamented that implementing card chip technology without PIN is like installing an alarm on the front door of a home while leaving the back door open. Credit card fraud cost retailers and financial services companies more than $11 billion in 2012, according to the NRF. PIN simply makes too much sense to not be implemented.
Taking it to the Streets
This glass-half-full perception of progress and attitude shifts is encouraging. The current reality on Main Street for many small and mid-sized businesses (SMBs) is quite different, however. Network security experts at Fortinet recently sponsored research into the state of compliance regulations, security policies and new technologies among SMB retailers. There is a big disconnect.
More than one in five retailers (22 percent) are not compliant with the Payment Card Industry Data Security Standard (PCI DSS), according to a survey of 100 SMB retail organizations with fewer than 1,000 employees. An additional 14 percent don’t know whether they are PCI compliant. More than half (55 percent) are unaware of their state’s security breach requirements, while 40 percent lack any established policy adhering to those requirements.
According to Fortinet’s Patrick Bedwell, vice president of product marketing, “Despite looming threats and stiff compliance penalties, more than a fifth of SMB retailers are still not PCI compliant, while many are falling short of security best practices like password safety.”
It won’t be getting easier for these merchants. For example, as chip and PIN card use increases, merchants will be faced with something called liability shift. If a merchant requires a customer with a chip card to sign for their purchase because the merchant lacks the appropriate terminal technology, then liability for that transaction will fall to the merchant. A merchant with the right terminal technology will not be liable, however, if the bank card used by the customer has no chip; the issuing bank is liable for that transaction.
Help is at Hand
SMB retailers who fall short are placing themselves in an untenable situation regarding compliance and liability, not to mention the rapidly evolving preferences and concerns of their customers. The bar is being placed ever higher and, at some point, it may become unreachable for these merchants.
With resources such as its PCI DSS-compliant IT infrastructure and PCI DSS-compliant cloud, in addition to its experience and expertise, Peak 10 can get these merchants on the road to compliance and help deliver a more secure infrastructure overall. Peak 10 also offloads much of the burden from those retailers who are already PCI compliant and who want a business partner that can help them stay that way.