How big is the merchandise return problem for retailers?
There's some interesting numbers coming from the National Retail Federation putting returns at several billions of dollars a year in the United States. We're talking about a fairly significant amount of money that retailers are losing for abuse of policies and other more sophisticated fraud that takes place. Many retailers are now tracking customers to identify abuse. What kind of information are they collecting and storing?
There is quite a wide spectrum of information and the way the information is collected. On one side of that spectrum we see fairly limited collection to the point where a retailer would just try to create some level of deterrence by asking for an ID, but never really documenting it. The other side of the spectrum is actually taking the credit/debit card number or driver's license number. In between that is other identifiable information that is provided by the customer. Some retailers will ask for household information or a phone number that they could reverse and find an address. Why would a retailer collect credit card data to identify their customers; especially with PCI DSS rules out there?
It depends and it would vary depending on the retailer and the level of sophistication of the system they are using. With some systems, the credit card number would be all they have available. Some retailers would just use portions of the credit card number and put it in a separate secure part of their system. PCI is an important consideration, but depending on the size of the retail organization and depending on the sophistication of that organization, you would see variations in practices. You've said not to collect too much information on customers. How much is too much?
It really depends on what the retailer is trying to do, the requirements that exist outside and the privacy laws and restrictions. The idea is not to collect more than is necessary. We should keep in mind that the collection of information may not necessarily be for the sole purpose of tracking returns. Some retailers have a more sophisticated process in place by which they try to track individuals as they make purchases and make returns so they can track that individual over time and understand their interests and the level of profitability coming from that customer. That would influence what is being collected. You've suggested that retailers consider using outside vendors to collect and retain customer information. Doesn't that introduce security risks?
It's not that we're suggesting, we're noting the fact that some retailers do that. Some retailers do collection on their own;, others use an outside vendor for that. We talk in the report about the considerations that they should use to make sure that the vendor they are considering is a credible vendor that collects and processes information in aand lawful and fair way. And they should put the right security considerations contractually; in some cases even finding ways to track how a vendor complies with their contract over time, including the security obligations. Is that a trouble spot for retailers?
The whole notion of managing vendors that process personal information has been a growing area of concern and a growing area of attention by companies in general. With breach notification and the increasing risks by which information can be abused, any company, not just a retailer, takes a closer look at how the vendor will process the information on their behalf.