Retailers boost data collection, but data privacy issues persist
How big is the merchandise return problem for retailers?

There are some interesting numbers coming from the National Retail Federation putting returns at several billion dollars a year in the United States. We're talking about a fairly significant amount of money that retailers are losing to abuse of policies and other more sophisticated fraud that takes place.

Many retailers are now tracking customers to identify abuse. What kind of information are they collecting and storing?

There is quite a wide spectrum of information and of the ways the information is collected. On one side of that spectrum we see fairly limited collection, to the point where a retailer would just try to create some level of deterrence by asking for an ID but never really documenting it. The other side of the spectrum is actually taking the credit/debit card number or driver's license number. In between that is other identifiable information that is provided by the customer. Some retailers will ask for household information or a phone number that they could reverse to find an address.

Why would a retailer collect credit card data to identify their customers, especially with PCI DSS rules out there?

It depends, and it would vary depending on the retailer and the level of sophistication of the system they are using. With some systems, the credit card number would be all they have available. Some retailers would just use portions of the credit card number and put it in a separate, secure part of their system. PCI is an important consideration, but depending on the size of the retail organization and the sophistication of that organization, you would see variations in practices.

You've said not to collect too much information on customers. How much is too

It really depends on what the retailer is trying to do, the requirements that exist outside, and the privacy laws and restrictions. The idea is not to collect more than is necessary. We should keep in mind that the collection of information may not necessarily be for the sole purpose of tracking returns. Some retailers have a more sophisticated process in place by which they try to track individuals as they make purchases and make returns, so they can track that individual over time and understand their interests and the level of profitability coming from that customer. That would influence what is being collected.

You've suggested that retailers consider using outside vendors to collect and retain customer information. Doesn't that introduce security risks?

It's not that we're suggesting it; we're noting the fact that some retailers do that. Some retailers do collection on their own; others use an outside vendor for that. We talk in the report about the considerations they should use to make sure that the vendor they are considering is a credible vendor that collects and processes information in a lawful and fair way. And they should put the right security considerations in contractually; in some cases even finding ways to track how a vendor complies with their contract over time, including the security obligations.

Is that a trouble spot

The whole notion of managing vendors that process personal information has been a growing area of concern and a growing area of attention by companies in general. With breach notification and the increasing risks by which information can be abused, any company, not just a retailer, takes a closer look at how the vendor will process the information on their behalf.