QUESTION & ANSWER

Retailers boost data collection, but data privacy issues persist

By Robert Westervelt, News Editor
22 Jan 2009 | SearchSecurity.com


The struggling economy has many retailers easing return policies to attract nervous shoppers, but as they increase data collection to combat fraudulent returns, one data privacy expert says the tools and processes must be in place to protect customer identities. Sagi Leizerov, a senior manager in Ernst & Young's Privacy Risk Advisory Services, said the right mixture of technology and policies could ease the burden of data collection and retention and improve security. He outlines some methods in his report, "The retail perspective: Loss prevention, fraud control and privacy." In this interview, Leizerov explains how retailers can cut down on fraud by carefully managing customer data collection and retention.

SearchSecurity.com: How big is the merchandise return problem for retailers?

Sagi Leizerov: There are some interesting numbers coming from the National Retail Federation putting returns at several billion dollars a year in the United States. We're talking about a fairly significant amount of money that retailers are losing to abuse of policies and other more sophisticated fraud that takes place.

Many retailers are now tracking customers to identify abuse. What kind of information are they collecting and storing?
Leizerov: There is quite a wide spectrum of information and the way the information is collected. On one side of that spectrum we see fairly limited collection to the point where a retailer would just try to create some level of deterrence by asking for an ID, but never really documenting it. The other side of the spectrum is actually taking the credit/debit card number or driver's license number. In between that is other identifiable information that is provided by the customer. Some retailers will ask for household information or a phone number that they could reverse and find an address.

Why would a retailer collect credit card data to identify their customers; especially with PCI DSS rules out there?
Leizerov: It depends and it would vary depending on the retailer and the level of sophistication of the system they are using. With some systems, the credit card number would be all they have available. Some retailers would just use portions of the credit card number and put it in a separate secure part of their system. PCI is an important consideration, but depending on the size of the retail organization and depending on the sophistication of that organization, you would see variations in practices.
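Leizerov's remark about keeping only portions of the card number in a separate, secured part of the system points at a concrete design that PCI DSS requirement 3 also steers toward. What follows is an added example (my own illustration, not code from the report, from Ernst & Young or from any retailer's system) of one way to build a return-tracking store in Python: the store keeps an HMAC token of the PAN together with a PCI-style truncated form (first six and last four digits), the HMAC key is assumed to live in the separate secure component, and the sample PAN, key and purchase record are constructed for the demonstration. It also shows the caveat a practitioner needs: an unkeyed hash stored beside the truncated PAN can be reversed by enumerating the six middle digits.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


def _luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string, treating the rightmost digit as the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True if pan is all digits and passes the Luhn check (a syntactic test only)."""
    return pan.isdigit() and len(pan) >= 13 and _luhn_sum(pan) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid (used to build sample data)."""
    return str((10 - _luhn_sum(partial + "0") % 10) % 10)


def truncate_pan(pan: str) -> str:
    """PCI DSS-style truncation: at most the first six and last four digits survive."""
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way token used to match a card across purchases and returns.
    Without the key, someone holding the token and the truncated PAN cannot
    enumerate the missing digits; an unkeyed hash offers no such protection."""
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_hash(pan: str) -> str:
    """The weak alternative: a plain SHA-256 of the PAN (shown only to be broken below)."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


class ReturnLedger:
    """Purchase history for return-fraud checks that never persists a full PAN.

    Assumption: the HMAC key lives in the separate, secured part of the system
    (an HSM or a secrets vault); it is handed in here only for the demo."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._records: Dict[str, List[dict]] = {}   # token -> purchase records

    def record_purchase(self, pan: str, amount: float, date: str) -> None:
        token = tokenize_pan(pan, self._key)
        self._records.setdefault(token, []).append(
            {"card": truncate_pan(pan), "amount": amount, "date": date})

    def purchases_for(self, pan: str) -> List[dict]:
        """Called at the returns desk with the card the customer presents."""
        return list(self._records.get(tokenize_pan(pan, self._key), []))

    def stored_text(self) -> str:
        """Everything persisted, flattened, so a check can prove no PAN is in it."""
        return repr(self._records)


def recover_pan_from_unkeyed_hash(first6: str, last4: str, digest_hex: str) -> Optional[str]:
    """The failure mode: an UNKEYED hash stored beside the truncated PAN is reversed
    by trying the 10**6 middle digits (worst case about a second of CPU); the Luhn
    check prunes nine of every ten candidates before hashing."""
    for middle in range(10 ** 6):
        candidate = f"{first6}{middle:06d}{last4}"
        if luhn_valid(candidate) and unkeyed_hash(candidate) == digest_hex:
            return candidate
    return None


# Constructed sample data for the demonstration (not real card or key material).
SAMPLE_PAN = "411111000123456" + luhn_check_digit("411111000123456")   # 16 digits
DEMO_KEY = b"demo-key-held-in-the-secure-component-0001"

if __name__ == "__main__":
    ledger = ReturnLedger(DEMO_KEY)
    ledger.record_purchase(SAMPLE_PAN, 49.99, "2009-01-15")
    print("stored:", ledger.stored_text())
    print("matches on return:", ledger.purchases_for(SAMPLE_PAN))
    print("unkeyed hash reversed to:",
          recover_pan_from_unkeyed_hash(SAMPLE_PAN[:6], SAMPLE_PAN[-4:], unkeyed_hash(SAMPLE_PAN)))
```

The design choice worth noting is that the ledger can answer "has this card been used for returns before?" without being able to produce the card number, and that the only secret is the HMAC key, which is the piece that belongs in the "separate secure part" Leizerov mentions. Losing the ledger alone yields truncated PANs and tokens that cannot be reversed; losing the key alongside it reduces the scheme to the brute-forceable unkeyed case the last function demonstrates.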

You've said not to collect too much information on customers. How much is too much?
Leizerov: It really depends on what the retailer is trying to do, the requirements that exist outside and the privacy laws and restrictions. The idea is not to collect more than is necessary. We should keep in mind that the collection of information may not necessarily be for the sole purpose of tracking returns. Some retailers have a more sophisticated process in place by which they try to track individuals as they make purchases and make returns so they can track that individual over time and understand their interests and the level of profitability coming from that customer. That would influence what is being collected.

You've suggested that retailers consider using outside vendors to collect and retain customer information. Doesn't that introduce security risks?
Leizerov: It's not that we're suggesting, we're noting the fact that some retailers do that. Some retailers do collection on their own; others use an outside vendor for that. We talk in the report about the considerations that they should use to make sure that the vendor they are considering is a credible vendor that collects and processes information in a lawful and fair way. And they should put the right security considerations contractually; in some cases even finding ways to track how a vendor complies with their contract over time, including the security obligations.

Is that a trouble spot for retailers?
Leizerov: The whole notion of managing vendors that process personal information has been a growing area of concern and a growing area of attention by companies in general. With breach notification and the increasing risks by which information can be abused, any company, not just a retailer, takes a closer look at how the vendor will process the information on their behalf.


Tags: Data Privacy and Protection, PCI Data Security Standard








All Rights Reserved, Copyright 2003 - 2009, TechTarget