Retail Systems Research
“Compliance” does not Mean “Security”: A Preview of the Forthcoming CDS Benchmark Report
By Brian Kilcourse, Managing Partner
12/11/2007
 
Customer data matters. Customer-specific data enables retailers and their partners to target their product and service offerings with more granularity, to get closer to the neighborhoods that their stores operate in, and to offer solutions that are more relevant to specific consumers. From the customer’s perspective, this is in many ways the way retailing “used to be,” but on a potentially much larger scale. Many retailers now store detailed customer purchase histories (including payment information) so that they can better understand consumer demand. However, failure to secure consumer-specific data will result in brand erosion and crippling scrutiny from regulatory agencies and financial networks.
 
The Payment Card Industry, not waiting for government regulation or a proactive response from retailers to the potential risks, has imposed a timeline for compliance with a set of data security standards known as the “PCI DSS” (or simply “PCI”) mandate. Failure to comply has the potential to significantly raise the costs associated with accepting credit cards for payment. Fines and other losses associated with an actual security compromise can be staggering (compliance experts estimate that the fines associated with a compromise can equal $25-35 per account number).
 
But the issue goes beyond PCI Compliance. “Compliance” does not necessarily mean “security.”
 
In a February 2007 study entitled Searching for the True Multi-Channel Retailer, Paula Rosenblum of RSR wrote that while “retailers are diligent about collecting customer information across virtually all selling channels… fully 40 percent of our respondents may collect this data, but they don’t use it…Only 30 percent have the integrated CRM systems needed for effective use of cross-channel customer management.” Although that study indicated that lack of integrated merchandise planning remains an obstacle to multi-channel retailers, there is little doubt that the customer dimension of data is being heavily queried, particularly by Marketing/Merchandising Departments, as RSR’s forthcoming report, Customer Data Security: PCI and Beyond, shows. According to the new report, fully 60% of Retail Winners (those retailers that outperform their peers) allow ad hoc queries to customer-specific data by Marketing/Merchandising staff, compared to 56% of the total response group. Tier-1 Winners show the most willingness, with 73% of those respondents granting open access to sensitive customer data to Marketing/Merchandising.
 
With access capabilities comes a responsibility to ensure that the data is used only by those who have a legitimate business need, and in this regard, survey respondents feel that the PCI mandate to “restrict access to data by business need-to-know” is not particularly difficult. Only 26% of respondents identified this requirement as one of the top three most difficult mandates to comply with.
 
This result indicates that retailers don’t clearly understand the risk. It has become almost an “urban legend” that laptop PCs in particular pose one of the greatest threats to the security of customer-specific data. Looking at the level of “ad hoc” queries allowed to merchants and operations staff, we begin to understand how such access creates risk. RSR’s July 2007 study on Business Intelligence in retail identified that the ubiquitous “spreadsheet” is the most commonly used tool for analysis of customer-specific data. This speaks as much to the state of legacy merchandise planning systems as to retailers’ awareness of the risks associated with uncontrolled access.
 
The extraordinarily cross-functional nature of the data security issue requires strong leadership coming from the top of the company, since ultimately this is an issue that can negatively affect the company’s brand and its ability to execute on its business strategy. Because these are Boardroom issues, it is frequently the CFO, and not the CIO, who is the target for vendors trying to sell “PCI Compliance” programs and technologies. A comprehensive plan to minimize risk needs to include not only end-to-end security management, monitoring and auditing, appropriate use policies, and a data breach response plan, but also avoidance as the first order of business. Many experts strongly advise retailers, “don’t store it if you don’t need it” as the #1 rule of risk avoidance.
 
For example, unless a retailer has a loyalty program or a multi-channel offering, there may be little need to store customer addresses (if the retailer doesn’t have customer addresses in its databases, that limits its liability to notify customers in the event of a breach). The problem with such an approach is that retailers’ marketing and merchandise planning personnel want to use the data to create the relevant, personalized value that consumers are demanding.
 
Fiduciary, technical, and marketing issues collide to create a witch’s brew of challenges which can go unresolved until disaster strikes. What experts fear the most is that rather than deal with these issues, retailers will adopt a “compliant until compromised” attitude, exposing themselves and their customers to great risk. As one pundit put it recently, “it is the unknown unknowns that will get you.” Many retailers seek to mitigate the risk of a data breach with compensating controls such as audits, forensic data logging and analysis, monitoring, etc. Ultimately, however, the need to integrate all channels of the business and utilize the customer dimension of data in business intelligence and merchandise planning processes also creates the opportunity to address the core data security problem, if retailers implement systems and processes that proactively control access to sensitive data, rather than merely providing the ability to discover breaches after the fact.
 
The forthcoming Customer Data Security Benchmark Report 2008: PCI Compliance and Beyond, by Brian Kilcourse and Steve Rowen, will be available at www.rsrresearch.com in just a few days. Please be sure to check for the full report soon.