Retail Systems Research
What Needs to Happen with Data Security?
By Steve Rowen, Partner
3/4/2008
 
The events of September 11, 2001 brought the topic of terrorism front and center. And while tremendous value always results from intelligent discussion of a core problem and possible solutions, do you feel any safer? Conversely, the TJX breach, while not life threatening, brought the topic of customer data security front and center. Like 9/11, it was a potential catalyst to bring about much-needed reform. But as the story has played out, are customers any safer?
 
I am not in any way drawing comparisons between human life and sales of retail goods. Instead, I use the example to point out how entirely possible it is to recognize a problem, truly desire to solve it, but due to a lack of core understanding, ultimately make matters worse. As my partner Brian is fond of saying, “The road to hell is often paved with good intentions.”
 
With all the talk about data security and the fuss over TJX’s massive data breach, potential opportunities have been overlooked. One such area that presents tremendous opportunity for retailers is online fraud detection and prevention. Our recent Loss Prevention report shows that retailers still view fraud detection as a traditional component of stop-loss initiatives. In fact, modern fraud detection and prevention tool sets offer a more practical ROI: a chance to mitigate fraudulent transactions from bad guys overseas and consequently avoid complicating (and potentially losing) legitimate sales.
 
In the case of customer data security, the TJX breach should have been an opportunity to drive a point home. The card brands had already begun hard talk surrounding the pre-established PCI DSS. Beginning in January of 2007, all retail eyes were on TJX to see just how harsh the cost would be, and retailers scrambled to get their own affairs in order to ensure they didn’t become the next big breach.
 
But the card brands ultimately balked. Deadlines for PCI compliance were extended. Class action suits by customers and banks proved to be more annoyance than substantial pain points for the retailer. To top things off, in an entirely unrelated but somewhat ironic twist of fate, the lagging US economy (somewhat attributable to a $2 billion a day war) actually caused customers to tighten the fashion-compartment of their wallets: just like before, TJX (and other off-price retailers) actually saw its stock rise significantly during the breach and its “fallout.”
 
Truth be told, TJX did pay real money out of its own pockets, and was the first retailer ever to be held accountable for a data-negligence issue. For that reason alone, it is safe to assume that the next retailer to incur a well-publicized data breach will likely shoulder even more of the blame/financial responsibility for employing 20th century security technology. Yet the roughly $100 million price tag to TJX (partially funded by insurance companies) seemed to underwhelm most onlookers. In fact, our research continues to show that for the majority of retailers, the TJX event has thus far proven data breaches a “pay the ticket and go home” matter.
 
So the question remains, what will make customer data security initiatives more successful? We believe that like the war on terrorism, small victories are the key to long-term success.
 
Retailers who understand that the PCI DSS has never been the end-goal have always had a greater understanding of the need to secure customer data. While payment data is an integral component, the customer (and the employee, for that matter) has entrusted the retailer with more than just the magnetic stripe of their credit card.
 
This notion is strengthened by the fact that our research consistently shows us that winning retailers are not only looking at securing payment data, but rather at customer data as a holistic dimension deserving of proper protection. And while only time will tell what legal and industry fines will force the hand of laggards to protect payment data, one small victory that seems well within reach is to focus on maximizing genuine sales in a downtrending economy.

What do you think?