Retail Systems Research
Better Late than Never: Data Security & Consumer Privacy Meld into One Challenge
By Brian Kilcourse, Managing Partner
9/23/2008
 
A couple of weeks ago, my partner Steve Rowen commented in a Retail Paradox Weekly column about TJX Vice Chairman Donald C. Campbell’s recently published statement that “the ‘cure’ to the data breach blues is Chip & PIN technology.” Regardless of the relative merits of that statement, it is clear that many companies who capture and use customer-specific information began doing so with eyes wide shut (from a privacy and security perspective). As one compliance assessment company CEO said to us a year ago, many retailers had a “compliant until caught” attitude. But now the audits are real with real consequences. Like the old comic strip used to say, “There oughta be a law.”
 
As for the technology that Campbell mentions, “Chip & PIN,” it has been in use for many years outside of the U.S. and particularly in Europe. And as the executive suggests, it is proven to be harder to hack. The cost? According to the Boston Globe article that quoted Campbell, “Such an upgrade would likely cost billions to introduce in the United States, industry specialists estimate, including around $2 for each new credit card and up to $500 for each of merchants' 12 million card readers. TJX alone could spend as much as $20 million, Campbell estimated.” You can be certain that as with all the other costs associated with fixing the issue for the consumer, the cost will be passed on… to the consumer.
 
The good news in this is that a Board of Directors member of a large retailer is discussing the issue. But let’s ask the question: why (finally) now? We’ve been covering the issue of “customer data security” since 2005, and have continuously pushed the notion that PCI is just the tip of the iceberg – that ultimately the two issues of data security and privacy would merge into one corporate governance concern. In other words, this is not merely a technology issue, but a strategic one deserving BOD visibility.
 
“Why now” is the result of PCI compliance audits occurring at retail companies now that the PCI DSS standard is mandatory. As these audits have become part of the corporate compliance process, they have come to the attention of the audit sub-committees of Boards of Directors, and thus have finally gotten visibility. But this is obviously a reactive response to an imminent threat (fines and surcharges). The bigger threat has been and remains two-fold: first, that the technology architecture is porous, and second, that as a result sensitive data may be exposed.
 
And that is how the two issues of data security and consumer privacy have melded into one strategic challenge – it truly is about the retailers’ Brand. Just in time too; regardless of the current difficult economic times, consumers are increasingly engaging in cross-channel shopping to make smart purchases. At the same time, consumers are growing more concerned than ever that their information may not be safe. As evidence of that, PayPal released study results in March 2008 that revealed that “62 percent of purchasers feel more secure when they do not have to enter credit card information online, even at merchants' sites that they trust,” “One third of online shoppers want to avoid filling out name, address and credit card details,” and “one in eight consumers thinks about how he or she will pay even before deciding what to buy.”
 
In last November’s study entitled Customer Data Security: PCI and Beyond - Benchmark Study 2008, RSR stated: “Since customer data security ultimately is an issue that can affect the company’s brand and its ability to execute on its business strategy, making a discussion of the issue a regular agenda item for the Board of Directors is absolutely vital.” That appears to be exactly what is now happening in retail boardrooms. The customer is certainly making her feelings known on the issue, and that makes data security and privacy a vital attribute of every retailer’s Brand promise.
 
Editor’s Note: Watch for a new RSR study entitled Beyond Compliance: the Merging of Data Security & Privacy, which will launch in late October.











Retail Systems Research does share the details submitted by individuals downloading specific items of free research with the vendors who are sponsoring that specific research.  It is for this reason that Retail Systems Research is able to offer a substantial body of research FOR FREE to end-users.