Midsize retailers: Keep calm with these security tips
By Fawn Fitter
High numbers of transactions, large volumes of money and merchandise changing hands regularly, and frequent employee turnover make retailers a prime target for theft and fraud. The more employees, suppliers, and customers you interact with each day, the greater the odds that one of them will be tempted. Here are some security tips so that retailers can avoid spending all their time worrying about their vulnerabilities.
In Summary:
• Securing customers' financial and personal data is every bit as important to your business as providing quality products.
• Security technology protects your storefront and stock as well as your databases.
The retail industry indeed faces unique security challenges, ranging from protecting credit card data from hackers to protecting inventory from shoplifters.
For example, wireless networking, point-of-sale (POS) devices, and other digital technologies can make your company more productive and profitable, but they also provide new opportunities for thieves to break into a real or virtual storefront. A hacker who accesses your credit card server or shuts down your Web site, even briefly, can destroy both your profit margins and your reputation.
Fortunately, safeguarding your data doesn't require the resources of a Marks & Spencer department store chain or an Amazon.com. Plenty of security initiatives fit neatly into a midsize retailer's budget. Here's what you should be thinking about as you stock your shelves and train your employees.
1. Protect your credit card data
Consumers are more concerned than ever about identity theft and credit card fraud, and rightly so: Federal Trade Commission officials estimate there were 10 million U.S. victims of identity theft between early 2002 and early 2003. This resulted in a total estimated cost of US $53 billion to U.S. businesses and individuals, according to the Cutter Consortium, an international IT research and advisory firm based outside of Boston. In June 2005, the major credit card companies addressed this issue by establishing a global technical data security standard, known as the Payment Card Industry (PCI) standard.
Under the PCI standard, merchants and payment processors that accept cards from Visa, MasterCard, American Express, Diners Club, and JCB International must meet rigorous benchmarks for securing networks and protecting cardholder data. A merchant that compromises customer information by failing to comply faces hefty fines and may even lose the right to take credit cards entirely.
Currently, only businesses handling more than 6 million credit card transactions a year must meet the PCI standard's requirements for regular security audits. Although most midsize retailers do not reach this threshold, you still need to keep credit card numbers out of the wrong hands. Here are five ways to achieve this goal:
• Hackers probing for network vulnerabilities will try the most obvious points of entry first, so change the default settings on all network equipment, from POS terminals to servers, to ensure encryption and other secure settings are enabled.
• Control access to credit card data. Beyond password protection, this might involve steps such as setting up a secure virtual local-area network (VLAN) exclusively for the relevant applications, or requiring employees to swipe a "smart card" to confirm their identity before they can log in to the database.
• Encrypt credit card and customer data, both in transmission and in storage.
• Monitor and log all credit card transactions so that each transaction can be associated with the specific employee who performed it.
• Consider simply deleting card data after each transaction is complete.
Look for obvious holes in security, too. Believe it or not, some smaller retailers are still using point-of-sale systems that generate receipts bearing the customer's full card number. Upgrade to solutions that mask card numbers at every stage of the purchase.
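As an added illustration of the last three tips above (logging which employee performed each transaction, deleting card data once the sale is done, and masking card numbers on receipts), here is a small point-of-sale record formatter. It is example code written for this page, not code from the article or from any POS product; the record layout, function names and the constructed tokenisation key are assumptions.

```python
"""Constructed example: a POS transaction record that keeps the full card number
(PAN) out of receipts and logs, while still tying the sale to a cashier."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac

# Constructed key for the illustration only. In a real deployment the key lives in
# a hardware security module or key vault, never in source code.
TOKEN_KEY = b"example-key-do-not-use"


@dataclass(frozen=True)
class TransactionRecord:
    timestamp: str
    register_id: str
    employee_id: str   # ties the transaction to the cashier who rang it up
    amount_cents: int
    masked_pan: str    # the only form of the card number a receipt or log may show
    pan_token: str     # non-reversible reference for later dispute lookups


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, e.g. '************4242'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:           # Visa/MasterCard are 16, Amex is 15
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed hash of the PAN: stable per card, but not reversible without the key."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]


def record_sale(pan: str, amount_cents: int, register_id: str, employee_id: str) -> TransactionRecord:
    """Build the record to persist. The full PAN goes no further than this function:
    it is not a field of the record, so nothing downstream can print or store it."""
    return TransactionRecord(
        timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        register_id=register_id,
        employee_id=employee_id,
        amount_cents=amount_cents,
        masked_pan=mask_pan(pan),
        pan_token=tokenize_pan(pan),
    )


def receipt_line(rec: TransactionRecord) -> str:
    """One line for the customer receipt and the transaction log."""
    return (f"{rec.timestamp} REG {rec.register_id} EMP {rec.employee_id} "
            f"CARD {rec.masked_pan} ${rec.amount_cents / 100:.2f}")
```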
2. Safeguard your e-commerce transactions
An online sales channel is only as effective as it is secure. If customers worry that doing business with you electronically will expose them to credit fraud, identity theft, and privacy violations, they will spend their money elsewhere. These six steps can be reassuring:
• Safeguard your servers and computers with Microsoft Forefront, an integrated family of security tools that filter out viruses and spam, block unauthorized users from your network, and allow employees to access only the data and applications they need to do their jobs.
• Physical security is also critical: store servers away from windows to avoid easy theft, and consider housing computer equipment in a separate room with a lock.
• Protect your databases from hackers with the advanced security features in Microsoft SQL Server 2005. For instance, SQL Server 2005 encrypts all client/server communications by default and supports database encryption, while its authentication features make it difficult for people to access the database with weak or old passwords. The software's granular permissions also let database administrators control more closely what authorized users can do, so that employees with access have sufficient rights for their tasks, but nothing further.
• Store e-commerce data on a server in your offices, not on a laptop or flash drive that can be stolen or misplaced.
• Ensure that your e-commerce applications employ appropriate security. For instance, Microsoft Commerce Server 2007 security features include Secure Sockets Layer support (the standard protocol for Internet security) and data encryption for improved protection of passwords, credit card numbers, and any other sensitive data. Commerce Server 2007 also includes a Security Configuration Wizard to walk you through the steps.
• As your online presence grows, choose a Web host with a spotless reputation for security, and developers who will ensure every new feature on your site is secure as well as functional. This may require additional training for developers, an audit by a security consultant to ensure you have the proper data and application protections in place, or both. Your e-commerce hosting company should be able to provide training and expertise on this topic, as well as contractual assurances for security. Consider instituting secure application development procedures in your organization.
3. Keep your marketing data secure
Your customer relationships are a gold mine, and only a select few employees should be allowed to dig in your customer data. Here are a few tips:
• To access your customer relationship management (CRM) system, require that employees enter two passwords: the first for your corporate network, and the second for the application itself. This process protects both the application and the data within it. (The same process should, of course, apply to all of your business applications housing sensitive data.)
• Set up secure virtual private networks (VPNs) for your mobile sales staff so they can transmit customer information over the Internet without exposing it to prying eyes. For this, you'll need to ensure your VPN has firewalls to provide a barrier between the public Internet and your private network, and that it employs encryption and authentication technologies. (Microsoft supports VPNs through Windows Server 2003 and its firewall product, ISA Server 2006.)
• Upgrade employee laptops to Windows Vista and enable the BitLocker Drive Encryption data protection feature, which encrypts and password-protects an entire hard drive and prevents decryption if someone has tampered with the drive.
• Consider adding a solution such as PC Data Defense from Iron Mountain, which automatically destroys sensitive data if it detects suspicious activity such as repeated errors entering passwords.
4. Put controls on your inventory
Knowing what you have in stock boosts your profit margin, both by enhancing customer service and by minimizing losses. These steps can help improve inventory management and spot both internal and external thieves:
• Integrate financial and supply chain solutions to capture individual transactions, compare them to expected inventory levels, and make sure your products are not leaving the store faster than your employees are selling them.
• Monitor the activities of employees and shoppers with Internet Protocol-based security cameras that stream video over the network to authorized employees. Wireless networking makes it easy to install a camera almost anywhere in a store, from back corners to break rooms, and video archived on a hard drive or server needs far less storage space than a stack of VHS tapes.
• If RFID (radio frequency identification) technology helps you track when stock is running low or items are misplaced, use it as a security tool as well. Install a tag reader at your door to trigger an alarm if an item leaves the store before an employee removes or disables its RFID tag at the point of sale. RFID expertise is available through large multinational IT consulting firms, as well as smaller regional consultants and RFID technology vendors. Because RFID is still in the early stages of adoption, evaluate outsourcers carefully and hire an expert with real-world experience implementing and troubleshooting RFID projects.
Next steps
Working with either your IT staff or a security consultant, pinpoint your most urgent needs and develop a plan to address them. Improved security bolsters customer confidence and avoids costly problems such as:
• lost revenues from theft;
• lost or compromised data;
• business interruptions caused by network downtime; and
• the potential legal consequences of a security breach.
Although you may not have the budget to truly safeguard your entire business, even simple steps such as requiring employees to change their passwords regularly and encrypting critical databases can make a huge difference to customer confidence, and to your profitability.
Fawn Fitter is a freelance writer in San Francisco, California, specializing in business and technology. She has written for publications including Fortune Small Business, Knowledge Management, and Computerworld.