Securing business and customer information is of utmost importance to all retailers. If addressed and implemented correctly keeping data secure can be simple and straightforward. If forgotten or overlooked, the unsecured data can be accessed by unwanted persons, leading to negative press, lawsuits for lack of compliance, and a very big headache.
DUTY TO PROTECT CUSTOMER INFORMATION
While it's security best practice and general common sense to protect customer information, industry standards and government regulations require retailers to protect customer information. Retailers must ensure data integrity and auditability for their online transactions, payment settlements, transaction processing and any sensitive data. This protection is performed by adopting encryption of sensitive data, both in transport across the Internet, and in storage - whether that storage be in the cloud or on a server, desktop or device within the companies private network.
Melby's Jewelers in Santa Maria, California is a good example of a diamond jewelry store that protects their customer information. Melby's uses Swim jewelry software, which encrypts all data both in transport and in storage and allows customers to opt out of email and marketing. And with Swim, they use the integrated payment gateway Open Edge Pay that is fully PCI compliant, protecting customers’ electronic payments.
WHAT INFORMATION SHOULD I BE PROTECTING AND HOW?
Payment Processing: The priority when looking at security for most businesses is security of payment processing. Retailers need to be PCI compliant when processing payments. PCI DSS stands for Payment Card Industry Data Security Standard. This compliance code requires the protection of sensitive payment account data — such as primary account number (PAN), magnetic stripe data, CVV, and PIN — by any company that processes, stores, and transmits such data.
The easiest way for a retailer to be PCI compliant is to use a payment processor for both in-store and online transactions. Open Edge Pay, Global Payments and Tyro are a few examples of PCI compliant payment processors. If you are using a point of sale system that uses integrated credit card processing you will also need to ask the system provider to ensure that the program is PCI compliant. Swim POS software for the jewelry industry, for instance is already PCI compliant.
Storing of Credit Card Information and Other Sensitive Data: In addition to the processing of payments, if your business stores the customer credit card number, social security number, driver’s license number or any other sensitive information, you will need to ensure that this information is encrypted. If you are using a point of sale or software solution to store this data, you can ask your provider whether the stored information is encrypted. Most cloud software solutions will already be encrypted and some desktop based solutions now offer encryption, so if you haven’t chosen a software system yet, make sure to look for this feature.
Beware of storing this sensitive type of information in a spreadsheet, database or document as it will not encyrpt the data and can leave your store open to non-compliance and security risk. Even if this data is stored on a PC or server within your own network, the data is at complete risk.
IS MY DATA SECURE? CLOUD SYSTEMS AND IN-HOUSE SYSTEMS
Too often, one assumes that by having data stored on their own PC or server, it means the data is safe. This is simply not the case. Un-encrypted data on any PC, server, backup device (such as portable hard drive or USB hard drive) or mobile device can be easily accessed by hackers. Wireless networks and the Internet allow hackers to enter into the system and easily extract this information.
Prior to much belief, cloud computing solutions are by and large more secure than in-house systems.
With cloud-based systems your data is automatically backed up, data transfer and storage is fully encrypted, and the firewall and security protection of the servers is actively maintained and monitored by high-level professionals. Many in-house systems and networks are set up by staff, owners or IT people who are not professionals in network security. What this means is there can be great vulnerability in the network setup, allowing for attacks and hackers.
Below are some important points highlighting the difference in security between desktop software and a cloud based solution*:
- Employees can copy a software file from your computer without a trace.
- If stolen, a computer, USB hard drive or portable hard drive with any business software data on it potentially creates a significant privacy, security, and recovery issue.
- A computer is vulnerable to viruses, trojans and other malicious attacks that read, obtain, or corrupt data on your computer. Wireless networks and wireless devices are especially vulnerable, as are desktop computers where security patches are not maintained.
- People often store credit card numbers in retail software files which is a major security issue if not encrypted and compliant.
Online (Cloud Based) Solution
- Employee access is monitored and logged, helping you monitor employee movement. Employees are only permitted to perform tasks or see information and data that you allow.
- Cloud solutions don't store your data on your local hard drive, so there is no risk if your computer is stolen. In addition, you are still able to continue functioning, with no data loss. All you need to do is sign in using another computer and you are up and running.
- Cloud solutions are accessed via a web browser, which reads data from the cloud servers. The SSL security encryption ensures the data between the web browser and server is also secure. Cloud server operating systems are kept up-to-date with security patches.
- Cloud systems can process card payments with a PCI compliant gateway. The entire transaction is encrypted, and no credit card information is stored on the local computer.
*For information on what a cloud-based point of sale is and how it differs from server or pc based point of sale systems, take a look at my first blog in this series.
As you can see, securing your data is not so much about where it is stored, but how it is stored. Whether you use a cloud based solution or PC based solution, you need to ensure the data is fully encrypted on servers which are kept up to date with security patches, maintains a strong firewall, uses SSL security for Internet and network data transfer and has user passwords, permissions and access logs. These are the basic steps for ensuring a secure system.
STEPS YOU CAN TAKE TO INCREASE YOUR SECURITY PROTECTION
Here are a few steps you can take today, to ensure your store's security:
- Check how payments are processed and ask your provider whether the solution you are using is PCI compliant and all devices (e.g. magnetic swipe cards, e-commerce site entries) are PCI compliant.
- Check what information you are storing about the customer. Do you store any credit card information, social security, drivers license information, birth dates. Next ask if you really need to store this information. If you don't, safely remove it from your system. If you do need the information, check with your software provider whether the database the information is stored in is encrypted and that all data is encrypted in data transit.
- Set up staff permissions and passwords to all systems that store business data and ensure access is fully logged. If your system does not provide for individual user tracking, strongly look at upgrading to a system that does.
- Create strong user passwords and don’t share your user password with anybody.
- Don’t write your password on a sticky note and attach it to your computer.
- When using cloud solutions, keep your browser software up to date.
- If you use a desktop solution, keep your operating system, firewall and virus protection software up to date.
- If you operate a wireless network, have a wireless network security professional check the firewall and ensure it has strong security and is kept up to date. Also ensure your wireless network is password protected with a very strong password.
- When employee's leave, remove all computer access immediately.
- If you backup data to a USB or portable hard drive, ensure the backup is encrypted and the device has password protection to access the contents of the drive. There are software programs that can encrypt data first, before backing up.
- If you use a cloud based backup service, check with the provider that the backup data is encrypted.
- If you upload reports or other business data to cloud based file storage such as Dropbox, only give access to the data to those that really need it and remove the data as soon as it is not needed to be shared.
Securing your data is of utmost importance, and while on the surface it seems complicated and difficult, by following a set of steps and working with solutions already available and compliant, your store can rest easy, knowing that your customers’ data is safe and protected.
About the Author
Raeleen Kaesehagen is the founder and CEO of Swim jewelry software, the leading web based retail management point of sale system for retail and manufacturing diamond jewelry stores worldwide.