Q&A: How retailers can protect the path to retail success
June 01, 2020
Retailers are gathering more data than ever before. Protecting customer data is no longer just the domain of data experts. In an age when major data breaches, payment fraud and identity theft are commonplace, protecting customer data is nothing less than mission critical for retailers.
We sat down with Brant Peterson, Director, Head of Security & Risk Products at Worldpay from FIS to discuss steps retailers need to take to protect customer data—and their reputation.
Worldpay: What’s most exciting to merchants about these new dimensions and uses of data?
Brant Peterson: There’s so much data out there. What’s exciting is that retailers can now make meaningful connections between seemingly isolated data. Data from fitness apps, eCommerce transactions, location-based data, or payments data might provide some value in isolation. Today these seemingly unrelated data points are being synthesized to create highly relevant, personalized, and engaging consumer experiences.
In the realm of payments, those connections are being linked through the context of a consumer device. You’re seeing a lot of new consumer hardware designed for home automation that provides simple, compelling experiences, like reordering goods within the context of your own home.
Data is making it easier, faster, and simpler to do that. Data is making those connections between things that seemingly have nothing to do with payments, and now linking in payments, or linking buyer and consumer behavior.
Worldpay: What types of data are being collected about customers today?
Brant Peterson: We’re seeing a lot of data and analytics about shopping carts and purchase histories, so you’re offered coupons and incentives to keep the customer engaged, even if they may have abandoned their cart or come back at a later time, to ensure they’re linking the customer to the intended purchase. The other thing we’re seeing more of is personal data coming from fitness apps that track workout behavior, collecting metrics on performance and location.
Worldpay: Are there any best practices for using data to enhance customer experiences, while not making customers feel “watched” or crossing into privacy considerations?
Brant Peterson: There’s real security and then there’s perceived security. It doesn’t matter if merchants are comparably more or less secure—if there’s even a perceived security issue, customers will drop. Customers will abandon their cart and they will leave if they feel like they’re not safe, if they feel like it’s not a secure experience.
Worldpay: What impact is that data collection having on customer experience?
Brant Peterson: Retailers are looking to create customer experiences that delight shoppers and keep them coming back for more. A lot of data collection today is geared toward providing real-time rewards that are integrated into shoppers’ online account or mobile app. For example, customer data drives chat bots or customer service clients that help navigate a customer through an eCommerce checkout.
Properly curated data helps merchants provide much richer customer experiences, tailored for that consumer. The more data, the better the consumer experience.
Worldpay: How important is it for merchants to use and protect data responsibly?
Brant Peterson: Brand reputation and credibility is everything for merchants. That makes the responsible protection of customer data mission critical. Retailers are trying to provide a positive, rich experience, but they put their reputation at risk when they don’t adequately protect data. When organizations suffer data breaches or incidents, customers walk away.
The role of third parties in data protection is also critical. Merchants tend to rely on third-party service providers rather than collecting data themselves. We’re seeing attackers increasingly taking advantage of trust between data service providers and merchants.
We generally think, “I’m going to outsource all the data to a third party; they’re a software developer, they provide updates and patches, and they’re good. I don’t expect anything to be wrong with them.” The attackers know this. They can go after a service provider that has access to hundreds if not thousands of organizations. My ROI as an attacker is far greater going after third parties than individual organizations.
Threat groups know this, and they seek to split the trust between merchants and third parties. Not only do merchants need to protect their own data in their environment, but if they transfer data or provide it to third parties, they must do so in a way that’s responsible and mitigates risk to their customers, as well as to their own brand.
Worldpay: Could you relate any examples of third-party issues specific to merchants?
Brant Peterson: The biggest one now in eCommerce involves a third-party attack that injects malicious code all over merchant checkout pages. They can exploit weaknesses in customer service clients, such as a chatbot client.
Because the merchant trusts the chatbot client, the client is infected and malicious code comes to the checkout page and captures cardholder data and personal information before it enters a secure payment page. They’ve exploited trust between the merchant and the third-party service provider.
Worldpay: What should a retailer do to protect their customer data?
Brant Peterson: Processing and storing cardholder data involves risk. The good news is that more merchants are deploying point-to-point encryption. Point-to-point encryption removes cardholder data from an organization’s retail environment prior to an authorization attempt, helping to reduce incidents at the point of sale.
Risk emerges from the potential of data theft, fraudulent transactions, phishing attacks, and many other opportunities for fraudsters to exploit human vulnerabilities. Even if you implement defenses for all those threats, do you have alerting and detection to help you identify when there’s a problem? What about an incident response plan? Are you prepared to act? Do you have a recovery plan?
Merchants need to deploy multiple layers of technology to mitigate distinct risk factors. You have a house key to unlock your door, but you also have an alarm, and a smoke detector. Those are different tools designed for different threats to your house. Whether a homeowner or a retailer, you need to know how to assess and mitigate risk.
Worldpay: Can you talk about data and security in relation to some of the newer ways that payments are being processed?
Brant Peterson: Merchants accept cardholder data in-store, online and via mobile apps. Retailers collect and store cardholder data for analytics, customer identifiers, for omnichannel purposes like buying online and returning in store without having to rerun a customer’s credit card.
When merchants are storing cardholder data—even for legitimate business reasons—it’s easier for attackers to infiltrate and evade detection. Data protection like tokenization is critical. Data protection methods help protect data, even if an attacker does get into their environment. Tokenization renders data meaningless to fraudsters.
Cloud has a lot of benefits, but just because data is in the cloud doesn’t mean it’s secure. Attackers are going to follow data into the cloud. Attackers can still attack. They can go after access accounts and exploit credentials.
Worldpay: What technologies and best practices are elevating protection for merchants and their customers today?
Brant Peterson: I would highly recommend, as a critical path, using encryption for all retail transactions; it has been proven to reduce attacks. We recommend PCI-listed or PCI-validated solutions. Absolutely use tokenization if you’re storing cardholder data.
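As an added illustration of the tokenization recommended above (example code written for this page, not Worldpay/FIS code): a minimal token vault in Python. It assumes the vault runs at the payment provider, outside the retail environment, and that tokens keep the card’s last four digits for receipt matching; the key and card number are constructed test values.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they ever reach the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Issues random tokens for PANs. Only the vault (assumed to sit at the
    payment provider, outside the merchant's systems) can map a token back."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # constructed demo key, per vault
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fp: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Keyed fingerprint: the same card yields the same token (needed for
        # returns and repeat customers) without a plaintext PAN index.
        fp = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        while True:
            # 12 random digits + real last four: the token is not derived from
            # the PAN, so a stolen token table reveals only those four digits.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider calls this, e.g. to run a return without re-swiping."""
        return self._pan_by_token[token]
```

A merchant database that stores only `tokenize()` output holds nothing an attacker can use for a fraudulent transaction; the PAN exists solely inside the vault.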
Worldpay: What should retailers expect when it comes to AI assisting in security?
Brant Peterson: The market’s moving that way for fraud detection and fraud rules. Fraud detection uses rules and configurations that need to be modified over time. It’s a manual process that requires real resources to assess risk. AI really makes a lot of that learning and preservation of data and incidents of compromise easier—easier to identify, understand, and respond faster.
AI is about learning—intelligence, learning, interpretation. The more we implement AI, the better learning, faster learning with each iteration. It’s going to be able to connect the dots where some of the human interaction wouldn’t be able to.
Worldpay: Looking to the future, is there anything else that organizations should be thinking about in terms of protecting themselves from this data vulnerability?
Brant Peterson: All industries should be on high alert. Regardless of what vertical you’re in, it doesn’t matter if you’re a small merchant, midmarket versus nation. If anything, we see more attacks at the SMB level and now that’s started to bleed, as we see more service providers that have multiple market segmentation that they go after.
Everything seems to be becoming more connected. We’re constantly growing and it’s likely that we’ll start to see attacks exploiting new vulnerabilities. We’ve seen the sophistication of botnet attacks and we can expect to see that on smart devices as well.
Choosing a service provider is critical, whether it be payment service provider, ISP, POS software, loyalty, et cetera. Make sure they’re PCI compliant, that they’re protecting your data, and that they’re meeting best practices for data collection and storage. As we get more connected, it may not be you, but it could be actions by the third parties you contract with that can result in data compromise.
Worldpay: What can merchants do to make sure those third parties are continually updating and monitoring and bringing technology up to best practices?
Brant Peterson: Managing third party risk is the biggest problem for a lot of organizations. Merchants may experience a moment in time when they become PCI compliant, but they don’t maintain their program or maintain that relationship with third parties.
Merchants must stay diligent on an annualized basis. Building a responsibility matrix is essential: here are the things you’re responsible for as the merchant; here is where your third party is responsible. You need a working agreement or legal language in terms of making sure that you’re meeting and adhering to those, but you must stay diligent. That often means full-time people dedicated to managing third-party risk.
To learn about protecting customer data, download our free report.