Guest Commentaries

Compliance: Is It All About Supply and Demand?

Oct. 10 2008
By Gary Palgon
Email: gpalgon@nubridges.com

In the retail business, it may all be about supply and demand, but when it comes to security and compliance, the supplier’s security challenges become the retailer’s problem as organizations partner electronically. The task becomes increasingly complex as retailers seek ways to enable more partners and more types of electronic transactions (e.g., purchase orders, ship notices and invoices), in addition to trying to protect more types of consumer information collected from more types of devices.

Much of this is due to the rise of multichannel retailing, which enables merchants to expand their product offerings by using multiple sales channels. This, in turn, generally stimulates relationships with more suppliers. Clearly, the more options customers have to purchase from a retailer, the greater the opportunities for revenue.

Today, the most progressive retailers sell through a combination of brick-and-mortar stores, online stores, in-store kiosks, inbound telephone-order centers supporting television, radio, direct-mail and catalog advertising, and soon, cell phones. All of these points of sale require customers to enter or provide credit-card information and other personally identifiable information (PII). In addition, many retailers have loyalty programs in place that collect and store PII about individuals as well as their buying patterns and preferences, information that is often shared with third parties.

Under the multichannel model, most retailers provide for drop shipping between the supplier and customer for items that are not carried in the store or stocked in the retailer’s warehouse. This requires merchants and suppliers to exchange not only purchase orders and invoices but also customer information, such as name, address and phone number, to fulfill an order that is shipped directly from the supplier to the customer.

Other stores employ in-store kiosks that allow customers to order un-stocked merchandise. In some cases, the items are only available from the kiosk or the company’s online store. In other cases, the items are stocked at another store and can be shipped directly to the customer or to the local store for pickup. In every case, the consumer information that is collected at the kiosk and electronically transmitted to fulfill the order must be guarded.

Another recent trend to build customer loyalty is store-branded credit cards. These cards are generally offered at checkout with instant approval. Once the customer fills out the application, the information is immediately entered into the retailer’s computer and transmitted to the financial institution for approval. This is yet another important example of where customer information must be protected on the store computer and as it is being transmitted to the financial institution.

While no law requires retailers to encrypt consumer information on its own (unless it is combined with other sensitive data, such as a bank-account number, Social Security number or driver’s license number, as mandated by state breach-notification laws), responsible merchants protect their consumers’ data even without a legal mandate. Ask a consumer, and most will say they would prefer that even their names, addresses and phone numbers be secure.

The bottom line is that to fully exploit the potential that multichannel retailing presents, retailers must establish secure electronic relationships to protect customer credit-card, PII and loyalty information with potentially thousands of business partners, going beyond what industry and governmental security regulations and laws require. To achieve this, the connections should be protected using secure FTP or electronic data interchange (EDI) through a network or one of the EDI-INT protocols (AS1, AS2, AS3). Moreover, data must be secured at rest, wherever it resides in retailer and supplier organizations.

These four steps can help retailers secure confidential consumer information entrusted to them:

• Review what consumer information is shared with business partners (e.g., payment-card numbers, personally identifiable information, loyalty data).

• Examine all relationships with business partners to ensure all electronic communication connections are secure. As a reminder, clear-text FTP is not secure.

• Consider installing a B2B gateway, a single point that handles all communication between the retailer and its business partners. B2B gateways provide retailers with unprecedented visibility and control over the information that flows in and out of the company and dramatically reduce security risks.

• In addition to securing data at rest and in motion between points of sale and with suppliers, go the extra mile and lock down sensitive customer information as it flows within your organization.

With ever more relationships being established between retailers and suppliers to satisfy supply and demand, and increasing amounts of various types of sensitive data being shared electronically, responsible merchants are taking every opportunity to protect the sensitive consumer information entrusted to them—a practice that is of immeasurable value in building customer trust and loyalty.

Gary Palgon is VP of product management for nuBridges, Inc., the secure eBusiness authority, and a frequent contributor to industry publications and a speaker at conferences on eBusiness security issues and solutions. He can be reached at gpalgon@nubridges.com. To learn more about nuBridges, please visit www.nubridges.com.

 



Article tools