Executives at Staples recently received an e-mail alerting them that consumer credit-card data had been compromised. Lucky for these associates, it was only a test. It is these kinds of drills that keep Staples’ data-security efforts sound.
While security tests are nothing new for retailers, they are taking on a new meaning as the industry tries to stay out of hackers’ line of fire. That said, retailers are placing more attention on planned and spontaneous tests to uphold internal data-security efforts and ensure systems are protected from possible data breaches.
Framingham, Mass.-based Staples uses customer information as a tool to upsell, target coupons and connect with its shoppers. “While we do not store consumer credit-card information in our retail systems, we are still committed to protecting it,” Christopher Dunning, Staples’ enterprise information security officer, said during NRFtech. The event, sponsored by the Washington, D.C.-based National Retail Federation, was recently held in Denver. Many companies actually changed their data-security mind-sets as they began preparing for PCI DSS (Payment Card Industry Data Security Standard), a standard established by the four major credit-card companies to protect cardholders against the misuse of their personal information. While PCI DSS clearly increased many companies’ awareness of the potential of data breaches, savvy retailers understood that the road toward data security didn’t stop with PCI. Staples was one of those companies.
“One challenge we struggled with while preparing for PCI compliance was the back and forth with banks on timetables for compliance, compensation and controls,” he explained during the session, “Retail Data Security—An Industry Reality Check on the Quest to Protect Consumer Information.”
“While we worked to become compliant, larger industry breaches began occurring. It became clear we needed to get our house in order, so to speak. The focus goes beyond PCI and into privacy,” Dunning said. “It was more than complying with PCI. It was about doing what was right for the organization.”
That’s why Staples makes a point of conducting real-world drills to keep all associates on their toes and ensure it is doing its best to protect data.
Efforts began approximately two years ago when the company encountered a hacker. After that, Staples has never looked back.
The chain began cleaning data and restructuring back-end systems. “We operate in an AS400 environment, so it was a priority to understand where and what needed to be cleaned out. Then we moved our efforts into our data-storage systems,” Dunning explained.
The retailer also realized it needed looser, unscheduled testing of applications. During the conference, Staples had two real-world drills under its belt. But attendees understood the importance of these tests when Dunning described a test just prior to NRFtech.
“We held a meeting with a group of company executives to discuss crisis training. With the assistance of our help desk, we faked a systems security breach,” he recalled. “An e-mail memo stated that our bank was notifying us that card data had been compromised. Half of the group was aware of the test, and the other half was not.”
The test elicited mixed reactions, but the strongest came from the company’s VP of human resources, who conducts the company’s training classes. “He admitted it was the best training they had ever experienced,” he said.
The point of the drill was to educate the group on the breadth and consequences—especially the costs involved—that come from not being prepared for a data breach. “The cost of a large security breach is huge,” he reported. “Just to notify all of Staples’ customers about a breach would cost $43 million in postage alone.”
During the show, Dunning reported that Staples was preparing for another real-world drill this fall.