Bringing it all Back Home
The days of independent silos, when the Web, phone, catalog and store could be operated separately, each with its own unique customer experience and fulfillment processes, are behind us. Today’s “always connected” consumers demand a seamless experience from the retailers they shop, regardless of channel. And that seamless experience requires extensive alignment of systems on the back end as well as the front end.
Weehawken, N.J.-based Hanover Direct is a multichannel, multibrand retailer, which operates catalog, phone and e-commerce channels, along with five physical stores, under several banners: Company Store, Company Kids, Scandia Home and Undergear. Currently, Hanover is in the process of revamping back-end systems and processes to allow its customers as seamless an experience as possible, regardless of how they choose to engage with the retailer.
“When you think of separate sales channels, you fight on growing each point of interaction separately,” explained Jeffrey Rosenholtz, CIO of Hanover Direct. “When you look at the company as a whole, you grow each point of interaction holistically. You get one view of the customer and all the channels work in tandem.”
With this philosophy in mind, Hanover Direct realized that its previously existing homegrown back-end infrastructure, supported by a 17-year-old enterprise mainframe as well as a variety of disparate on-premise legacy software solutions, was not suitable for providing a modern, seamless customer experience. As a result, in August 2012, after a six-to-seven-month implementation, Hanover Direct launched NetSuite OneWorld to support customer-facing activities on a common Demandware front end that served as a platform for catalog, call center and e-commerce channels.
Real-time Order Management
According to Rosenholtz, one big advantage the NetSuite implementation offers is the replacement of a daily batch-processing order management cycle with a real-time cycle, which leads to enhanced promotional effectiveness. “We can put a promotion on the Web and see how it’s doing,” Rosenholtz said. “We can track source codes. If the promotion isn’t doing well, we can tweak it in real time and see if the changes are working.”
Masters of Store
Rosenholtz said Hanover Direct plans to implement a POS system from NetSuite in its stores so that the store becomes part of the larger seamless customer experience.
“Once stores are online, our goal is to be able to shift inventory from store to store to meet demand,” Rosenholtz added. “We want one combined experience so that when you swipe a credit card in the store, we can make a targeted offer based on what you’ve bought online.”
In addition to improving customer service, promotions and order management, the NetSuite implementation has allowed Hanover Direct to streamline its IT operation. By shifting enterprise operations to the cloud-based NetSuite platform, the retailer has been able to reduce IT resources, scale back hardware from 46 to 25 servers, and eliminate the cost of maintaining and operating the facility.
“We need to serve the modern customer who shops by tablet, smartphone and Web,” Rosenholtz said. “We couldn’t do that with 1990s technology, but we can do that now.”
Protecting Customers’ Data
While debate goes on about the use of technology to reduce the potential for credit card fraud, there are basic operational steps that retailers can take now to protect customer data and minimize risk. And the starting point should be to draw up a statement of standard operating procedures (SOP) for everyone in the organization.
“Make sure you have a clear written policy about how to handle credit cards,” said Mark Burnette, a partner with LBMC Security & Risk Services, a Nashville-based consulting firm. “And make sure your employees have been educated on the policy. Bring up the topic regularly in your staff meetings.” A company’s SOP must address the critical need of keeping sensitive customer numbers under wraps.
“Where the merchant is most vulnerable is in the accidental mishandling of card information,” said Burnette. “Suppose, for example, an employee takes an order over the phone, jots down the card number on a piece of paper, and then later drops the paper into the trash instead of a shredder. That violates the PCI and is bad business practice.”
Another good rule is to keep the credit card in the hands of the customer as long as possible.
“Employees should quickly process the card and return it,” Burnette said. “This will keep the card from being accidentally grabbed (or from having its number written down) by someone else.”
The right hardware can be as important as the right procedures. Has the company been using the same POS equipment for many years? It may be time to replace it.
“Some retailers still have legacy equipment that they don’t even realize is capturing cardholder information that can be compromised,” explained Paul Rianda, an attorney in Irvine, Calif. “In contrast, if merchants use newer equipment, and use it correctly, there should be no way to lose cardholder information.”
Computer systems face special challenges.
“You need to establish rules about passwords and about access to the computer system,” Burnette said. “Each employee should have a unique security code, which they are forbidden to share with other employees or even with managers. The passwords should allow access only to those sections of the database required to do an individual’s job.”
It is recommended to use only hardware and software that have been approved by the PCI Security Standards Council (approved vendor lists are available at pcisecuritystandards.org). A company should make sure it uses a firewall, and that its wireless router is password-protected and uses encryption. It should also change the default hardware passwords to complex ones.
Many of the protective steps suggested in this article derive from a broader maxim near and dear to the hearts of security people everywhere: Retain only the information you need.
“Follow the rule that says ‘if you do not need customer information you should not keep it,’” said Burnette.
Education is the first step to safety. Many smaller merchants are not aware of the duty to protect customer data, nor of the continually morphing rules. Ignorance of the law, as always, is no excuse. Taking the basic steps in this article will reduce your risk considerably.
Added Burnette: “Make sure you have a written policy in place, train your employees properly, and make sure your computer system is PCI compliant.”
Phil Perry is a New York-based business writer.
In the Chips
The data security breaches at Target and Neiman Marcus have put a white-hot fire under the push for the adoption of microchip-based credit-card technology to replace the traditional (and, many would say, backward) U.S. standard of magnetic stripe cards. (The latter store unencrypted customer data on magnetic stripes.) Advocates of the chip cards, which store encrypted customer data on embedded microchips, say their use minimizes the risk of data breaches at the POS.
But how exactly do chip-enabled cards work, and how much additional protection do they really offer?
Cards that store customer data in an embedded microchip as opposed to a magnetic stripe follow a standard called Europay, MasterCard and Visa (EMV), which is used by every developed nation except the United States. The POS terminal typically reads the chip via Bluetooth or Wi-Fi connection, significantly reducing the chance of hackers intercepting the data and also making “cloning” cards with phony duplicates all but impossible.
The customer can then have their identity further verified by entering a PIN or a signature. Exactly what type of authentication should be used beyond the microchip, which does not itself prevent the use of a stolen or lost card, is the subject of debate. The National Retail Federation (NRF) and Target Corp. both recently came out in support of what is known as “chip and PIN” authentication.
Going the Extra Mile
“The chip validates that it’s the real card,” said Tom Litchford, VP of retail technologies at NRF, in a February 2014 press conference. “The PIN provides two levels of validation.” And in a February 2014 column published on the Chain Store Age website, John Mulligan, executive VP and CFO of Target Corp., expressed support for U.S. retailers to adopt chip and PIN. Target ran a three-year pilot of chip-based cards from 2001 to 2004.
“Since the breach, we are accelerating our own $100 million investment to put chip-enabled technology in place,” said Mulligan. “Our goal: Implement this technology in our stores and on our proprietary REDcards by early 2015, more than six months ahead of our previous plan.”
Cost has been a major factor preventing widespread U.S. adoption of chip-enabled cards. The NRF estimates that switching to either form of chip-based card verification would cost $20 billion to $30 billion in software, hardware and card upgrades during a period of several years. The NRF wants banks, acquirers, card issuers and other payment card partners to share costs associated with chip and PIN migration.
Currently, card issuers are primarily responsible for covering fraudulent losses. However, as of October 2015, fraud occurring at U.S. retailers with chip-enabled cards will be the responsibility of the retailer if they cannot process a chip-based payment, which some analysts think will jump-start adoption. Many major U.S. card providers currently offer or plan to offer chip-enabled cards.
Not a Panacea
Even experts who support adoption of chip and PIN caution it is not a cure-all to prevent the theft of customer payment data. Paula Rosenblum, managing partner at RSR Research, said that hackers in the recent Target data breach used a “phishing” email to take over a computer at one of Target’s HVAC vendors and from there penetrated Target’s network using phony vendor credentials. This let them install malware and steal customer data while bypassing the POS.
“My own point of view is that no fixed standard can give you 100% security in an ever-changing world,” said Rosenblum. She added that chip and PIN is still highly useful, especially if combined with point-to-point data encryption.