Protecting Customers’ Data
While debate goes on about the use of technology to reduce the potential for credit card fraud, there are basic operational steps that retailers can take now to protect customer data and minimize risk. And the starting point should be to draw up a statement of standard operating procedures (SOP) for everyone in the organization.
“Make sure you have a clear written policy about how to handle credit cards,” said Mark Burnette, a partner with LBMC Security & Risk Services, a Nashville-based consulting firm. “And make sure your employees have been educated on the policy. Bring up the topic regularly in your staff meetings.” A company’s SOP must address the critical need of keeping sensitive customer numbers under wraps.
“Where the merchant is most vulnerable is in the accidental mishandling of card information,” said Burnette. “Suppose, for example, an employee takes an order over the phone, jots down the card number on a piece of paper, and then later drops the paper into the trash instead of a shredder. That violates the PCI and is bad business practice.”
Another good rule is to keep the credit card in the hands of the customer as long as possible.
“Employees should quickly process the card and return it,” Burnette said. “This will keep the card from being accidentally grabbed (or from having its number written down) by someone else.”
The right hardware can be as important as the right procedures. Has the company been using the same POS equipment for many years? It may be time to replace it.
“Some retailers still have legacy equipment that they don’t even realize is capturing cardholder information that can be compromised,” explained Paul Rianda, an attorney in Irvine, Calif. “In contrast, if merchants use newer equipment, and use it correctly, there should be no way to lose cardholder information.”
Computer systems face special challenges.
“You need to establish rules about passwords and about access to the computer system,” Burnette said. “Each employee should have a unique security code, which they are forbidden to share with other employees or even with managers. The passwords should allow access only to those sections of the database required to do an individual’s job.”
Use only payment hardware and software that the PCI Security Standards Council has validated (its lists of approved PIN-entry devices and validated payment applications are published at pcisecuritystandards.org). Keep the systems that handle card data behind a firewall, make sure any wireless network is password-protected and uses strong encryption (WPA2; the older WEP scheme is broken and prohibited under PCI DSS), and change every default password on routers, firewalls and POS equipment to a complex one.
Many of the protective steps suggested in this article derive from a broader maxim near and dear to the hearts of security people everywhere: Retain only the information you need.
“Follow the rule that says ‘if you do not need customer information you should not keep it,’” said Burnette.
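The retain-only-what-you-need rule and the phone-order example above come down to one question: once a payment is authorized, which of the captured fields may be written down at all? The following is an added example, not code from the article or from any PCI product. It encodes the PCI DSS storage rules: sensitive authentication data (full track contents, the card verification code, the PIN or PIN block) is never stored after authorization, and a retained PAN is kept only in masked form (first six and last four digits, the most PCI DSS v3 permits to be displayed) plus a keyed one-way token. The field names, the sample record and the demo key are constructed for the example.

```python
"""Data-minimization filter for a captured card payment record (added example)."""
import hashlib
import hmac
import re

# Fields a merchant may keep after authorization (PCI DSS v3, Requirement 3).
RETAINABLE = {"cardholder_name", "expiry", "amount", "auth_code", "order_id"}
# Sensitive authentication data: must be discarded once the transaction is authorized.
FORBIDDEN = {"track1", "track2", "cvv2", "pin", "pin_block"}

# Constructed sample of what a terminal or phone-order form might capture;
# the PAN is the well-known 4111... test number, not a live account.
SAMPLE_CAPTURE = {
    "order_id": "A-1001", "amount": 4999, "cardholder_name": "J. DOE",
    "pan": "4111111111111111", "expiry": "1705", "cvv2": "123",
    "track2": "4111111111111111=17051011234567890", "auth_code": "00A1B2",
}


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit, so obviously mistyped numbers are rejected early."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; everything between is replaced."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, secret: bytes) -> str:
    """Keyed one-way reference so a repeat customer can be recognized without the PAN.
    An unkeyed hash would be brute-forceable (roughly 10^9 candidates per BIN),
    so the secret is mandatory; protecting that key is a separate, assumed, control."""
    return hmac.new(secret, pan.encode(), hashlib.sha256).hexdigest()


def retain_for_storage(captured: dict, secret: bytes) -> dict:
    """Return only the subset of a captured record that may be written to disk."""
    stored = {k: v for k, v in captured.items() if k in RETAINABLE}
    stored["pan_masked"] = mask_pan(captured["pan"])
    stored["pan_token"] = pan_token(captured["pan"], secret)
    return stored


def storage_violations(record: dict) -> set:
    """Audit helper: which forbidden fields does an at-rest record still contain?"""
    return FORBIDDEN & set(record)


if __name__ == "__main__":
    print("before:", sorted(storage_violations(SAMPLE_CAPTURE)))
    print("after: ", retain_for_storage(SAMPLE_CAPTURE, b"demo-key"))
```

Run against the sample record, the audit helper flags `cvv2` and `track2` in the raw capture and nothing in the filtered copy; the filtered copy carries no full PAN, only `411111******1111` and the token. The same `storage_violations` check can be pointed at exported database rows or log lines to find legacy systems that are still writing track data without anyone realizing it.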
Education is the first step to safety. Many smaller merchants are not aware of the duty to protect customer data, nor of the continually morphing rules. Ignorance of the rules, as always, is no excuse. Taking the basic steps in this article will reduce your risk considerably.
Added Burnette: “Make sure you have a written policy in place, train your employees properly, and make sure your computer system is PCI compliant.”
Phil Perry is a New York-based business writer.
In the Chips
The data security breaches at Target and Neiman Marcus have put a white-hot fire under the push for the adoption of microchip-based credit-card technology to replace the traditional (and, many would say, backward) U.S. standard of magnetic stripe cards. (A magnetic stripe holds static, unencrypted account data that any reader can copy.) Advocates of the chip cards, which hold a secret key in an embedded microchip and use it to produce a unique cryptogram for every transaction, say their use minimizes the risk of data breaches at the POS.
But how exactly do chip-enabled cards work, and how much additional protection do they really offer?
Cards that store customer data in an embedded microchip rather than on a magnetic stripe follow a standard called EMV (for Europay, MasterCard and Visa), which is in widespread use in most developed countries outside the United States. The POS terminal reads the chip either through the metal contacts on the face of the card or, for contactless cards, over a short-range NFC radio link of a few centimeters. The chip's secret key never leaves the card, and the cryptogram it produces is valid only for that one transaction, so intercepting the exchange yields nothing that can be reused and producing a working "clone" of the card is all but impossible.
The customer can then have their identity further verified by entering a PIN or providing a signature. Exactly what type of cardholder verification should be used beyond the microchip, which by itself does not prevent the use of a stolen or lost card, is the subject of debate. The National Retail Federation (NRF) and Target Corp. both recently came out in support of what is known as “chip and PIN” authentication.
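The difference between the two card types described above, as an added example that is not part of the original article or of any payment vendor's code: a simplified simulation of the EMV online cryptogram. A real card uses issuer-specific key derivation and 3DES or AES based MACs; HMAC-SHA256 stands in for those here so the logic runs stand-alone, and the key values, message layout and sample numbers are constructed. It goes slightly beyond the text by also showing what happens when an attacker edits a captured chip request, and by contrasting it with a skimmed stripe read.

```python
"""Why a chip transaction cannot be replayed while a stripe read can (added example)."""
import hashlib
import hmac
import secrets

ISSUER_MASTER_KEY = b"demo-issuer-master-key"  # constructed; never a real key


def derive_card_key(pan: str) -> bytes:
    """The issuer derives one key per card at personalization. Only the chip and
    the issuer hold it, and the chip never exports it."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def cryptogram(card_key: bytes, amount: int, atc: int, unpredictable: bytes) -> bytes:
    """MAC over the transaction data; plays the role of the EMV ARQC."""
    msg = amount.to_bytes(6, "big") + atc.to_bytes(2, "big") + unpredictable
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, pan: str):
        self.pan = pan
        self._key = derive_card_key(pan)
        self.atc = 0  # application transaction counter, advanced on every use

    def generate_arqc(self, amount: int, unpredictable: bytes) -> dict:
        self.atc += 1
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "un": unpredictable,
                "arqc": cryptogram(self._key, amount, self.atc, unpredictable)}


class Terminal:
    def purchase(self, card: ChipCard, amount: int) -> dict:
        # The unpredictable number stops anyone precomputing a cryptogram for a
        # future purchase; it travels to the issuer inside the request.
        return card.generate_arqc(amount, secrets.token_bytes(4))


class Issuer:
    def __init__(self):
        self.last_atc = {}  # highest counter seen per card

    def authorise(self, req: dict) -> bool:
        expected = cryptogram(derive_card_key(req["pan"]), req["amount"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return False  # data altered, or not produced by the genuine chip
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False  # counter did not advance: a replayed request
        self.last_atc[req["pan"]] = req["atc"]
        return True


# Magnetic stripe for contrast: the track is static, so a skimmed copy is indistinguishable.
def stripe_track2(pan: str, expiry: str) -> str:
    return f"{pan}={expiry}"


class StripeIssuer:
    def __init__(self, cards: dict):
        self.cards = cards  # pan -> expiry on file

    def authorise(self, track2: str) -> bool:
        pan, expiry = track2.split("=")
        return self.cards.get(pan) == expiry  # nothing ties this read to this purchase


def run_scenarios() -> dict:
    """Chip: genuine purchase, replay of the captured request, an edited copy of it,
    then a later genuine purchase. Stripe: a genuine read and an identical skimmed copy."""
    pan = "4111111111111111"  # constructed test number
    card, terminal, issuer = ChipCard(pan), Terminal(), Issuer()
    genuine = terminal.purchase(card, 4999)
    out = {"chip_genuine": issuer.authorise(genuine)}
    out["chip_replay"] = issuer.authorise(genuine)
    forged = dict(genuine, amount=1, atc=genuine["atc"] + 1)
    out["chip_forged"] = issuer.authorise(forged)
    out["chip_next_genuine"] = issuer.authorise(terminal.purchase(card, 1250))
    stripe_issuer = StripeIssuer({pan: "1705"})
    track = stripe_track2(pan, "1705")
    out["stripe_genuine"] = stripe_issuer.authorise(track)
    out["stripe_skimmed_copy"] = stripe_issuer.authorise(track[:])
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20s} {'approved' if ok else 'declined'}")
```

Only the two genuine chip purchases are approved: the replay fails on the counter, the edited copy fails the MAC, and the card's next real purchase still works. Both stripe reads are approved because the issuer has nothing but static data to check. Note what the model does not cover, which is the point of the debate that follows: a lost or stolen chip card produces perfectly valid cryptograms, so something else (a PIN or a signature) has to verify the cardholder.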
Going the Extra Mile
“The chip validates that it’s the real card,” said Tom Litchford, VP of retail technologies at the NRF, in a February 2014 press conference. “The PIN provides two levels of validation.” And in a February 2014 column published on the Chain Store Age website, John Mulligan, executive VP and CFO of Target Corp., expressed support for U.S. retailers to adopt chip and PIN. Target ran a three-year pilot of chip-based cards from 2001 to 2004.
“Since the breach, we are accelerating our own $100 million investment to put chip-enabled technology in place,” said Mulligan. “Our goal: Implement this technology in our stores and on our proprietary REDcards by early 2015, more than six months ahead of our previous plan.”
Cost has been a major factor preventing widespread U.S. adoption of chip-enabled cards. The NRF estimates that switching to either form of chip-based card verification would cost $20 billion to $30 billion in software, hardware and card upgrades during a period of several years. The NRF wants banks, acquirers, card issuers and other payment card partners to share costs associated with chip and PIN migration.
Currently, card issuers are primarily responsible for covering losses from counterfeit-card fraud. As of October 2015, however, that liability shifts to whichever party has not adopted chip technology: a U.S. retailer whose terminals cannot process a chip-enabled card presented for payment will bear the loss on fraudulent transactions, which some analysts think will jump-start adoption. Many major U.S. card issuers already offer, or plan to offer, chip-enabled cards.
Not a Panacea
Even experts who support adoption of chip and PIN caution it is not a cure-all to prevent the theft of customer payment data. Paula Rosenblum, managing partner at RSR Research, said that hackers in the recent Target data breach used a “phishing” email to take over a computer at one of Target’s HVAC vendors and from there penetrated Target’s network using phony vendor credentials. This let them install malware and steal customer data while bypassing the POS.
“My own point of view is that no fixed standard can give you 100% security in an ever-changing world,” said Rosenblum. She added that chip and PIN is still highly useful, especially if combined with point-to-point data encryption.
By most accounts, 2013 was a banner year for IPOs. According to Renaissance Capital, a total of 222 companies went public in 2013, marking the best year for the IPO market since 2000. As we predicted in a previous article in Chain Store Age, the retail and consumer products industry played a key role in this IPO activity, accounting for 19 offerings and $8.3 billion in proceeds. This marked a notable increase from the number of offerings seen in 2012 (15) and 2011 (12), according to Renaissance Capital.
Moreover, performance was strong. Renaissance Capital reports that the average return overall was 41%, with the retail and consumer products industry posting a strong showing. In fact, according to the Motley Fool, four retail chains doubled their IPO price this year: The Container Store, Potbelly, Noodles & Co. and Sprouts.
Our 2014 IPO Outlook Survey recently polled 100 capital markets executives on their expectations for the IPO market in 2014 and found that investment bankers are projecting continued growth on U.S. exchanges. Nearly two-thirds (63%) predict an increase in U.S. IPOs in the coming year, and on average, investment bankers predict a 9% increase in the number of IPOs in 2014.
Capital markets executives are most bullish for increased activity in the technology, energy, biotech and healthcare sectors, with most investment bankers (52%) expecting retail and consumer products IPO activity to be flat, and just 22% forecasting an increase. While the number of retail IPOs may not be headed for large increases, it’s important to remember that these projections come on top of a record year for offerings in the industry. Moreover, there are reasons for investors to have continued optimism in the industry.
Positive performance in 2013 will likely be encouraging to retailers who are considering IPOs in 2014, and ongoing low interest rates will help with investor demand. On the consumer spending front, the NRF reports that holiday sales met expectations and increased 3.8% over the 2012 season. However, many retailers depended on deeper and longer discounts that harmed margins and are causing some to trim their holiday quarter profit expectations.
Given these results, the holiday season is unlikely to have a major impact on the IPO environment this year. Still, we know consumers have been spending on big-ticket items like homes and cars, and renewed confidence bodes well for spending across the board as we enter 2014.
As the economy continues to slowly improve, private equity firms are seeing better opportunities to finally turn over their retail investments. A plurality of bankers in our survey (43%) identified private equity portfolios as the biggest source of offerings this year, and we expect private equity will be a significant backer of IPOs in the retail industry this year.
The U.K. market also appears ripe for PE-backed IPOs, with Poundland and other consumer brands looking to raise funds. Additionally, the retail industry could see an uptick in foreign-based IPOs on U.S. exchanges this year. A majority of capital market executives (58%) predict that the number of U.S. IPOs from China-based businesses will increase in 2014 due to the perception that Chinese regulators and companies are more willing to meet U.S. governance standards and accounting regulations.
Potential Concerns for Investors
When analyzing retailers, potential investors will be looking for factors that show signs of stability. Retailers pursuing an IPO should have a strong management team in place and be able to show a solid track record of sales and growth. But even with this in place, there are a number of external factors that could weigh on investors’ minds. When asked what presents the greatest threat to the IPO market overall this year, investment bankers point to the Federal Reserve paring back its monetary stimulus, as well as global political and financial instability and the threat of tax increases.
Within the retail industry, there are other hurdles to consider. As retailers continue to embrace the omnichannel movement, expanded presence on digital platforms and an influx of consumer data have made the industry more vulnerable to security breaches than ever. Recent attacks on Target’s and Neiman Marcus’ data systems have shaken consumer confidence and raised questions about the industry’s ability to adequately protect not only credit card information, but other personal information like passwords, addresses and shopping preferences.
In the short-term, identifying the source of these attacks is key, and longer term, retailers considering an IPO will need to address these risks and demonstrate to potential investors that they have taken steps to secure their systems and protect against hackers. Despite a few headwinds, we expect the retail industry will continue a steady growth in 2014. The sector has shown a great deal of resilience over the past few years, and the increase of IPO activity is one more positive indicator of overall industry health.
Ted Vaughan is a partner in the retail and consumer products practice at BDO USA, LLP.