Putting Data Security To the Test
Executives at Staples recently received an e-mail alerting them that consumer credit-card data had been compromised. Lucky for these associates, it was only a test. It is these kinds of drills that keep Staples’ data-security efforts sound.
While security tests are nothing new for retailers, they are taking on a new meaning as the industry tries to stay out of hackers’ line of fire. Retailers are paying more attention to planned and spontaneous tests to uphold internal data-security efforts and ensure systems are protected from possible data breaches.
Framingham, Mass.-based Staples uses customer information as a tool to upsell, target coupons and connect with its shoppers. “While we do not store consumer credit-card information in our retail systems, we are still committed to protecting it,” Christopher Dunning, Staples’ enterprise information security officer, said during NRFtech. The event, sponsored by the Washington, D.C.-based National Retail Federation, was recently held in Denver.
Many companies actually changed their data-security mind-sets as they began preparing for PCI DSS (Payment Card Industry Data Security Standard), a standard established by the four major credit-card companies to protect cardholders against the misuse of their personal information. While PCI DSS clearly increased many companies’ awareness of the potential of data breaches, savvy retailers understood that the road toward data security didn’t stop with PCI. Staples was one of those companies.
“One challenge we struggled with while preparing for PCI compliance was the back and forth with banks on timetables for compliance, compensation and controls,” he explained during the session, “Retail Data Security—An Industry Reality Check on the Quest to Protect Consumer Information.”
“While we worked to become compliant, larger industry breaches began occurring. It became clear we needed to get our house in order, so to speak. The focus goes beyond PCI and into privacy,” Dunning said. “It was more than complying with PCI. It was about doing what was right for the organization.”
That’s why Staples makes a point of conducting real-world drills to keep all associates on their toes and ensure it is doing its best to protect data.
Efforts began approximately two years ago when the company encountered a hacker. Since then, Staples has never looked back.
The chain began cleaning data and restructuring back-end systems. “We operate in an AS400 environment, so it was a priority to understand where and what needed to be cleaned out. Then we moved our efforts into our data-storage systems,” Dunning explained.
The retailer also realized it needed looser, unscheduled testing of applications. At the time of the conference, Staples had two real-world drills under its belt. But attendees understood the importance of these tests when Dunning described a test held just prior to NRFtech.
“We held a meeting with a group of company executives to discuss crisis training. With the assistance of our help desk, we faked a systems security breach,” he recalled. “An e-mail memo stated that our bank was notifying us that card data had been compromised. Half of the group was aware of the test, and the other half was not.”
The test elicited mixed reactions, but the strongest came from the company’s VP of human resources, who conducts the company’s training classes. “He admitted it was the best training they had ever experienced,” Dunning said.
The point of the drill was to educate the group on the breadth and consequences—especially the costs involved—that come from not being prepared for a data breach. “The cost of a large security breach is huge,” he reported. “Just to notify all of Staples’ customers about a breach would cost $43 million in postage alone.”
During the show, Dunning reported that Staples was preparing for another real-world drill this fall.
Dillard’s 3Q loss widens
LITTLE ROCK, Ark. Dillard’s reported a third quarter net loss of $56 million, or 76 cents per share, compared to a net loss of $11.3 million, or 15 cents per share, for the same period last year.
Dillard’s CEO, William Dillard, II, stated, “The oppressive economic environment clearly weighed heavily on our results during the third quarter. We continue to take aggressive action to navigate these challenging times. We announced the closure of 21 under-performing stores during 2008, dramatically reduced capital spending for 2008 and 2009 and are executing appropriate operating expense reduction measures throughout the Company. These efforts are not only designed to position ourselves to weather near-term economic uncertainty but also to position Dillard’s well for the long term.”
Net sales for the quarter were $1.508 billion compared to net sales of $1.633 billion last year. Sales in comparable stores declined 9%.
Fred’s sees 3Q income growth
MEMPHIS, Tenn. Fred’s reported net income of $6.1 million, or 15 cents per diluted share for the third quarter 2008, an increase of 32% from net income of $4.6 million or 12 cents per diluted share in the year-earlier quarter.
Fred’s total sales for the third quarter of fiscal 2008 were $418.0 million compared with $419.9 million for the same period last year, with the year-over-year decline of 0.4% reflecting the company’s store-closing program. Excluding stores closed in 2008, total sales from ongoing stores increased 4% over the third quarter of last year. On a comparable-store basis, third quarter sales increased 1.4% versus 1.1% in the year-earlier period.