Testing, Testing, Testing
Whether a retailer has directly experienced a data breach or watched the fallout from afar, chains industrywide still get chills when they hear details about the latest data theft. While retailers struggle to stay one step ahead of the hackers, there is hope. And this comes from constant internal testing.
I think it is fair to say that a majority of retailers have made it a priority to encrypt data and comply with PCI DSS (Payment Card Industry Data Security Standard). But it is not as if retailers had a choice.
The major credit-card brands imposed the standard to protect cardholders against the misuse of their personal information. Retailers that had not validated compliance by the late 2007 deadlines were subject to steep fines that, in some cases, reached $25,000.
While achieving PCI compliance is clearly important, the steps that retailers need to take to achieve data security run much deeper.
Here is the big picture: The PCI standard is just that, a standard. It is not a security measure. Passing an assessment shows that the required controls were in place at the time of validation; it does not show that the environment is secure today. Just look at the fallout from the recent breach at Forever 21.
Forever 21 announced in September that its systems were illegally accessed on several occasions between 2004 and 2007. Approximately 98,930 credit- and debit-card numbers were compromised.
On the upside, more than half of the lifted card numbers were no longer active. Hackers were after credit- and debit-card numbers and expiration dates, not customer names and addresses.
The retailer claimed it had been in compliance with PCI DSS since 2007 (a point that continues to be debated in the media), but that didn’t stop the chain from adding additional proactive security measures and regularly monitoring systems for intrusions after realizing the breach. It’s too bad they didn’t do more stringent testing sooner.
Cyber-thieves continue to target consumers' personal data, and they are still using the same points of entry: e-commerce sites, point-of-sale devices, gas pumps and ATMs. Inside jobs, often carried out by consultants or freelancers who already have a foot in the door, may require nothing more than fake or borrowed credentials to gain network access.
In Forever 21's case, the hackers reportedly gained entry through a weakness in the data center. By the time Forever 21 learned how the sensitive data had been taken, it was too late.
That said, it is time for retailers to take ownership of their own security. There is no better way to establish that ownership than by stepping up and putting yourself to the test. Regularly testing for vulnerabilities, that is.
Data touches innumerable retail systems, and none of them is immune to attack. That is why retailers need weekly and monthly "fire drills": staged attacks that exercise encryption of data both inside and outside the network, firewall rules and virtual private networking, so that a gap is found by the retailer's own team rather than by an intruder.
Don't be put off by failures; a drill that fails has done its job. Detecting process breakdowns, and expertly fixing them, could make all the difference between thwarting a hack and falling victim to one.
Please don’t misunderstand me. These hints are not the silver bullet to beating the bad guys. Hackers grow smarter by the day, and the industry struggles to stay one step ahead. Chains can no longer view security measures simply as a means to achieving some level of “compliance.”
Rather, it is the retailers that take a proactive, foundational approach to security that will find themselves with a much lower risk profile.
Dillard’s 3Q loss widens
LITTLE ROCK, Ark. Dillard’s reported a third quarter net loss of $56 million, or 76 cents per share, compared to a net loss of $11.3 million, or 15 cents per share, for the same period last year.
Dillard's CEO, William Dillard, II, stated, "The oppressive economic environment clearly weighed heavily on our results during the third quarter. We continue to take aggressive action to navigate these challenging times. We announced the closure of 21 under-performing stores during 2008, dramatically reduced capital spending for 2008 and 2009 and are executing appropriate operating expense reduction measures throughout the Company. These efforts are not only designed to position ourselves to weather near-term economic uncertainty but also to position Dillard's well for the long term."
Net sales for the quarter were $1.508 billion compared to net sales of $1.633 billion last year. Sales in comparable stores declined 9%.
Fred’s sees 3Q income growth
MEMPHIS, Tenn. Fred's reported net income of $6.1 million, or 15 cents per diluted share, for the third quarter of 2008, an increase of 32% from net income of $4.6 million, or 12 cents per diluted share, in the year-earlier quarter.
Fred’s total sales for the third quarter of fiscal 2008 were $418.0 million compared with $419.9 million for the same period last year, with the year-over-year decline of 0.4% reflecting the company’s store-closing program. Excluding stores closed in 2008, total sales from ongoing stores increased 4% over the third quarter of last year. On a comparable-store basis, third quarter sales increased 1.4% versus 1.1% in the year-earlier period.