More Customer Data Missing - InformationWeek


More Customer Data Missing

Retail Ventures and Ameritrade report data mishaps, but a new standard backed by credit-card companies could raise the bar on data protection

Retail Ventures Inc. has joined a growing list of businesses that have revealed embarrassing episodes of lost or stolen customer data.

The company reported last week that personal information from 108 stores of its DSW Shoe Warehouse subsidiary was stolen. When it first reported the theft last month, it said 103 stores were involved. The stolen information, including account numbers, names, and transaction amounts, covers 1.4 million credit cards used to make purchases at DSW stores, mostly between November and February.

Information also was stolen on 96,000 checking transactions, including checking account and driver's license numbers. However, customer names, addresses, and Social Security numbers weren't obtained, Retail Ventures says.

Earlier this month, Polo Ralph Lauren Corp. revealed that a software glitch was to blame for a security breach that prompted HSBC North America to notify holders of its General Motors-branded MasterCard that their personal information may have been stolen. Polo Ralph Lauren repaired the glitch and says there's no evidence that any theft has occurred.

Not only are companies compromising security because of credit-card snafus, they're also misplacing data. Last week, Ameritrade Inc. said it misplaced four backup tapes. Three were recovered, but the fourth remains missing. The online-trading company has alerted 200,000 current and former customers whose information was stored on the tape. The incident echoes a case involving Bank of America Corp., which said in February that it lost an undisclosed number of backup tapes.

Earlier this year, the major card companies--American Express, Diners Club International, Discover, JCB International Credit Card, MasterCard International, and Visa International--handed down a set of requirements for securing cardholder information based on the Payment Card Industry Data Security Standard, which became effective in January. Card companies such as Visa and MasterCard have set compliance dates for the standard.

The card companies have instructed merchants not to store the contents of a card's magnetic stripe, or the three-digit card-validation code on the back of a card. They also have instructed merchants to store all sensitive data in a secure area limited to authorized personnel.

Each card company has implemented its own program under the standard; MasterCard's, for example, is called Site Data Protection, and Visa's is called Cardholder Information Security Program.

The programs categorize merchants based on annual transaction volume. Visa, for example, defines "level one" merchants as those that process more than 6 million transactions a year or have suffered a hacking attack. Level-one merchants must conduct an annual on-site security audit, a quarterly network scan, and an annual self-assessment questionnaire.

It's critical that retailers take every precaution to protect sensitive customer information, Financial Insights analyst Sophie Louvel says. "That information should be encrypted and stored at an off-site database," she says.

Maintaining confidential data at a facility without proper safeguards is a questionable policy, exposing the retailer to liabilities, says Gary Praegitzer, network administrator at privately owned Jelly Belly Candy Co., which sells its products wholesale as well as directly through the Web and a small number of retail stores. "I can't think of a valid reason why any brick-and-mortar business would want to risk it," he says.

Jelly Belly has installed software from Qualys Inc. to protect its Web site from hackers and to comply with MasterCard's Site Data Protection program. The Web site generates about 1% of the company's $150 million revenue.
