Retail Ventures and Ameritrade report data mishaps, but a new standard backed by credit-card companies could raise the bar on data protection
Retail Ventures Inc. has joined a growing list of businesses that have revealed embarrassing episodes of lost or stolen customer data.
The company reported last week that personal information from 108 stores of its DSW Shoe Warehouse subsidiary was stolen. When it first reported the theft last month, it said 103 stores were involved. Information, including account numbers, names, and transaction amounts, was stolen on 1.4 million credit cards used to make purchases at DSW stores, mostly between November and February.
Information also was stolen on 96,000 checking transactions, including checking account and driver's license numbers. However, customer names, addresses, and Social Security numbers weren't obtained, Retail Ventures says.
Earlier this month, Polo Ralph Lauren Corp. revealed that a software glitch was to blame for a security breach that prompted HSBC North America to notify holders of its General Motors-branded MasterCard that their personal information may have been stolen. Polo Ralph Lauren repaired the glitch and says there's no evidence that any theft has occurred.
Not only are companies compromising security because of credit-card snafus, they're also misplacing data. Last week, Ameritrade Inc. said it misplaced four backup tapes. Three were recovered, but the fourth remains missing. The online-trading company has alerted 200,000 current and former customers whose information was stored on the tape. The incident echoes a case involving Bank of America Corp., which said in February that it lost an undisclosed number of backup tapes.
Earlier this year, the major card companies--American Express, Diners Club International, Discover, JCB International Credit Card, MasterCard International, and Visa International--handed down a set of requirements for securing cardholder information based on the Payment Card Industry Data Security Standard, which became effective in January. Card companies such as Visa and MasterCard have set compliance dates for the standard.
The card companies have instructed merchants not to store the contents of a card's magnetic stripe, or the three-digit card-validation code on the back of a card. They also have instructed merchants to store all sensitive data in a secure area limited to authorized personnel.
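The rule above has a concrete shape in code. The following is an added example, not code from the article or from any card brand's program: it reduces a constructed card swipe to the fields a merchant may retain, and scans already-stored records for the data the brands say must not be kept (full magnetic-stripe track contents or a card-validation-code field). The track layouts follow the commonly documented ISO track 1/track 2 formats; the PAN is a well-known test number and the cardholder name is fictional.

```python
import re

# Constructed sample swipe: a test PAN and a fictional cardholder, not real data.
# Track 1 = PAN, name, expiry (YYMM), service code, discretionary data.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^2512101123456789?"
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
CVC_KEYS = {"cvc", "cvv", "cvv2", "cvc2", "cid", "card_validation_code"}

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, used to reject a mis-read swipe before storage."""
    digits = [int(d) for d in pan][::-1]
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
               for i, d in enumerate(digits)) % 10 == 0

def storable_record(track1: str, track2: str, amount_cents: int) -> dict:
    """Keep only a masked PAN, name, expiry and amount. Service code,
    discretionary data and the raw tracks are never copied into the result."""
    m1, m2 = TRACK1_RE.fullmatch(track1), TRACK2_RE.fullmatch(track2)
    if not (m1 and m2) or m1.group(1) != m2.group(1):
        raise ValueError("unreadable or inconsistent track data")
    pan = m2.group(1)
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "name": m1.group(2),
        "expiry": m2.group(2),
        "amount_cents": amount_cents,
    }

def find_prohibited(records: list) -> list:
    """Scan stored records for data the card brands forbid retaining:
    full track contents in any string field, or a card-validation-code field."""
    findings = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in CVC_KEYS:
                findings.append((idx, f"cvc field '{key}'"))
            if isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
                findings.append((idx, f"track data in '{key}'"))
    return findings
```

Running `find_prohibited` over a transaction table is a cheap way to catch the DSW-style exposure before an attacker does: any hit means the store is holding stripe or validation-code data it was told not to keep.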
Each card company has implemented its own program under the standard; MasterCard's, for example, is called Site Data Protection, and Visa's is called Cardholder Information Security Program.
The programs categorize merchants based on annual transaction volume. Visa, for example, defines "level one" merchants as those that process more than 6 million transactions a year or have suffered a hacking attack. Level-one merchants must undergo an annual on-site security audit, run a quarterly network scan, and complete an annual self-assessment questionnaire.
It's critical that retailers take every precaution to protect sensitive customer information, Financial Insights analyst Sophie Louvel says. "That information should be encrypted and stored at an off-site database," she says.
Maintaining confidential data at a facility without proper safeguards is a questionable policy, exposing the retailer to liabilities, says Gary Praegitzer, network administrator at privately owned Jelly Belly Candy Co., which sells its products wholesale as well as directly through the Web and a small number of retail stores. "I can't think of a valid reason why any brick-and-mortar business would want to risk it," he says.
Jelly Belly has installed software from Qualys Inc. to protect its Web site from hackers and to comply with MasterCard's Site Data Protection program. The Web site generates about 1% of the company's $150 million revenue.