Data breaches: Will retailers step up their game?

Jacqueline Renfrow

My eyes skim the headlines of what has become commonplace: another data breach at another retailer, customer information stolen by hackers.

As a reporter and concerned citizen, I wonder how many more retailers will be hit.

But as a consumer, I'm frankly not that concerned…yet.

Sure, I hear and read the stories of people's identities being stolen and how it damages their credit and financial standing for years. And while I don't want this to happen to me, the possibility is not enough to deter me from signing up for loyalty programs, joining membership shopping sites, checking the "save my information" box online, or openly swiping my credit or debit card at any cashier without thinking twice.

The need for quick and easy credit always wins out.

With that said, once a retailer reports a data breach, it doesn't mean I fully trust that brand anymore and I'm in no rush to return to their store. A breach can really taint a consumer's perception of a retailer and forever change that relationship. For retailers, that can mean an entire year or more sidetracked by a bad reputation and subsequent falling sales.

So this leaves retailers with no choice but to be honest and be prepared. As of late, the honesty seems to have made the front page, but the preparations, not so much.

Kmart, Bass & Co., Dairy Queen, Home Depot, Sally Beauty, Michaels, Supervalu and of course Target. The list of retailers reporting breaches just keeps growing.

I wonder, why does it feel inevitable—not "if" but "when" my personal information will get stolen? How are retailers fighting back? And finally, are there more breaches happening in 2014, or are retailers just now divulging this information to shoppers?

"It's actually both," said Suketu Gandhi, partner in the strategic IT practice at management consultancy A.T. Kearney. It seems the value of data has gone up in the black market, increasing the draw for criminals in the cyber hacking space.   

In addition, retailers have more tools in place today that help them know when they have been breached, noted Gandhi. That might not have been true before.

Then there is the question of openness and honesty. Should the retailer tell customers about breaches? Gandhi believes retailers need to ask themselves, "Do you think the information you have about your customers is theirs or shared?"

The financial services industry, for example, has kept personal information for years and successfully treated it as a commodity. But if not all retailers think about it this way and they see the information as a tradeoff for their service, the brand may not feel obligated to share what goes on with that collected information.

If a company does not disclose a breach and someone else does it first, a retailer's reputation could be hit even harder, Gandhi pointed out.

When a company does choose to divulge it has been hacked, the retailer needs to be able to give shoppers a clear understanding of the impact. "Precise disclosure is needed and you have to give me [the consumer] tools to manage if I have been breached," said Gandhi. "If you don't do this you will face a huge impact. It pushes people toward other channels that are more secure."

It's about transparency and empowering the individual customer.

So are retailers prepared for attacks or to handle the aftermath? Gandhi said that retailers who started in the pure e-commerce space began their companies with the underlying architecture to keep out these hackers and are, therefore, less likely to be hit. However, retailers moving into the e-commerce space often have a legacy problem—old systems, unsecured data.

But "doing it right" and going back to retrofit old systems can be very expensive and beyond the knowledge scope of retailers.

"When the Target breach occurred 10 months ago, it should have spurred retailers to immediate action, as an alteration of the current payment architecture most retailers have in place was in need of obvious fixing," said Jeff Shanahan, president and CEO at CardConnect, a payments technology company. "Obviously, we're still witnessing signs that the proper changes are not yet in place. It would seem that a lack of awareness and questions surrounding integration are what is causing the delay. We're talking about new technologies that retailers may not be familiar with."

Once retailers are familiar with the proper technologies, the question becomes integrating the most-secure hardware into existing ecosystems without disrupting service, according to Shanahan. A retailer can't afford to incur interruptions in inventory or loyalty programs. "For large-scale retailers like Kmart, fully revamping the payment hardware used in each store can seem daunting, but it's a necessary change in order to avoid a breach, which is a much scarier and costly situation," he added.

But what's the alternative? Brand after brand being hit by a breach until consumers start changing the way they shop? Shanahan assures me that changes will most likely be put in place before it gets to that point. And in the large spectrum of retailers, just a handful of companies have a mess to clean up.

For now, credit and debit are still the preferred way for consumers to pay—until Apple Pay or bitcoin rise to the occasion. So while consumers will continue to purchase, as always, retailers need to do their part and take some first steps toward protecting data.

"Retailers need to work backwards, always be two steps ahead," said Gandhi. Some retail IT departments are hosting "war games" to practice for the "what ifs." "But if you don't know where your vulnerabilities are, now that's ridiculous," he added.

Retailers need a short- and long-term approach, said Shanahan. Immediately, retailers need to make access to their outbound network as tight as possible. "For areas that contain sensitive data, this means an entire lock-down," he said.

In the long run, retailers should solidify a project that would remove the company from any raw credit card data. "The key is for a business to remove all real touch points with actual card numbers, thus safeguarding its customers in the event of an attack."

I side with Gandhi and Shanahan's optimistic view and continue to use a credit card at my favorite stores, both online and off. I believe these brands want to keep me as a loyal customer and are, therefore, moving forward with new security protections. -Jacqueline