By KRYSTLE CHOW
Published in the Ottawa Business Journal newspaper and website.
Feb. 5, 2007
While it may seem like these are dangerous times for consumers who shop with credit and debit cards, the retail industry’s players say they are working hard to protect consumer data.
Consumers had a few security breach scares recently, first in mid-December when Winners and HomeSense parent company TJX Cos. discovered that hackers had stolen customers’ credit and debit card information from its network. This was followed by Talvest Mutual Fund’s mid-January announcement that it had lost a backup file containing sensitive client information.
“It’s happening quite often, and it’s worrisome for the consumer,” says bankruptcy lawyer Stanley Kershman of Perley-Robertson, Hill & McDougall LLP. “The consumer has reason to worry because if their information goes out online, it could potentially be used by fraudsters.”
Mr. Kershman says companies must be accountable for these breaches, and that more resources have to be put into safeguarding consumer information because it’s “really gold.”
“If (the consumer information) were gold, people would put it into a safe and lock it up … they should do the same for this information,” Mr. Kershman comments, adding that hackers realize that accessing that data is “like getting into Fort Knox.”
The retail industry is far from being ignorant of this fact, says Retail Council of Canada spokesperson Derek Nighbor, although Mr. Nighbor acknowledges that the recent incidents have served as a wake-up call for businesses to do more to protect customers.
“There’s no doubt that retailers take consumer security very seriously, because it’s not in their best interest to be connected to a negative story which can lower customer confidence,” says Mr. Nighbor, who serves as the council’s vice-president of national affairs.
However, he notes that there has been more buzz around the Winners and HomeSense case because consumers are now more aware of privacy issues as more people participate in electronic transactions.
As well, new laws require retailers to publicly report security breaches, increasing public awareness of the issue.
So what is the industry doing to alleviate customers’ worries?
Mr. Nighbor says the first step for retailers is ensuring that merchants are not keeping more information on file than is reasonable, or keeping said information for an unreasonably long period of time.
He notes that some businesses may need data such as credit and debit card numbers and credit card expiry dates in case customers want to make a return or are reporting a fraudulent purchase, but cautions retailers against keeping this information on file unless absolutely necessary.
“There must be a reasonable reason why retailers are asking for this information and storing it, and they should only store it for a reasonable time period; they need to look at everything they do through a reasonable lens,” Mr. Nighbor says. “The more information you take on, the more the question arises if something happens of why you had to keep that information.”
Michael D’Sa, Visa Canada’s manager of data security and investigations, says retailers are actually prohibited from keeping any data other than the credit card number and expiry date. The prohibited data includes the security programs and codes used by the issuing bank and stored in the card’s magnetic stripe; hackers can use these security programs to glean more information about the issuing bank and how to circumvent its systems.
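The two rules above (keep only the card number and expiry date, and keep them only as long as reasonably needed) are what a retailer's record-storage code has to enforce. The following is an added example, not code from any company quoted in the article: it drops stripe and security-code fields before a transaction record is written, masks the card number, refuses records where stripe data has leaked into a free-text field, and purges records past an assumed 90-day retention window. The field names, the sample record and the retention period are assumptions for illustration.

```python
import re
from datetime import date, timedelta

# Fields that hold magnetic-stripe or card-security data; never written to storage.
FORBIDDEN_FIELDS = ("track1", "track2", "cvv", "pin")
# ISO 7813 track-2 layout (PAN, '=', YYMM expiry, service code ...), the shape a
# full stripe dump takes when a terminal copies it into a log or notes field.
TRACK2_RE = re.compile(r"\b\d{13,19}=\d{4}\d*")
RETENTION_DAYS = 90  # assumed window for returns and fraud disputes

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a sanitised receipt would."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitize(record: dict) -> dict:
    """Return a copy that is safe to keep: forbidden fields dropped, PAN masked,
    and any record with stripe data hidden in another field rejected outright."""
    clean = {k: v for k, v in record.items() if k not in FORBIDDEN_FIELDS}
    for key, value in clean.items():
        if key != "pan" and isinstance(value, str) and TRACK2_RE.search(value):
            raise ValueError(f"track data found in field {key!r}")
    clean["pan"] = mask_pan(record["pan"])
    return clean

def purge_expired(records: list, today: date) -> list:
    """Keep only records that fall inside the retention window."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [r for r in records if r["date"] >= cutoff]

# Constructed authorisation record using the 4111... test number, not a real card.
SAMPLE = {
    "pan": "4111111111111111", "expiry": "0912", "amount": "49.99",
    "date": date(2007, 1, 20),
    "track2": "4111111111111111=09121010000000000", "cvv": "123",
}

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```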
Mr. D’Sa agrees that the proliferation of electronic transactions means that retailers and consumers have to be extra careful about what information they keep, and what they do with it.
“There is a growing preponderance on the use of the Internet, and anything Internet-facing can be used by organized crime to probe companies,” says Mr. D’Sa. “All it takes is for a hacker to find a port open on the server … it comes back to the security of the perimeter.”
One company that helps retailers ensure that consumer data is tightly locked up is Third Brigade. Wael Mohamed, Third Brigade’s chief executive officer, says companies can better protect the information on their servers by first understanding current security trends and issues, and then by having several layers of protection surrounding the servers.
“The information which resides on a server is like the crown jewels, but these servers have holes that companies have to patch to ensure that hackers cannot compromise and steal the information,” says Mr. Mohamed. “So first you need to find where the holes are in the system, ensure there are extra layers of security, and if the layers cannot protect you, then (Third Brigade) protects the system itself.”
Mr. Mohamed explains that the first layer involves the security of the perimeter, which is usually protected by a firewall. The next layer involves the security of the network against intrusion, and the final layer that needs to be protected is the host itself, or the machine which contains the data.
“Unfortunately, the security world is a dynamic one, and hacker attacks can be very sophisticated, although the industry is moving in the right direction,” he says. “The most secure system is one which is not connected to the Internet, but that’s not possible today.”
Another step being taken to protect consumers’ financial data is a new initiative to move credit card users from credit cards with magnetic stripes to those with chips, which ensure that the information on a person’s credit card is encrypted. The chip-card technology is being rolled out at the end of this year, and is expected to reach “critical mass” by 2010, according to Visa Canada director of corporate communications Tania Freedman.
“France, which was one of the earliest users of the chip-card technology, has seen counterfeit fraud decline by 80 per cent since implementing the chip cards,” says Ms. Freedman. “We expect the same result here; it will be a major infrastructure change in Canada.”
As well, Mr. D’Sa notes that credit card companies are also looking to move from a signature verification system to a personal identification number (PIN) system, much like what is being used for debit cards.
At any rate, it is up to retailers to ensure that records are safeguarded appropriately and in the most up-to-date manner, says Mr. Nighbor.