OAKBROOK TERRACE, Ill. -- If a convenience-store retailer gets the dreaded phone call tracing a data breach back to his or her loyalty program, the responsible party may be an outside vendor who handles the customer information.
To avoid such a call, a retailer’s best bet might be asking tough questions to make sure the provider is handling the information as securely as if the retailer housed the data internally. Jarod Downing, CFO for Ricker Oil Co., Anderson, Ind., told CSP Daily News that retailers often rely on third parties to handle their loyalty programs, but the retailer still needs to take an active role in understanding the providers’ data-security measures.
“The retailer should ensure the contract between his or her company and the third party specifically identifies how the customer data is collected, stored and secured,” he said, advising that a retailer’s legal counsel review all contracts to ensure protections are in place if a breach occurs.
In a recent article from Foster City, Calif.-based eSecurity Planet, writer Jeff Goldman spelled out five ways retailers can protect themselves from data breaches involving vendor or third-party partners.
- Audit yourself. Get a better understanding of how third parties are accessing your system, where they’re connecting and what they’re doing. Review everyone with access to make sure third parties only have the necessary permissions.
- Audit your vendors. Ask critical questions of third parties to make sure they are meeting data-security requirements that the retailer would adhere to—and ask them to prove it.
- Audit again (and again). Companies often fail to follow up on data-security audits on a regular basis, often letting a year go by without circling back to make sure processes and procedures are still in place. Recommendations are for quarterly audits.
- Employ encryption and other technologies. One of the most successful ways of rendering data useless to hackers is if it’s encrypted. That way, even if data thieves gain access, the data is encoded and therefore unusable. Make sure that vendors with access to a retailer’s systems are employing any number of similar measures.
- Get it in writing. Put contractual “teeth” behind security measures by placing such language in contracts. Such wording could be complex or as simple as “this is how you’re going to connect to our systems.”
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.