PCI Isn’t Enough — How Retailers Can Truly Protect All Sensitive Data

  • March 7, 2019 at 3:14 PM EST
  • By Jim Barkdoll, TITUS

When many of us think of sensitive data, we automatically think about credit card information. But what about all the rest? As recent data breaches taught us, hackers and bad actors can do quite a bit with other types of personal information, such as user names, passwords, addresses, phone numbers, birth dates and so on. As more retailers embark on a truly hybrid sales strategy that encompasses an online presence as well as a brick-and-mortar store, they find themselves with a wealth of sensitive information. So how can retailers keep that information safe?

Payment Card Information (PCI) regulations cover credit card data during transactions, but do nothing to protect that information after a business has stored it in its IT systems. When PCI regulations were introduced, they were hailed as a great leap forward in ensuring that businesses maintained stringent levels of safety around payment cards. But since that time, we’ve seen an explosion in the online marketplace, which has made existing security regulations like PCI confusing to implement because they’re usually either limited or too broad.

This issue is further compounded by the fact that while existing security technology can offer some support, both expertise and software come at a very steep price.


Better Security In An Age Of Low Margins

It has been just over five years since the infamous Target breach, which was, at the time, one of the largest breaches of customer data in history. Though promises have been big, in reality, little has changed in terms of how retailers protect their sensitive data.

Most retailers would protect their customers’ data if it were free and easy. However, brick-and-mortar stores especially tend to be low-margin businesses, and data security solutions are expensive and do nothing to increase revenue. The result: Security is not usually a high priority until a breach occurs.

That’s why, when it comes to data protection, many retailers are forced to ask themselves, “How good is good enough? How can I maintain my margins, yet keep my data safe?”

Others think they are covered because they implemented an advanced security solution six or eight years ago. The reality is that six or eight years is a lifetime in technology, so most solutions considered advanced back then are, at best, barely adequate now or, at worst, obsolete. Most retailers hold on to outdated or very basic technology for as long as they can to minimize costs; however, these systems can make them even more vulnerable. The vendors that sold these systems rarely continue to provide security updates or support for products so long in the tooth. In addition, cybercrime has grown more and more sophisticated, far surpassing the protections of early security solutions and, in some cases, defeating specific protections outright. The result: Information on these systems is poorly secured, meaning it’s a matter of “when” and not “if” a data breach will occur.

Consumer Demand Forces Modernized Regulations

Another challenge is that the retail sector lacks modernized, industry-specific regulations for information handling like those implemented in other industries, such as the financial or health care sectors. Stringent security procedures are now built-in and expected for financial, health care and manufacturing organizations, yet not for retail.

The General Data Protection Regulation (GDPR) and state-specific regulations are a good start and resulted from a powerful place — consumer demand. While years ago consumers did not seem as concerned about the protection of their personal information online, the Equifax breach and the scandal involving Facebook and Cambridge Analytica brought about a significant shift in consumer attitudes toward how their data is managed, secured and stored. Brands that have suffered data breaches or, more recently, have been fined because of their failure to adhere to GDPR or other regulations may face consumer backlash, which can be difficult to recover from.

Next Steps To Right The Ship

There are a few key steps for retailers to move from being on the verge of a data breach to feeling confident in how sensitive data is stored and protected.

  1. Modernize existing regulation mandates. Unfortunately, regulation continues to drive most security behavior rather than a desire to simply be good data stewards. So first and foremost, industry regulations such as PCI need to be improved to help ensure continued and consistent adherence to security policies and practices. In addition, nations and states that have not yet passed data privacy laws need to investigate developing such legislation. Once businesses become aware of the potential risks of noncompliance — severe fines, damage to their brand, liability to customers — they will be more willing to implement data protection strategies.
  2. Prioritize data security investments. Investing in security must be a priority for retailers, despite the expense. Implementing effective data protection solutions is critical. Businesses need a clear understanding of what their sensitive data is, where it resides within their systems and if/how it is currently protected. They need to understand who has access to which information, both internally and externally.
  3. Understand current technology investments. An audit of existing security investments is another critical step toward true data protection. Perhaps a retailer has a firewall. Great. Maybe they also have a data loss prevention (DLP) solution. But are these technologies working together? Or are they sitting in silos? Digital data security solutions can help integrate all elements in a data protection system across an organization, providing checks and balances and ensuring that nothing slips through the cracks.

Consumer Pressure Will Induce Change

Aside from the steps above, there’s one other group with the power to demand greater data security — consumers. With the ever-increasing number of data breaches today, a strong security strategy may offer a competitive advantage and help draw in new customers. Customers who are confident their personal information is safe may be willing to pay extra for goods or services, which would help defray the costs of implementing security technologies. But the benefits need to be made clear. Consumers must understand that PCI regulations protect their information only during transactions. They need to know that without added data protection, their information is vulnerable to cybercrime.

Undoubtedly, we will reach a point where enough breaches occur and enough customers sound the alarm, and governments will be forced to develop stronger retail regulations. And stronger regulations will go hand in hand with integrated data protection solutions that help the industry comply with them.


Jim Barkdoll is the CEO of TITUS. He leads the overall vision, growth strategy and go-to-market initiatives of the company. He most recently served as TITUS’ chief revenue officer where he led the global sales operations, marketing and customer success teams. Barkdoll has over 20 years of business development and executive leadership experience with an established track record of successfully growing teams and revenues within channel, SMB, midmarket and enterprise accounts. Prior to TITUS, Barkdoll was EVP of Sales at Toushay Inc. Prior to Toushay, he served as VP, Americas with BlueCat Networks, Inc. and spent 10 years with Quest Software in a variety of senior management roles.

