It’s 10:00 p.m. Do You Know Where Your Customer Data Is?


It’s 10:00 p.m. Do You Know Where Your Customer Data Is?

By Matt Hauser and Mark Hagerty,

Retail TouchPoints Blog - March 17, 2014

How many times have we seen a variation of this headline in the past few months: “[Insert major retail brand here] suffers data breach.” It’s beginning to border on boring news; we’ve grown so accustomed to these sorts of slip-ups, that while they’re certainly concerning, we’re increasingly comfortable simply chalking them up to yet another crafty criminal at work and going on with our days.

But we’ll let you in on a secret. In these data breach situations, the criminal doesn’t necessarily need to be all that crafty. More often than not, these events are the result of a retailer that didn’t do its homework when it came to vetting and choosing its vendors. Perhaps said retailer ended up partnering with a vendor that claimed to be operating under the strictest levels of security, when in reality, it was operating under the cyber equivalent of a fake window sticker claiming round-the-clock surveillance.

There are many methods for these half-hearted certifications. Security companies can do scans on a site and say that it passed, but do you really know what they’re scanning for? More often than not, they’re checking for the obvious vulnerabilities and not a whole lot more. There is really only one method for the highest level of security: Payment Card Industry (PCI) DSS compliance, including an onsite assessment. Obtaining this certification is not an easy task for a vendor. It requires an extensive third-party audit by a Qualified Security Assessor (QSA), who comes in to assess every element of data security, including external and internal testing of all aspects of the network and servers, checking off every possible hole or weakness on their list. The QSA examines the vendor’s source code and software development procedures, speaks with the company’s employees to ensure that best practices are in place to avoid security risks, and ensures the company has in place the highest standards of ongoing security measures, such as two-phase authentication for all data access points. The process takes about three months of rigorous review and non-stop scrutiny. However, if the vendor passes, it’s listed online with the other successful candidates by the credit card companies as being a PCI-compliant service provider. As you can imagine, this stamp of approval comes with substantial benefits.

Now picture you, the retailer, are trying to determine which vendors to work with for your various needs. You’re sorting through translation services and payment software options and hosting platforms, and you think to yourself, “Well all of our vendors tell us they have PCI compliance, so let’s look at some other criteria to pick the best partner.” Unfortunately, this flawed logic could very well have serious consequences. The ugly truth is that most vendors will claim PCI compliance because they use a PCI compliant hosting facility.  But the reality here is that just isn’t enough to ensure the highest level of protection for your customer’s data. What you need is a company that not only uses a PCI compliant facility (you want all potential touchpoints to have been audited which includes the hosting facility), but also extends to the vendor’s actual application(s), servers, and the access controls that the vendor uses to interact with and protect your data. In short, when your customer data passes through the cloud, what happens to it and how is it protected when it reaches its destination? Suddenly the value of a truly PCI DSS-compliant vendor will become exceptionally apparent.

As a retailer, you need to recognize that working with a particular vendor can and should go far beyond the bare minimum levels of service. Retailers, particularly global brands working with a variety of service providers, should be able to trust their vendors to match their levels of commitment, align with their business goals, and stick to their same levels of accountability. It is this ideal degree of partnership that you need to consider when doing your vendor shopping. After all, if you can’t confidently rely on your vendors to keep your customer data safe, what right do you have to ask those same customers for their business?

Mark Hagerty, Chief Technology Officer: Prior to joining in 2003, Mark Hagerty was the Director of Software Development at eTranslate, directing the development of the industry leading GMS technology that was eventually acquired by Prior to that Hagerty worked for 8 years as a senior software engineer and manager at Adobe Systems, Inc. Hagerty has 20 years of software development experience and is responsible for the technology vision and solutions that make an industry leader. 

Matt Hauser, VP, Content Solutions: A 10-year plus veteran of the localization/translation industry, Hauser has overseen all facets of technology sales and marketing for TransPerfect and since 2007. Hauser's Content Solutions Team works closely with the entire global sales force of the TransPerfect family of companies to ensure that the proper combination of GlobalLink applications is being presented to both current and prospective clients. Hauser also takes an active role in managing enterprise engagements that involve technology, is involved in both development and implementation of technology-related sales and marketing strategies, and coordinates partner and alliance activities related to GlobalLink. Hauser began his career with TransPerfect in 1996, handling sales for enterprise document translation for the Southeast Region, and moved into web site localization and technology sales in 1999 with is the only translation vendor listed as PCI compliant on the MasterCard and VISA websites for the third year in a row. Drop us a line if you’d like to hear more.

Close Button

Family of Companies

Close Button

Select Your Language

The Americas Europe Africa & Middle East Asia Pacific