The same multichannel shopping and payment experiences that are designed to reduce cart abandonment may also pose hard-to-spot vulnerabilities that can threaten information security.
The problem is the movement and storage of consumer data as transactions, CRM and marketing are handled in different channels simultaneously, and how a company's staff can inadvertently create risk through mundane work tasks, according to Todd Feinman, the CEO of Identity Finder, a New York-based data management company.
"Organizations store a lot of data and very little of it is deleted and it's being shared and it's moving around the organization," Feinman said, adding that the recent spate of large data breaches became worse because of a lack of understanding of the volume of data and how to isolate it within an organization.
Identity Finder has updated its data exposure diagnostic system to accommodate updates in Payment Card Industry data security guidance, as well as state regulations governing data protection in Massachusetts and national regulations governing health care data. But Feinman recommends looking beyond compliance to focus on user access and storage to further isolate sensitive data, so there's less chance of accidental exposure.
"Sensitive information leaks out at a rate that's quite alarming," Feinman said, adding most organizations need to understand the scope of the data. Tokenization masks data in a payment environment, but it may still exist in plain text in other systems. "And if nobody has accessed a piece of data in five years, why do you still have it? Most organizations say the more data the better, but that's not true," Feinman said.
Data exposures can be caused by malicious email attachments, USB drives, work communications, data that's stored longer than it has to be, or inconsistent levels of protection in different channels, Feinman said.
"If there's an email with financial information, and you take it off of your computer and reference a spreadsheet, and then forward that email, all of that information goes through the Internet and to the recipient," Feinman said, adding that protecting a payment doesn't necessarily shield a company from card data losses in this case. "The recipient and the sender keep a copy of that email in their program. That's several different places where that information can wind up."
Identity Finder's data management platform identifies where sensitive data is inside an organization, and how it got there. The goal is to isolate data through firewalls and access controls, to prevent intentional and unintentional leaks, which are becoming more prevalent as companies attempt to serve consumers in-store, online and on mobile devices through a mix of legacy systems, mobile payment technology and cloud-delivered gateways.
There is technology that can prevent "classified" sensitive data from being copied to USB drives or can block data from being uploaded to a cloud, but organizations need to first identify where their sensitive data resides, Feinman said.
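As an added illustration of the discovery step described above (example code written for this article, not Identity Finder's product), here is a small Python scanner that flags Luhn-valid card numbers and dashed Social Security numbers in text, reports only masked values, and marks files whose last access is older than the five-year threshold Feinman mentions; the record format, the regular expressions and the staleness threshold are assumptions of the example.

```python
import os
import re
import time

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security numbers in dashed form only (assumption for this example).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text: str) -> list:
    """Return (kind, masked_value) pairs; the scanner never reports full values."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("PAN", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", "***-**-" + m.group()[-4:]))
    return hits

def scan_records(records, now=None, stale_days=5 * 365):
    """records: iterable of (path, text, last_access_epoch) tuples (constructed format)."""
    now = time.time() if now is None else now
    report = []
    for path, text, atime in records:
        hits = find_sensitive(text)
        if hits:
            stale = (now - atime) > stale_days * 86400  # untouched for five years or more
            report.append({"path": path, "hits": hits, "stale": stale})
    return report

def scan_tree(root: str, **kw):
    """Walk a directory tree and feed each readable file to scan_records."""
    def records():
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    with open(p, encoding="utf-8", errors="ignore") as f:
                        yield p, f.read(), os.stat(p).st_atime
                except OSError:
                    continue
    return scan_records(records(), **kw)
```

A CRM export that still holds a plain-text card number alongside a tokenized payment store is exactly the cross-channel duplicate the scan is meant to surface, and the stale flag answers the "nobody has accessed it in five years" question per file.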
The complexity of combining mobile commerce and in-store payments with hosted technology systems is leading companies to collaborate on broad security strategies and enable integration of different products. Identity Finder partners with companies such as Intel to manage access controls and how different employees can access and use sensitive data such as Social Security numbers and account information. And Experian this week opened its technology development to spot and combine different security programs to mitigate data breach risk and other crimes.
The mix of channels, devices and users creates a need for a detailed approach, according to Al Pascual, senior vice president and research director at Javelin Strategy & Research. "The solution for any business has to be a mix of security technologies, but the particulars of which solutions should be used and where they should be applied requires an in-depth understanding of the business," Pascual said.
The environment is ripe for collaboration and diagnostic services, according to analysts.
"I think a great analogy is having one doctor that has visibility into the big picture of a patient's health," said Julie Conroy, a research director at Aite Group, adding a group of five specialists won't be able to see potential gaps or medication conflicts. "The IT infrastructure at large merchants and banks is so complex that there is significant value in having an entity that is specifically tasked with analyzing the bigger picture."