If there is a silver lining to the Zappos Retail Inc. data breach, it may be that more merchants, including the shoe-marketing giant, have taken key steps to prevent thieves from stealing customers’ full credit card account numbers, which will blunt potential losses.

The bad news for merchants is the growing awareness that scrupulously following the Payment Card Industry Data Security Standard guidelines no longer is enough to protect against hackers seeking other types of stored customer information useful for perpetrating fraud.

“The target for hackers is expanding,” Todd Thiemann, senior director for product marketing at San Jose, Calif.-based Vormetric Inc., a leading provider of data-encryption services for merchants complying with the PCI standards, tells PaymentsSource. “It’s not just card data hackers are after anymore, as the value rises for other personal customer data, including email addresses, phone numbers and addresses, that can be used to commit fraud.”

Security experts say data-stealing malware attacks over the last year are on the rise (see story).

In a departure from some other high-profile data breaches in recent years, this time thieves stole only the last four digits of consumers’ credit card numbers, Zappos told some 24 million customers in a Jan. 15 mass email. Zappos, an Amazon Inc. unit, is one of the world’s largest online footwear and accessories sellers.

Zappos in its email said an unauthorized party may have obtained “one or more” elements of customers’ personal data, including names, email addresses, billing and shipping addresses and phone numbers, along with the last four digits of credit card numbers.

The Zappos breach has some similarities to an incident at email marketing company Alliance Data Systems Corp.’s Epsilon unit in March, in which customers’ emails and other data were exposed, raising the threat of identity fraud and phishing scams (see story).

Although details are scanty and Zappos executives were not available for comment, security experts say it appears that Zappos was in compliance with PCI standards, which require companies handling payment card data to encrypt full credit card numbers or avoid storing the entire number in case of unauthorized data exposure.

And despite the headaches PCI compliance caused in recent years, merchants are now reaping the benefits.

“This incident shows that merchants are definitely getting better about protecting card data,” says Jose Diaz, director of technical and strategic business development for Weston, Fla.-based Thales e-security, which provides encryption technology for a broad range of clients, including resellers of advanced data-encryption products. “It is a sign of real progress for PCI adoption.”

But merchants now face the escalating risk of other types of consumer data they may leave exposed.

Zappos urged its customers to create new account passwords, and warned them to beware of e-mail or telephone scams that might attempt to use data obtained in the breach to extract further data they could harness for fraudulent purposes.

That may not be enough, Thiemann suggests.

“The Zappos incident shows that companies really need to consider encrypting all types of customer data, not just payment card data, because of the growing number of data breaches and overall risk unencrypted data poses,” he says.

It could be the beginning of more technology headaches for merchants.

But once companies have invested in the infrastructure to enable advanced data encryption, the investment to expand that technology to other data is relatively affordable, Diaz says.

“Once there is infrastructure in place to encrypt data and to protect that data through hardware-security modules and secure keys, it is not hard to expand it to other types of data, and that may be what companies that deal with a lot of personal customer data may need to do,” he says.

So far, PCI standards require no encryption of broad types of customer data, including e-mail and shipping addresses and phone numbers, Diaz notes. But for merchants that want to fully protect data and avoid costly problems, “encrypting all types of consumer data is a good practice,” he says.

What do you think about this? Send us your feedback. Click Here.


Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry