There will be a lot of heated discussion around who owns consumer (shopper) data.
Thierry Denis, president of Ingenico Group in North America
As we count down to the October requirement that all US merchants move to EMV (chip and pin) transactions, a number of things become important to consider if you are a merchant who accepts credit or debit cards for consumer purchases.
In an article dated today, Thierry Denis comments about the impending deadline and some of the key changes in the way data is managed and handled.
Small and mid-size businesses need to take the impending deadline seriously and start preparing for implementation now. Waiting until the deadline is imminent has consequences that, in the case of a breach, are far more dire than the cost of implementing a working solution.
Liability for transactions found to be fraudulent will shift from the issuing/acquiring banks to the merchants, and the cost of those transactions could be significantly higher than the investment in new hardware/software/platform solutions to prevent such a breach. No merchant wants to wake up to a bill for such a breach — especially in light of the Minnesota court ruling that Target can and will be forced to defend itself against customer claims (and bank claims), litigation that alone will run into the millions of dollars before a single dollar is paid out if it is found liable for the breach.
On the flip side of this coin sits the data, waiting to be awarded to one of the parties involved in the transaction, and determining the ownership of that data will be tricky indeed: merchants expect that their customer data belongs to them and that they can do with it as they please. Unfortunately, the card associations, banks and processing gateways don’t always see it that way.
PCI compliance requirements mean that sensitive data (including, but not limited to, card numbers and expiry dates) must be stored securely and that access is granted only at certain levels, mostly on a need-to-know basis. More banks and processors, on both the issuing and acquiring side, will be pressing for merchants to have less access to data, especially merchants who are not PCI compliant in their own right.
What does this mean for merchants?
First, read the fine print. Your contract with your gateway, aggregator (PayPal, Stripe, Square, etc.) or acquiring bank (the bank that provides you with a merchant account number) should detail what level of security you are bound to comply with, what methods are considered acceptable, who in your organization (if anyone) is allowed to access sensitive data, and what usage of the data is considered normal business practice.
Second, explore alternative methods of data collection that allow you to retain the data you need to run your business without exposing yourself to excessive risk. Then determine what level of access your employees should have (and actually do have) to this data, and safeguard it accordingly. Many companies have found their customer list stolen and sold by lower-level employees who never should have been able to access this information.
Third (and most important), consider your customers when making these decisions. Respecting their privacy, maintaining safeguards over their records and selectively applying collected data to future marketing are key to acquiring and retaining a loyal customer base that appreciates your efforts and rewards you for them by giving you more of their hard-earned dollars. Geo-fencing, beacons, email marketing, rewards marketing – each of these has a place in your overall marketing plan, and each should be used in tandem with best-practice guidelines and a healthy dose of common sense.
The upcoming year offers a slew of opportunities for smart business owners, and each one starts with an individual (business owner, manager, marketing department head) doing the research into what data is available, how it’s collected, and what disclosures have been made to consumers about the collection and use of the data. A written plan for the usage and security of the data should be created, updated when needed, and distributed to all employees who may have access to the data or who need to communicate with customers using it.