Outsourcing data security one option for small retailers

The best bet for small retailers that generate enough sales to come under Visa and MasterCard's new requirements to secure their Web sites and databases may be to farm out the work, suggested one consultant.

"Compliance is easier for retailers who outsource," said Chris Noell, vice president of business development at Solutionary Inc., a managed security services firm based in Omaha, Neb. Retailers that do choose to outsource-should make sure that their service provider is in compliance with the new rules.

All retailers who transmit, process or store credit card data are required to comply with the PCI Data security Standard, a set of requirements designed to protect consumers' and retailers' information.

Both John Verdeschi, vice president of e-business and emerging technologies at MasterCard, and Noell recommend that retailers check out the MasterCard and Visa Web sites, both of which have a number of downloads. Visa's can be found at usa.visa.com and Mastercard's at https://sdp. mastercardintl.com. The Visa site includes a self-assessment test for merchants aimed at helping them figure out what is required of them and how to comply. Noell recommends that all small retailers take the test.

Small retailers often take on too much risk, Noell said. "Often, they inadvertently store too much cardholder data, assuming more risk than is necessary to operate their business," he said. "Or, they make an in-house outsource decision without respect to security costs and liability. As a result, an internal solution may appear to be more cost-effective, but end up exposing the retailer to significant security costs to avoid liability."

Two recent security breaches that gained public attention involved Polo Ralph Lauren, where information about 180,000 people was reportedly compromised; and shoe retailer Designer Shoe Warehouse, which involved the theft of information from more than 1.4 million credit cards and 96,000 check transactions. In December 2004, three men were sentenced from 26 months to nine years for stealing credit card information from home improvement store Lowe's Cos. Inc. in 2002 through 2003. Lowe's system was hacked through one if its Michigan stores to its North Wilkesboro, N.C.-based IT systems.

Copyright United Publications, Inc. Jun 2005
Provided by ProQuest Information and Learning Company. All rights Reserved