By Beth McGarrity

This week kicks off NRF 2012, one of the largest shows for retailers, where new technologies, solutions and offerings are announced all week long. In fact, we just announced a new integrated solution for Columbia Sportswear to secure payment transactions across 54 retail locations. So, when I was scanning the news today, I was surprised to see Zappos.com in the headlines, and not in a positive way. The major online retailer had fallen prey to data thieves.

Yet, as I continued reading, one statement caught my eye:

Zappos said that hackers gained access to customers’ names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers and encrypted passwords.

Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.

Bravo! Well done. In most of the big retail breaches we have blogged about here, our main message has been the same: get sensitive card data off the network. Many retailers still keep records containing full payment card details on their own servers, and that data is often forgotten about. So when an attacker gets into the network, they hit a gold mine.

While Zappos is still the victim of a hack, it kept full payment details on a separate server and was therefore able to contain the impact on its customers. Whenever we talk with merchants, we recommend that they store whatever payment data they must keep on a server outside their own network, where a thief who breaks in cannot reach it. Doing so also shrinks the scope of the retailer's cardholder data environment, which eases the burden of PCI compliance.
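The recommendation above, as an added example that is not code from the original post or from any vendor's product: the merchant's own customer database keeps only an opaque token, the last four digits and a salted password hash, while full card numbers live in a separate vault object that stands in for the out-of-network server. The example goes a little beyond the paragraph by also hashing the customer password (the "encrypted passwords" in the Zappos statement) and by showing what a dump of the merchant store would give an intruder. The class and function names, the Luhn check and the sample customer and card number are assumptions for illustration.

```python
"""Added example (not from the original post): keep full card numbers in a
separate vault and store only a token plus the last four digits with the
customer record, so a dump of the merchant database exposes no full PAN.
CardVault stands in for the separately hosted server; class names, the
Luhn check and the sample data below are illustrative assumptions."""
import hashlib
import hmac
import os
import re
import secrets

PBKDF2_ROUNDS = 100_000


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """Holds full PANs on behalf of the merchant (simulates the separate server).

    The merchant only ever receives an opaque random token and the last four
    digits; the PAN itself is used only inside charge()."""

    def __init__(self):
        self._pans = {}  # token -> full PAN, never returned to the caller

    def tokenize(self, pan: str):
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(16)  # random, so it reveals nothing about the PAN
        self._pans[token] = digits
        return token, digits[-4:]

    def charge(self, token: str, amount_cents: int) -> bool:
        """Stand-in for forwarding the PAN to a payment processor."""
        pan = self._pans.get(token)
        return pan is not None and amount_cents > 0


class MerchantStore:
    """The retailer's own customer database: tokens, last four digits and
    salted password hashes, but no full card numbers."""

    def __init__(self, vault: CardVault):
        self.vault = vault
        self.customers = {}  # email -> record

    def add_customer(self, email: str, password: str, pan: str) -> None:
        token, last4 = self.vault.tokenize(pan)  # the PAN leaves the merchant here
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.customers[email] = {
            "card_token": token,
            "card_last4": last4,
            "pw_salt": salt.hex(),
            "pw_hash": pw_hash.hex(),
        }

    def verify_password(self, email: str, password: str) -> bool:
        rec = self.customers.get(email)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(rec["pw_salt"]), PBKDF2_ROUNDS
        )
        return hmac.compare_digest(candidate.hex(), rec["pw_hash"])

    def dump(self) -> str:
        """Everything an intruder who copies the merchant database would get."""
        return repr(self.customers)


def full_pan_leaked(dump: str, pan: str) -> bool:
    """True if the full card number (digits only) appears anywhere in a dump."""
    return re.sub(r"\D", "", pan) in dump


if __name__ == "__main__":
    vault = CardVault()
    store = MerchantStore(vault)
    # Constructed sample customer; 4111... is a standard test card number.
    store.add_customer("alice@example.com", "correct horse", "4111 1111 1111 1111")
    print(store.dump())
    print("full PAN in merchant dump:", full_pan_leaked(store.dump(), "4111111111111111"))
    token = store.customers["alice@example.com"]["card_token"]
    print("charge via token:", vault.charge(token, 1999))
```

The point of the split is that the merchant's code path never holds a PAN after `tokenize()` returns, so the systems that an intruder is most likely to reach (web tier, customer database, backups of it) contain nothing a card thief can use, and only the vault needs to be treated as cardholder data environment.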

Comments

There are 2 comments for this post.

  1. vbuk on January 28, 2012 9:14 am

    Just because Zappos was compliant with PCI and no CC#s were breached doesn’t mean Zappos is safe. Per the Ponemon data loss survey the estimated cost to remediate currently stands at $1.4bn… which is $.1bn less than what Amazon paid to buy them…

    CFOs should take note… You control the budgets for security… Can you handle the potential impact to your bottom line?

  2. Beth McGarrity on January 31, 2012 12:28 pm

    Thanks for the comment. Absolutely agree that the cost of a breach is too high for companies to ignore and that proactive steps must be taken to protect the data of customers. Security cannot be ignored, and each day we see a new breach in the headlines we are reminded of it.
