Tesco, Target, eBay, Office – all major retailers with a significant on-line presence and always seeking to understand what their customers want to buy, how they want to buy it, and what would make them buy more. The delivered retail experience and an intimate understanding of consumer psychology is where the retail battles are fought in 2014.
However, the latest eCustomerServiceIndex (eCSI)* survey from IMRG and eDigitalResearch revealed that more than half of the online shoppers surveyed asked for - not more loyalty cards, coupon schemes or just bigger discounts – but better on-line security.
Of course, all of the retailers mentioned above also have something else in common in that they have all recently been subject to security breaches involving customer payment cards or personal information.
The conclusion drawn from the findings by eDigitalResearch is as follows:
“Onus is very much on retailers to invest in and improve their security measures for their online customers – over two thirds (67%) expect organisations to contact them immediately (within 6 hours) by email or phone if security had been breached and it leads to a potential loss of data”
In other words, customers don’t just expect to be better protected, but are savvy enough to appreciate that breaches can still happen even with appropriate security best practices in place, and are wanting contingency plans in place that allow them to be notified within the same business day in the event of a breach occurring.
It speaks of a very realistic view on cyber security and one that is encompassed not only by the PCI DSS (which on-line retailers should be operating in order to meet agreements with their banks and the payment card brands), but all other security best practice frameworks.
These principles should be mirrored within non-stop security management solutions, which help organisations ‘harden’ their IT systems to render them less prone to attack by removing all known vulnerabilities, and in addition, put in place intrusion detection functionality as contingency.
In doing so, if a system is still breached despite all the defenses being enabled, the retailer would know that an attack has succeeded and ensure that other action can be taken to prevent the damage being any greater than it needs be.
If you consider that the breach at Target was only acted on after it had been operational for two and a half weeks, but during that period, over 40 million payment card details were stolen and 70 million customers had their personal identifiable information compromised, you can see why speed of detection is essential. If the 6 hour detection and notification deadline expected by customers had been met in this case, damage would have been minimal, rather than catastrophic as it has been.
Retailers would do well to listen to customers’ expectations and pay heed to the lessons learned by their peers. The growing consumer awareness of online security will ultimately expose those organisations that fail to take online security seriously to significant repercussions of brand damage.