Mirza Salihagic | Apr 11, 2024 | Data Protection, Retail

Demonstrating the Value of Data-Centric Security in Retail: Two Case Studies

The retail sector is undergoing profound changes to support digital commerce, personalization and automated buying experiences. It’s not hard to see why. In the US alone, e-commerce sales exceeded $1.1 trillion in 2023, a healthy increase of 7.6% on the previous year. Yet with digitization comes additional risk – primarily due to the wealth of highly regulated and sensitive customer data that retailers store and process.

The challenge for industry players is to keep regulators satisfied and breach risk to a minimum, while still being able to use that data to improve the customer experience and inform long-term business strategy. As the two case studies below show, comforte's data-centric security approach and tokenization technology are a strong fit for the industry.

Protecting the data that matters

Retailers collect a broad sweep of personally identifiable information (PII) including customer names, addresses and payment card details. According to a Verizon assessment of breaches in 2023, threat actors were most interested in payment (37%), credentials (35%) and personal (23%) data. And with 100% of those incidents motivated by financial gain, it’s not surprising to also see that the vast majority of attacks (94%) came from external sources.

Here’s how two different comforte customers approached their unique challenges:

Commercial City Fresko

This Mexican hypermarket giant owns popular brands such as La Comer, City Market, Fresko and Sumesa, which collectively process over 30 million POS transactions each year on ACI's BASE24 system. The company's challenge was to get a new data protection system up and running for PCI DSS compliance within just six months, or risk regulatory fines, an increase in interchange fees and reputational damage.

Other requirements included:

  • A system compatible with HPE NonStop systems and ACI BASE24 environments
  • A robust algorithm to replace parts of the PAN with tokens that hackers can’t use
  • A secure vault using dual control that stores the relationship between tokens and PANs
  • A system that can be plugged in without changes to existing applications
  • Effective user authentication to mitigate insider and third-party risk

City Fresko chose comforte’s SecurDPS solution to tick all of these boxes and more. Its tokenization capabilities render sensitive data useless to hackers, while helping to meet PCI DSS requirements that no sensitive data resides on core enterprise components. As only authorized users can access the data, third-party vendor risk is also reduced. Overall, it has reduced the organization’s breach and PCI DSS compliance risks and helped to cement its reputation as a reliable and security-conscious partner.

A world-leading fashion retailer

This renowned fashion retailer, one of the world’s largest, has around 900 stores in North America, and accepts all major cards including – for the past three decades – its own private label credit card. However, after an unfortunate data breach, it needed to add an extra layer of protection to the encryption already used to guard card numbers and unique internal ID numbers associated with each card. Specifically, it was looking for a provider that could offer:

  • A way to seamlessly extend data protection to cardholder PII, and potentially other data types in the future
  • An operationally efficient method of data protection. The retailer had found that encrypting and decrypting data at multiple stages of its lifecycle, across a high in-store and online transaction volume, risked slowing down authorizations and damaging the brand
  • A method of data protection that didn’t require the mass rotation of encryption keys for around one billion credit cards – which was adding a significant cost and operational burden
  • A solution which enables data to be preserved in the same format when protected to retain its utility

The solution was comforte's tokenization technology, which differs from classic encryption in that a token is not computed from the card number with a key, so there are no encryption keys to manage or rotate. This removed the operational and cost burden of mass key rotation, and because a token cannot be reversed without access to the tokenization system itself, it also reduced the exposure of card data in the systems that hold only tokens. The tokenization system and its token-to-PAN mapping then become the secret that must be protected, which is why access to it is tightly controlled (the dual-control vault in the City Fresko requirements above is an example).

Tokenization also preserves the utility of the data because the token keeps the format of the original value: a 16-digit credit card number becomes a 16-digit token, an 11-digit phone number an 11-digit token, and so on, so existing field lengths, validation rules and reports keep working. This allowed the retailer to use the data across the enterprise and throughout the lifecycle of each customer without compromising on security.
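The following Python example illustrates both the City Fresko requirement (replace part of the PAN with tokens that are useless to an attacker, with the token-to-PAN relationship held in a controlled vault) and the format-preserving behaviour described above. It is an added example, not comforte's code or SecurDPS; the vault is simplified to an in-memory dictionary, and the 4111… test card number, the phone number and the "settlement" role are constructed for illustration. Two design choices are the example's own: tokens keep the BIN (first six digits) and last four, and every card token is chosen so that it fails the Luhn check, so a token can never be mistaken for a live card number.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check-digit test used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vaulted, format-preserving tokenizer (in-memory, illustrative only).

    A token has the same length and character class as the value it stands for
    and is drawn at random rather than computed from the value, so there is no
    key that reverses it. The vault mapping itself is the secret to protect;
    in production it sits behind dual control, access logging and the like.
    """

    def __init__(self, detokenize_roles):
        self._value_to_token = {}
        self._token_to_value = {}
        self._detokenize_roles = set(detokenize_roles)   # roles allowed to see clear values

    @staticmethod
    def _random_digits(n: int) -> str:
        return "".join(secrets.choice(DIGITS) for _ in range(n))

    def _store(self, value: str, token: str) -> None:
        self._value_to_token[value] = token
        self._token_to_value[token] = value

    def tokenize_pan(self, pan: str) -> str:
        """Keep the BIN (first 6) and last 4 digits, replace the middle with random digits."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._value_to_token:
            return self._value_to_token[pan]   # same card -> same token, so joins/analytics still work
        head, tail = pan[:6], pan[-4:]
        while True:
            token = head + self._random_digits(len(pan) - 10) + tail
            # Design choice of this example: reject collisions with existing tokens and
            # anything that passes Luhn, so no token can be mistaken for a live card number
            # (a real PAN passes Luhn, so this also guarantees token != pan).
            if token not in self._token_to_value and not luhn_valid(token):
                break
        self._store(pan, token)
        return token

    def tokenize_phone(self, phone: str) -> str:
        """Replace every digit of a phone number with a random token of equal length."""
        if not phone.isdigit():
            raise ValueError("phone number must be digits only")
        if phone in self._value_to_token:
            return self._value_to_token[phone]
        while True:
            token = self._random_digits(len(phone))
            if token != phone and token not in self._token_to_value:
                break
        self._store(phone, token)
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only listed roles may reverse a token; every other consumer sees tokens only."""
        if role not in self._detokenize_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_value[token]


if __name__ == "__main__":
    vault = TokenVault(detokenize_roles={"settlement"})   # constructed role name
    pan = "4111111111111111"                               # constructed test PAN, not a real card
    tok = vault.tokenize_pan(pan)
    print(pan, "->", tok)                                  # 411111xxxxxx1111: same length, fails Luhn
    print(vault.detokenize(tok, "settlement") == pan)
```

Downstream systems that only ever receive the token (reporting, loyalty, fraud analytics) never hold cardholder data, which is the mechanism behind the audit-scope reduction discussed below; the one component that can call `detokenize` is the one that stays in scope.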

The result is that systems holding only tokens no longer store cardholder data, which has let comforte reduce the retailer's PCI DSS audit scope and put it in a strong position to comply with other US data privacy laws, both now and in the future.

That’s the peace of mind that retailers are looking for as they navigate the evolving regulatory landscape to achieve digital success.


Case Study: City Fresko achieves PCI-DSS compliance with tokenization
