Running an environmentally-conscious shop involves being mindful of how it affects the planet. An eco-conscious shop, or other small boutique shops that are committed to caring for the environment should extend the same level of attention to their customers' data.
While it is safe to say that most eco-centric retailers only collect a small amount of information regarding their customers, shops must be aware that all retailers (including eco-oriented shops) have just as much of a cyber attack target placed on them as other shops. Below, you will see a checklist of the areas of focus you should have when securing customer data without adding unnecessary complexity.
Start With Payment Types and Limiting Customer Information
The most secure customer information is the information stored nowhere. Therefore, when you process a customer's payment, ensure that you are using well-established payment processors that use tokenization of cardholder data, such as those provided by Visa, MasterCard, American Express, and Discover. Because cardholder data never resides within your system(s), this reduces your level of potential liability for identity theft/hacking incidents. Closely review the type of customer information you collect. Dismiss any fields of information collected that do not pertain directly to the checking out experience, shipping process or necessary compliance with state or federal laws. You also need to construct policies surrounding customer account retention that will not allow accounts created and never used, abandoned shopping carts and inactive email lists to accumulate indefinitely.
Lock Down Access with MFA and clear permissions
Ensure that you obtain full administrative access to your e-commerce Platform, POS system, and Accounting Program through Multi-Factor Authentication. This is usually the first step that leads to breaches caused by individuals obtaining username or password access to a retailer's online system or Merchant Account. Most retailers fail to adopt correct security protocols for disposing of employee accounts.
In addition, access permissions must be assigned according to employee roles. For example, a cashier does not need the same level of access or privileges that an inventory control officer does. Therefore, quarterly security review of employee access is a crucial step in ensuring that only appropriate employees will have access to sensitive company information and data.
Use Encryption for All Data / Backups
Encryption must be performed for both the transmission of customer information and when the data is ‘in storage’. You should always use HTTPS-enabled websites, and back up any of your client records, data exports and related files in encrypted cloud-based storage. You should also back up your store data as it is critical to maintaining the integrity of your data. Perform automatic data backup for encrypted backups and test to confirm the backups are working properly at least quarterly.
Be Selective With Apps, Plugins, And POS Add-ons
Understand which apps, plugins, and POS add-ons you really need, as excessive use can create security risks and increase the chance of an intrusion into your digital assets.
Eco retailers may use plugins to manage inventory, shipping, loyalty programs and reporting. While they add convenience to operations, plugins increase the risk of attacks. Consider reviewing the available options to determine what professionals consider the best threat intelligence solution for tracking vulnerabilities, bad integrations, and emerging attack patterns. Keep a comprehensive inventory of plugins along with their versions so that when an update alert is received you can quickly patch systems. This is an important aspect that, when overlooked, can become a major security issue.
Your security is only as good as your vendors. All vendors, such as your POS provider, email management tool, shipping software, and any marketing platforms you use, should be assessed based on their basic security practices, including encryption, access control, and incident response processes. A vendor checklist is a great place to start.
Train Staff And Plan For Incidents
Employee awareness cannot be replaced by technology. All employees should be trained on recognizing phishing attempts, verifying requests for refunds and requests for changes to banking information as well as never emailing sensitive information. It is better to provide short, repeatable training sessions than one long training session.
Always be prepared for something to eventually go wrong. Having an incident playbook with contact information, instructions for isolating systems, and instructions for communicating with customers will prevent confusion for a few days when things do not go as planned. Keep your playbook to one page and review it every year.
Do not Forget About Supplier/Cloud Risk
Your level of security is only as good as the vendors with whom you do business. Review the security processes of your POS provider, email tool(s), shipping software and marketing platforms to verify the use of encryption, access control, and incident response policies. A short vendor checklist will provide great benefit.
Endnote
Safeguarding customer information will not compromise sustainability. Eco-conscious retailers can establish loyalty among customers by limiting the amount of data collected, implementing strict security measures for stored data, and staying vigilant against the potential risks associated with third-party partnerships. Consider the above tips to maintain your eco-conscious status without putting your clients at risk.
