4 ways to keep personal data locked down

If you think hackers want your customers’ credit card numbers, think again. In a recent study on data breaches, the No. 1 type of information stolen by far is a password. Second are emails and third are usernames.

Cyber criminals can take information accessed through this kind of personal data and apply for a wallet full of fraudulent credit cards, say officials with Conexxus, the Alexandria, Va.-based tech advisory arm of convenience and fuel retailing association NACS.

“Living in the cyber-connected world, data can quickly and easily transmit anywhere at any time,” says Jarod Downing, CFO of Ricker Oil Co. in Anderson, Ind. Knowing where data resides leads to ways to protect it.

1. Payment data

What:  Credit- and debit-card numbers, including “track data” found on magnetic-stripe payment cards.

Where:  Point-of-sale, higher-end personal ID number pads, electronic payment server, back-office computer, company network and central database or server. Other devices with network access also could view data.

Ways to protect:  Make sure all devices have application control capabilities to “white list” programs. This allows only predetermined programs to operate. Other tactics include data encryption and segmenting the payment network.

2. Loyalty, marketing and sensitive data

What:  Information collected to run loyalty programs and communicate special promotions and internal information on pricing, sales and strategies.

Where:  POS, PIN pads, network, back-office computers, employee laptops and mobile devices and corporate servers.

Ways to protect:  Firewalls, passwords, employee training, limited access and strong authorization processes in place. Protect data via encryption, and use automated solutions.

3. Employee info

What:  Data needed to hire, schedule, train, review and pay employees.

Where:  Back-office computers, network and corporate servers.

Ways to protect:  Secure in the same ways as loyalty programs and business-sensitive data, implementing strong authorization models and strictly limiting access.

4. Third party

What: Information a third party would hold regarding people’s personal data, including customer and employee information or sensitive operational data.

Where:  On third-party computers, networks, devices and servers.

Ways to protect:  Write contracts stipulating security requirements, ask for certifications, demand proof of security claims and use vendors with strong reputations for maintaining high security standards.

A version of this story appeared in the April issue of CSP magazine, FoodService Director’s sister publication.