- February 23, 2016
MSPs Beware: PII Needs Protection Too
So, all your retail and hospitality clients are compliant with the Payment Card Industry Data Security Standard (PCI DSS). Or at least, they’re actively working (ideally, with you) to become that way. Pat yourself on the back—but don’t do it too hard unless you’re also helping your clientele grapple with another piece of the data security puzzle—the one that revolves around personally identifiable information (PII).
As its name implies, PII is personally identifiable—an individual’s name, combined with a Social Security number, driver’s license, state-issued identification card number, and/or any account number (credit, debit, membership, etc.) and accompanying security code, PIN or password. Even as they leverage PII for the purposes of customer engagement, many merchant customers that rely on your MSP organization for assistance with navigating PCI DSS waters have yet to take aim at safeguarding the PII in their POS or other systems. Why not? For a large number, the rationale is simply this: “PII isn’t subject to PCI DSS. So, why should we bother?”
The more appropriate response here would be, “Why shouldn’t we pay attention to PII?” State governments clearly think safeguarding PII is a good idea. Only Alabama, New Mexico and South Dakota don’t have laws in place under which private businesses (and government entities, too) must notify any individual or entity about any security breaches involving their PII; 47 states, along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have implemented such legislation.
Paying Dearly For PII Breaches
The need to inform consumers of a PII breach brings with it a hefty bill for notification and claim processing expenses, and the financial consequences don’t end there. Some merchants choose to offer credit monitoring services to all consumers affected by the incident (typically, to decrease the chance that affected consumers will file civil suits charging that their PII could be used to commit identity theft). Add to that the cost of determining the cause of the breach and of any steps taken to remediate it.
Other losses transcend financial ones. Customers of retail stores, restaurants and lodging establishments aren’t going to be too happy about PII breaches—and may take their business elsewhere when they occur. Nearly one-quarter (23 percent) of individuals surveyed by consulting firm Deloitte said they would be “less likely” to patronize a company after their PII had been exposed in a data breach. Another 15 percent claimed they would be “a lot less likely” to do so.
MSPs can assist merchants in shoring up PII security by implementing solutions that allow PII to be encrypted in the same manner as payment data. Pay particular attention to ensuring protection for Big Data and Big Data analytics, which many retail and hospitality players are beginning to harness in a move to engage more closely with individual customers, in turn making their competitive teeth ever sharper. Protecting that data is complicated by its replication across multiple nodes and by the need for multiple users with different analytic requirements to pull data from many of those nodes out of a single repository. A combination of tokenization and encryption technologies is a key weapon in overcoming that challenge.
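As an added example (not code from the article or any product it refers to), here is a minimal tokenization vault in Go that shows the combination the paragraph describes: records replicated to analytic nodes carry only the tokens, the PII itself is sealed with AES-256-GCM inside the vault, and detokenization is the single road back. It assumes the caller supplies a 32-byte HMAC key and a 32-byte AES key, and an in-memory map stands in for the vault's datastore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Vault is the only component that holds PII and keys; analytic nodes receive tokens only.
type Vault struct {
	tokenKey []byte            // HMAC key: equal PII yields equal tokens, so nodes can still join and count
	aead     cipher.AEAD       // AES-256-GCM protecting the vaulted PII at rest
	store    map[string][]byte // token -> nonce || ciphertext (assumed in-memory stand-in for a datastore)
}

func NewVault(tokenKey, encKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey) // encKey must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{tokenKey: tokenKey, aead: aead, store: map[string][]byte{}}, nil
}

// Tokenize swaps one PII value for an opaque token and seals the original in the vault. The field
// name is mixed into the HMAC so an SSN and an account number never share a token.
func (v *Vault) Tokenize(field, value string) (string, error) {
	mac := hmac.New(sha256.New, v.tokenKey)
	mac.Write([]byte(field + ":" + value))
	token := fmt.Sprintf("%s_tok_%x", field, mac.Sum(nil)[:12])
	nonce := make([]byte, 12) // standard GCM nonce size
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The token is GCM additional data, so a vault entry cannot be swapped under another token.
	v.store[token] = append(nonce, v.aead.Seal(nil, nonce, []byte(value), []byte(token))...)
	return token, nil
}

// Detokenize is the only road back to the PII and stays inside the vault boundary.
func (v *Vault) Detokenize(token string) (string, error) {
	blob, ok := v.store[token]
	if !ok {
		return "", fmt.Errorf("unknown token %q", token)
	}
	pt, err := v.aead.Open(nil, blob[:12], blob[12:], []byte(token)) // 12-byte nonce prefix
	return string(pt), err
}
```

Because the tokens are deterministic per field, an analytics node can count visits or join loyalty and POS records on the token without ever holding the underlying name, SSN or account number.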
Donning your “trusted advisor” hat, you might also urge retail and hospitality players to give their employees a crash course in what PII is, what type of data falls under the PII umbrella, and why it’s important to handle PII with care (for example, closing computers instead of leaving PII out for everyone to see). Advocate due diligence with marketing programs that involve PII—for example, let clients know that should they hire a third-party agency to handle such tasks as managing a loyalty program, they must find out how the company in question protects and safeguards its PII and actively monitors its data security practices.
You may even offer to assess clients’ systems for weak points and use analytics to detect patterns of behavior that may indicate compromise.
Make no mistake…PCI compliance is of utmost importance. But the safety of PII cannot go neglected. Smart MSPs are aware of this and utilize their knowledge for the good of their merchant customers and their own business.
About the Author: Ritzer Ross has been covering technology and its application in multiple verticals for more than 25 years. Her work has appeared in a variety of vertically focused publications, including TRANSACTION TRENDS, HOSPITALITY TECHNOLOGY, CONSUMER GOODS TECHNOLOGY, INTEGRATED SOLUTIONS, INTEGRATED SOLUTIONS FOR RETAILERS, GOVERNMENT TECHNOLOGY, RIS NEWS, and, until recently, the now-defunct VERTICAL SYSTEMS RESELLER (formerly RETAIL SYSTEMS RESELLER).