Helping retailers wipe ID data issue

When data breach investigator Bryan Sartin gets a call to check into an incident involving customer records loss at a retailer, he knows that the situation most likely involves information that has been lifted from a company's point-of-sale systems.

Just as the now famous attack on discount clothing chain TJX Stores revolved around the interception of data transmitted wirelessly from the company's registers to its databases, almost every call that Sartin receives from a retailer can be traced back to some issue related to point-of-sale information collection, he said.

The data theft gumshoe -- whose official title is managing principal in the Investigative Response unit at managed security services provider Cybertrust, which was purchased by Verizon Business in May 2007 -- contends that if companies did a better job of defending their point-of-sale tools, most could dramatically lower their risk of a breach.

"As a rule, companies are doing a better job of protecting against external IT systems intrusions, but if you look into most of these consumer breaches at retailers the point-of-sale technology is typically the common denominator," Sartin said. "Many retailers list the types of systems they use on their Web sites, so the smart criminals look for companies using systems they already know how to beat and simply try to find a way in."

If retailers could merely stop collecting as much data at their registers, it would seem, the companies would significantly improve their ability to protect against such attacks, but the issue isn't that simple.

In order to protect themselves against fraud on the part of customers -- primarily in the form of inappropriate returns -- the companies are forced to store some form of identification data, typically a credit card number -- to prevent the need to write off even more losses to crime.

Among the databases of information scooped from TJX were some that carried such returns information.

As a result, retail companies find themselves in a tricky situation where they are being forced to consider alternatives that allow them to reduce the level of customer data collected at the point-of-sale, while retaining enough information to protect against fraud.

Flashback to the early 1990s, and video game console maker Nintendo was dealing with a challenging business problem. The Kyoto, Japan-based electronics company was selling millions of its NES video game consoles, but it was also being routinely fleeced by customers via fraudulent returns.

Typically such transactions would involve people who would buy new gaming systems, place older, broken consoles in the new box, and then simply return the devices for a full refund.

The company was losing large amounts of money and dealing with retailers who were shipping back scads of the worn-out machines, and attempts to implement manual guidelines, such as collecting more detailed data about customers, failed to deliver results.

Faced with mounting costs, the company decided to employ a technological strategy for warding off fraudulent activity. By capturing the information on each box carrying each one of its consoles and creating an electronic receipt based on its UPC code and serial number at the point-of-sale, the firm discovered, it could build a database of pertinent information that would allow it to track sales without retaining customer data.