A computer programmer visited Guess.com last year to look for jeans. Before entering his order, he keyed into the site’s address bar a string of characters, and up popped about 200,000 of Guess.com’s customer names and credit card numbers.
His selection of characters wasn’t random. Rather, the code he keyed in is well-known among programmers, and plugging it in is called an SQL (Structured Query Language) injection attack.
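As an added illustration, not part of the original article, this is what the flaw looks like in code: a customer lookup that pastes the address-bar value into the SQL text, the same lookup rewritten to validate and bind the value as a parameter, and the audit check a reviewer would run against each. The table, customer names, card numbers and function names are all constructed for the example.

```python
import sqlite3

# Constructed sample rows (names and card numbers are made up) standing in
# for the customer table behind an e-commerce order page.
SAMPLE_CUSTOMERS = [
    (1, "Alice Example", "4111-0000-0000-0001"),
    (2, "Bob Example", "5500-0000-0000-0002"),
    (3, "Carol Example", "4111-0000-0000-0003"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, name TEXT, card TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return con

def lookup_vulnerable(con, customer_id):
    """Pastes the address-bar value straight into the SQL text, so whatever
    the visitor typed becomes part of the WHERE clause and the query that
    runs is no longer the one the developer wrote."""
    sql = "SELECT name, card FROM customers WHERE id = " + customer_id
    return con.execute(sql).fetchall()

def lookup_safe(con, customer_id):
    """Validates the value, then binds it as a query parameter: the driver
    sends it separately from the SQL text, so it is only ever compared
    against the id column and never parsed as SQL."""
    try:
        cid = int(customer_id)      # an order id must be a whole number
    except ValueError:
        return []                   # reject anything else outright
    sql = "SELECT name, card FROM customers WHERE id = ?"
    return con.execute(sql, (cid,)).fetchall()

def leaks_extra_rows(lookup, con):
    """Audit check: a lookup keyed to one customer should return at most one
    row; handing back the whole table for a tautology such as '1 OR 1=1'
    is exactly the exposure the article describes."""
    baseline = lookup(con, "1")
    probed = lookup(con, "1 OR 1=1")
    return len(probed) > len(baseline)
```

Run `leaks_extra_rows` against every query function that takes user input; any that returns True needs the parameterised rewrite.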
In June, Guess.com settled for an undisclosed sum with the Federal Trade Commission (FTC) on charges that it misled consumers by stating in its privacy policy that it protected consumer data when, in fact, it didn’t.
To determine if your site is vulnerable to an SQL injection attack, Stephen Cobb, senior vice president for research and education at ePrivacy Group, a privacy technology and consulting firm, suggests the following steps:
1. Get your Web systems checked by a security expert familiar with SQL and other common online vulnerabilities. “Talk with the people who set up your e-commerce site and determine if they’re aware of this and similar vulnerabilities. Have they checked for them specifically?” Cobb asks.
Based on their responses, you may feel secure about your site, or you may decide to hire an outside expert to do a security audit of your site. “This may be especially important if you’ve had, say, a neighbor who took a few Web courses design your site,” says Cobb.
The cost for such audits varies depending on the size of your e-commerce operation. Generally you can expect to pay $1,000 to $2,500 per day, says Cobb. An audit may take one to 10 days. But that still may be cheaper than getting hit with a fine from the FTC. When selecting an auditor, look for a CISSP, which stands for Certified Information Systems Security Professional.
2. Be a detective. Your site’s order pages should be encrypted with the Secure Sockets Layer (look for the padlock symbol), a generic encryption technology that uses digital certificates, says Cobb. You can own the technology and apply it to your e-commerce site, use a service for it (e.g., Digital River), or your ISP can apply it to your site.
3. Follow the data. “When someone submits data to you, does it go to an unencrypted Web server and then into a clear-text database? If so, that’s dangerous,” Cobb notes. “Hackers may find the database and tap into it.” According to Cobb, hackers can log on to Google, type in “MasterCard,” a four-digit prefix and a generic expiration date such as 04/04, and up will come text files filled with a retail site’s customer credit card information.
“Make sure your data is being transferred to a secure and encrypted server,” Cobb advises. “If not, the chances of someone finding it online and stealing it are pretty high.”
You can’t duck in under the regulatory radar screen simply by telling customers in your privacy statement that you don’t really protect consumer data. That’s just bad business, of course. But if you say you’re protecting it and don’t, it becomes a deceptive business practice, and the FTC will come calling. “It only takes one legitimate consumer complaint to the FTC to bring the 500-pound gorilla onto your case,” says Cobb.
Consumers want increased privacy and security, and legislators are looking at regulatory agencies such as the FTC to do the job. The FTC, in turn, is sending a message to all businesses that it’s policing the data-security issue in the name of consumer protection.
You can reach Stephen Cobb, CISSP, of the ePrivacy Group at (212) 655-9392, scobb@eprivacygroup.com. The FTC offers guidelines for businesses on this topic. Visit: www.ftc.gov.