Our headline today does not refer to those annoying ads that “pop-up” when you visit websites.  We’re talking about the hottest trend in seasonal retailing – the pop-up store.    These are the “here today, gone tomorrow” retail locations that you see during Halloween and Christmas seasons and are now everywhere capturing the back-to-school market.

These locations either open in empty storefronts or in kiosk space in public areas of malls or places like Grand Central Station in New York and sell smaller, often location-targeted selections of merchandise.   They are a good way for retailers to capture the “flash” shopper, to introduce new store openings, or to test and promote certain items or brands.   The business case certainly exists for retailers to extend their brands through the pop-up space strategy.

Pop-up stores also can be a data security nightmare.

Because pop-up stores are intended to be temporary, installations of technology infrastructure to support credit card sales is impractical and is often ignored.    Speed and simplicity are at the heart of the pop-up strategy.   A word of warning, however: cutting corners for rapid and low-cost deployment of pop-up stores is fraught with data security risks.   Even a single pop-up location can create data loss significant enough to negatively impact brand and cause a retailer to spend bottom line dollars on forensics, investigation and data breach notifications.   The sales impact of the pop-up locations can evaporate as quickly as the pop-up location itself in a data breach incident.

Here are three issues of concern for your pop-up:

  1. Networks – Will your pop-up store be operating on a local (and likely) public WiFi network?   Will your employees be communicating with the home base network through this public WiFi?    Check with your IT security team before enabling this activity.  Having employees operate securely on a separate network from the public network that customers use is critical.    Transmitting cardholder data over a public network is not only a violation of the PCI DSS standards (see #2), but also can constitute a breach of certain state data breach laws (see Massachusetts and Nevada).
  2. Point of Sale – Carefully consider your POS application for the pop-ups.  Your merchant agreement obligations to comply with Payment Card Industry Security Council (PCI DSS) standards do not stop just because you have opened up a pop-up store.  Every location is required to operate in a PCI DSS-compliant manner.  Also consider whether the interface between a pop-up POS transaction and your corporate network (including access to other applications, such as inventory management) should be locked down with a VPN connection.   If your POS fails, employees may be relegated to writing down credit card numbers.   Plan for this.
  3. Monitoring of Employees – Loss protection (both physical LP and data LP) is critical for pop-up stores.  Often, pop-ups are staffed by a single employee or two, even at the busiest times.  Some sort of surveillance should be installed at the pop-up site to monitor both employee and customer activity.

Lest you think that by now we are paranoid (but all data security professionals are, by nature, paranoid….), the Mintz Levin Privacy and Security team has worked with five companies in the last 6 months that have experienced significant data and loss incidents via the pop-up store.  We have seen employee misconduct, such as credit card skimming, malware insertions at the pop-up location that impact the POS, absence of surveillance leading to theft of credit card information and merchandise…in other words, it can — and does – happen.

The technology is out there to secure the pop-up store without losing the “temporary” concept and efficiencies of the pop-up and risks can be mitigated.   The pop-up is often the first customer impression of the overall retail brand.  Don’t let it leave a bad after-effect.    If something nasty hits the fan at your pop-up, at least you know who to call.