High profile recent examples of companies losing customers’ personal details, such as the hacking of the Sony Playstation Network which is estimated to have cost Sony £105 million, have illustrated the financial and reputational risks of such incidents.
In the latest UK example, Data Protection watchdog the ICO has again reminded retailers that they must make online security a high priority following an investigation into security breaches at cosmetic retailer Lush's website which exposed the payment details of 5,000 customers to potential access by hackers. The ICO’s warning makes it clear that online retailers must adhere to industry standards for protecting customer’s credit card details. Outsourcing payment to an external supplier is a potentially attractive means of achieving compliance, but does not relieve a retailer of its legal obligations.
Lush were required by the ICO to sign a formal undertaking to comply with the seventh Data Protection Principle (which requires organisations storing personal data to put in place appropriate security to prevent personal data being accidentally or deliberately compromised). The undertakings given by Lush included:-
- to store only the minimum amount of customer data required and keep it only as long as a relevant business need exists
Comment: A Data Protection Act requirement and also a vital practical security measure in this context. The best way of protecting customer payment details is not to store them unnecessarily. Retailers processing online payments will also be obliged by the Payment Card Industry Data Security Standard described further below) to restrict storage of payment details in this way and to never store card security codes after payment has been processed.
- to submit computer systems storing customer personal data to regular tests simulating malicious attacks; and to maintain system logs for appropriate time periods and check these regularly for evidence of malicious attack.
- to outsource payment processing to a PCI accredited supplier
Comment: The Payment Card Industry Data Security Standard (PCI DSS) is the technical and operational security standards approved by the payment card industry for merchants who store or process customer payment details. Failure to adhere to PCI DSS can result in fines by payment card issuers or termination of the merchant’s ability to process. The ICO has also made it clear that it considers that PCI DSS, or an equivalent standard “must be followed at all times” by online retailers.
Outsourcing payment processing to a provider who is PCI accredited is likely to be an attractive option for ensuring compliance for many online retailers. However, in legal terms it is important to remember that responsibility under the Data Protection Act for protecting customer data will remain with the retailer where they appoint a data processor to carry out payment processing on their behalf. The same point also applies in relation to the appointment of external consultants to perform security testing where they have access to customer data.
Retailers appointing external service providers and consultants who will process customer data should therefore always put in place a written contract in respect of the data processing and should take appropriate steps to monitor the supplier’s own security arrangements, such as vetting of staff.