December 8, 2020

Online Shopping and Companies’ Data Protection Responsibilities on the Rise This Holiday Season


The holiday shopping season is predicted to look much different this year. Many began shopping as early as the beginning of November. Less than half plan to spend the same amount as they did in 2019, with a third planning to spend less or nothing at all. But a definite trend this year is the overwhelming preference for online shopping, curbside pickup, and contactless payment. It is already a heavy lift for companies to prepare products and services to sell during the biggest revenue days and weeks—it’s equally vital to prepare each company’s processes and technologies to protect consumers’ personal data.

With COVID-19 ramping up again, online selling may become even more preferable during the 2020 holiday season. Not only will your company need to prepare to scale to achieve revenue goals, your preparations for protecting privacy data and managing Payment Card Industry Data Security Standard (PCI DSS) requirements will increase, as well.

Higher Online Shopping Volumes Mean More Data to Protect

Although your store always needs to manage physical safety to protect shoppers from injury, this year, helping customers avoid exposure to the coronavirus brings additional management burdens: temporary employees, store capacity limits, and new checkout processes to protect both employees and customers. Unfamiliar processes may end up generating more PCI DSS process failures and, in turn, more personal data exposure.

The ever-increasing number of online shoppers can usher in great revenue opportunities, but system exposures and data input acceleration can quickly outstrip your company’s monitoring capabilities, leaving large amounts of customers’ personal data vulnerable to attacks.

Having anticipated the large influx of customers and transactions, your company by now has likely put a freeze on code, security changes, and updates. While this is prudent to give customers as much uptime as possible, it also means your company may have difficulty responding to sudden new data exposures that require new data policies or practices if there is any suspicious activity.

Finally, many businesses have established relationships with strategic and/or short-term third parties as vendors and logistics partners to help meet holiday demands. This means your sharing of data is going to compound rapidly. Data that normally doesn’t need to be shared outside your company will leave to be managed by other entities. This increases the risk of mishandling transactions from a PCI DSS perspective and exposes far more personal data to privacy lapses.

Establishing solid data policies must be part of your preparation plan. You’re also going to need the right software tools in place to effectively protect financial and personal data your company collects, stores, and processes.

Who is Impacted by PCI DSS?

PCI DSS is a set of industry-mandated security requirements for processing credit and debit card transactions. PCI DSS requirements apply to stores, online retailers, and any organizations accepting these forms of payment and cover a broad range of data protection, access control, and security topics. Compliance is not mandated by United States federal law, but there are typically state laws requiring that payment processors comply with security standards that refer to PCI DSS and similar standards.

If your company falls into any of these categories, you’re required to maintain the standards and agreed-upon security processes. Your company’s PCI DSS steps for compliance validation depend on your business size, how many transactions you’re running, and which payment brands you as a merchant or service provider have agreements with. The cost of failing to comply also varies, yet it is invariably a huge hit to your brand’s equity.

On top of that, attackers targeting personal and financial data of your shoppers are becoming ever more sophisticated and sneakier. Third-party risks are becoming more frequent and need to be guarded against. Because employees at retailers, banks, payment processors, and other organizations are constantly extracting sensitive, personally identifiable information and saving it into files on desktops, laptops, and file servers to complete other assigned duties, financial data—including credit card numbers—may exist outside a company’s protected data stores and be vulnerable to theft.

Your company has to secure personal financial data in any format—structured, unstructured, or semi-structured—to minimize any damages inflicted by thieving intruders.

The Challenge of Compounding Compliance Requirements

Along with PCI DSS, additional new data privacy regulations have been implemented in California, the US, and across the globe. The combination of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), for instance, brings tremendous regulatory requirements on companies handling personal data across the US and Europe.

The number of regulations domestically and internationally is growing, and the penalties for noncompliance are steep. Not to mention, the damage to your company’s reputation and loss of otherwise loyal customers due to breaches that leak private, personal data are potentially immeasurable and irrecoverable. COVID-19 or not, holiday shopping or not, your company is responsible for protecting every individual’s data according to the rights laid out in each regulation.

Is your company ready to protect personal data or face the consequences?

Full-Coverage Data Protection with PKWARE

It’s easier than you think to protect data both preemptively and after it has been collected. Our solutions work to protect your data by:

  • Discovering data assets
  • Identifying sensitive and personal data
  • Enforcing protection policies in real time
  • Identifying information and compliance obligations
  • Masking, redacting, and encrypting data
  • Tracking cross-border transfers
  • Solving for ITAR compliance

While protection is running, all the functional responsibilities of different departments processing the credit card and debit card payments remain unchanged. Your business experiences no disruption or slowdown of business, especially during the busy holiday season.

Get ready now for the holiday shopping season and beyond. Talk to a data security expert to get started with free data discovery capabilities so you can better protect your most valuable—and vulnerable—data. Get started here.
