Retail Sites, Personal Information and Data Security

With online sales surpassing US$100 billion last year and continuing to grow at double-digit rates, retailers are seeing greater profitability with their online operations. With this good fortune comes the added burden of protecting the personal data of customers.

As the list of regulations coming from federal and state agencies grows, companies are struggling with compliance. The importance of compliance with online standards to avoid litigation, brand erosion and negative publicity cannot be underestimated.

Protection from fraud and the misuse of confidential data are at the forefront everyone’s mind when it comes to shopping online. According to a recent InformationWeek survey, four out of five business and technology executives said that regulatory compliance is a distraction and that just tracking whether their organizations have met compliance goals is a big challenge.

So just how well are the top retailers doing in handling the personal information of online users?

Top Retail Sites

I scanned the top 10 retail sites in the U.S. for privacy and security compliance issues using Keynote’s WebIntegrity service.

This service scans a Web site for a number of things, including the existence of a privacy policy link on every page of the site, proper Platform for Privacy Preferences (P3P) implementation (for those sites that have adopted the P3P standard), the existence and content collected on secure and nonsecure forms on the site, and the existence and type of cookies on every page of the site.

The results I found might surprise you.

While I didn’t find any flagrant security problems with the most sensitive of user data — credit card numbers — I did find that, by varying degrees, even the largest retail sites in the country don’t protect all your personal information all the time.

Of the 10 major sites I tested, only one had no security holes when it came to collecting user data. Nine out of the 10 sites had one or more pages on their site where personal information such as a person’s name, mailing address and e-mail address were all collected without using data encryption.

When I say data encryption, I’m referring to the Secure Sockets Layer (SSL) protocol that is used on Web sites for scrambling data entered on a Web site. This prevents the data from being intercepted as it travels from your computer through the Internet and eventually to a database at the retailer’s data center.

To build trust with online shoppers and prevent anyone from stealing your personal information, almost all retail sites nowadays use SSL encryption as a default, especially when processing your credit card numbers during purchases. This can be verified by a lock icon appearing on your IE browser status bar.

Encryption Not the Norm

What I discovered during my research, however, is that SSL encryption is not the norm for all online scenarios where shoppers are entering personal data. Retail sites are letting their guard down when it comes to online forms such as creating an online account, using the gift registry and order tracking.

One site, for example, had over 20 nonsecure forms on their site that collected a shopper’s name, address, or e-mail address without using any sort of encryption. And the rest of the sites were almost as bad. The 10 retail sites I tested had an average of nine places where shoppers could enter personal information, and that information would be sent over the Internet without any encryption.

In some of the most egregious situations, retailers were collecting personal information from shoppers and also exposing this info to third-party cookies. This occurs when a third-party cookie — usually used for collected user demographics — exists on the same page as a non-secure form that collects personal information.

In fact, on one retail site, the cookie could have captured the shopper’s zip code. On another site, the shopper’s e-mail address could be passed to the cookie.

While these instances do not necessarily breach a retailer’s privacy policy with the shopper, they do raise questions with regard to shoppers’ expectations of privacy. I would expect that as shoppers become more savvy regarding shopping online, more than just credit card numbers will be considered sensitive data.

Retailers will need to stay ahead of these security and privacy concerns and start using secure forms when collecting any visitor data.

Getting into the Game

What do retailers need to do? They can start by monitoring their sites with tools, which can quickly uncover security and privacy problems related to the collection of visitor data.

The next step would be to work with their Web site development teams to establish new guidelines for forms and cookies on their sites. Thirdly, what their privacy policies are and how they can be adhered to must be communicated internally to all who touch the Web site. Lastly, retailers need to keep their online privacy policies updated and make sure they communicate the added security they offer to their customers.

Only by staying ahead of users’ expectations for privacy and security can retailers maintain the all-important element of trust with their shoppers and continue to see double-digit growth for their e-commerce initiatives.