Keeping Credit Card Numbers Well-Cloaked: Q&A With Fingerhut’s Mark Lieberg

It’s a fact that might not bring a lot of comfort to consumers and businesses, but it’s true: The methods for protecting e-commerce transactions haven’t changed a great deal since online shopping became a viable option in the early ’90s. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the encryption protocols that slap on that little padlock you see at the bottom of a Web site once you’ve begun the purchase process.

“The SSL is still used today because it largely is pretty effective,” said Mark Lieberg, information security manager, CISSP, for 60-year-old catalog company/direct retailer Fingerhut. “What’s coming into focus more sharply is, what do we do with the data after we have it? How do we secure that data and protect it from further security risk?”

While a wider variety of methods are available to protect data within a company, the chances of losing that data due to accidents or criminal activity have risen with the growth of e-commerce: a box of data tapes falling off a truck; a laptop with sensitive information lost or stolen.

However, Fingerhut — which ticketed US$500 million in revenue in 2008 — has committed to a relatively new security method that helps lock down data like credit card numbers: tokenization, an encryption technology that cuts down on the number of outside eyes having access to sensitive personal data.

As the PCI (Payment Card Industry) Security Standards Council begins to look for more stringent security methods and demand compliance from participating corporations, Lieberg believes that tokenization may give e-commerce companies the best chance yet to manage security compliance in the most cost-effective way.

E-Commerce Times: What is tokenization, and how do you implement it?

Mark Lieberg:

If you were a customer and came to Fingerhut’s Web site and said, “I’m going to make this purchase,” you would input your credit card number. That number would end up in what we’re calling our “vault,” a secure area of our network, and that nuBridges product would take that 16-digit credit card number, store it, encrypt it and return a “token” — a sixteen-digit number that represents raw data — and return that numeric value to the order-processing application. That number is not numerically related to the raw data in any way. From a security risk point of view, it’s inert. If I dropped that number on the street, nobody would deduce your credit card number from those values.

Now that order-processing application has a sixteen-digit number it can use to talk to other applications — or even for internal analysis. Your token is unique. The card-holder information is securely and more easily manageable in our vault.
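The vault flow described above (raw card number in, random sixteen-digit token out, downstream systems holding only the token, and the same card always mapping to the same token), as an added example that is not Fingerhut’s or nuBridges’ code: a toy token vault in Python. The HMAC-derived keystream standing in for the vault’s encryption, the hypothetical `TokenVault` class, and the choice to issue only tokens that fail the Luhn check are assumptions of this example, not anything the interview states.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: true for a syntactically plausible card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault: the only component that ever sees the raw PAN."""

    def __init__(self, master_key: bytes):
        self._key = master_key    # in production this key would live in an HSM
        self._store = {}          # token -> encrypted PAN blob
        self._index = {}          # keyed hash of PAN -> token (one token per card)

    def _keystream(self, nonce: bytes) -> bytes:
        # HMAC-derived keystream: stdlib stand-in for a real AEAD such as AES-GCM
        return hmac.new(self._key, b"enc" + nonce, hashlib.sha256).digest()

    def _encrypt(self, pan: str) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), self._keystream(nonce)))
        return nonce + ct

    def _decrypt(self, blob: bytes) -> str:
        nonce, ct = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce))).decode()

    def _new_token(self) -> str:
        # Random digits, so the token has no numeric relation to the PAN.
        # Tokens that would pass Luhn are rejected (a design choice of this
        # example) so a leaked token can never be mistaken for a real card.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._store and not luhn_valid(token):
                return token

    def tokenize(self, pan: str) -> str:
        """Called once at capture; everything downstream receives only the token."""
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        idx = hmac.new(self._key, b"idx" + pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._index:            # same card -> same token
            return self._index[idx]
        token = self._new_token()
        self._store[token] = self._encrypt(pan)
        self._index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault and its few authorised callers may do this."""
        return self._decrypt(self._store[token])
```

Downstream systems (order processing, finance spreadsheets) only ever call `tokenize` once and then pass the token around; `detokenize` stays inside the vault boundary, which is what shrinks the PCI scope.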

E-Commerce Times: What prompted the move to tokenization?

Mark Lieberg:

We decided for 2009 to formulate a project around PCI companies, because it’s very prescriptive and gives you a lot of guidance on what to do and what not to do. Because of controls that need to be built out for PCI, we would create a secure environment for the data that PCI cares about. For us — PCI being the mandate and being the most costly challenge for most companies — the best and most cost-effective approach is to shrink the card-holder environment to as few systems as you can, so tokenization is the most powerful way to execute on that. There’s a tremendous economy of scale there for all our downstream systems. If we tokenize at the point of capture of that data, all our downstream systems have the benefit of containing no credit card information, so it’s risk-inert from a PCI standpoint.

E-Commerce Times: Can tokenization be used for all kinds of customer data on the Web?

Mark Lieberg:

Not really. The biggest impact is how to protect the data once you receive it on the back end. E-commerce sites are different, but all are cut from the same cloth: They take credit card data from the customer and make some money. The game-changing capability of tokenization is around compliance and protecting customer data. It’s not a panacea for all kinds of data. It works very well for numeric data. As we proceed to change the ways we protect customer information, we’ll probably have a blended solution of encryption and tokenization. Fingerhut really needed a product that we could bring in-house and make part of our data privacy initiative.

E-Commerce Times: Is tokenization being widely accepted by e-commerce companies? Any statistics or quantification?

Mark Lieberg:

I don’t have a good feel for who’s adopting. I know of only one other company that has done it, and it’s a quite different company than what we do. Tokenization as a concept is relatively new, at least to me, and as I talk to my peers out there, almost universally when I explain the concept they all say, “Wow, that’s really smart.” It’s a great way to get a handle on private data that typically ends up in all the nooks and crannies of a company. We get in front of the stuff and tokenize it. We don’t care if Bob in finance has a spreadsheet with the token. It’s not really the customer’s number.

E-Commerce Times: Whether it’s tokenization or encryption, isn’t a security method only as good as the people who install and maintain it?

Mark Lieberg:

I’d say that’s absolutely true. Security is only as good as the people, and until we all have robot bodies, then maybe that won’t be true anymore (laughs). Beyond that, it’s really about reducing the number of eyes that can get at the raw data. We’ll now have our vault area, which will have many security controls that we wouldn’t have on our general production environments, including some strict requirements for authenticating that environment, strict log management to allow for who’s coming and going into the vault — all that kind of stuff you would expect. None of them are generally new, but they are very intensively maintained, and then there’s a whole host of process controls, and the people who have access to that environment will simply be very, very few. It’s a paradigm shift for IT and for the company in how we manage the data.


Digital Clienteling Platform Breathes Life Into Live Commerce

The marketing technique called clienteling is used by retail workers to establish long-term relationships with key customers. When applied to e-commerce, the practice is based on having access to data about their preferences, behaviors, and purchases.

A relatively new variation of this concept is digital clienteling. It follows many of the established marketing strategies but uses digital channels to engage customers outside the physical store.

In any form, clienteling is not a replacement term for customer service. The latter is a generalized term for all customer-associated experiences. Clienteling, on the other hand, is a smaller subsection of customer service that is entirely about building customer relationships.

Live commerce platform Immerss brings new digital foot traffic as an add-on website sales channel.

Immerss smartphone integration

Personal Touch Tool

Clienteling adds a layer of personal touch to the shopping experience that is missing on traditional CRM systems. The Immerss platform allows businesses to keep track of client purchases. This, in turn, gives in-store associates — who might be working from remote locations — the ability to identify the most loyal customers as well as their preferences to provide a more targeted service.

Immerss changed its marketing services offerings to develop a unique platform that connects its clienteling capabilities to retail clients’ CRM software.

Two years ago, Arthur Veytsman, CEO of Immerss, decided to pivot toward “productization” of his video commerce services, as he calls it. He developed a live commerce platform that changed how e-commerce sites serve their customers. It enables online merchants to sell online in real-time, dramatically speeding up a process that until now has mostly been done in person or offline.

“Tools like FaceTime, Zoom, and SMS messaging are all connection tools. They create collaboration. They create a connection between the two people. Facilitation of that is not easy. Our software is completely embedded with the client’s back end and platform, which allows us to be there when the conversation starts,” he told the E-Commerce Times.

Aha Moment

Early in the start of his quest for a new approach, Veytsman had a luncheon meeting with the president of Lucchese, a 138-year-old custom bootmaker based in Texas. The retailer was looking into potentially using live commerce as an option to work with online influencers.

In the course of their conversation, the president of the company bemoaned his dissatisfaction with the results of traditional CRM chat features. He saw a gap in how his salespeople performed in the direct-to-consumer store. On the sales floor, he explained, they do well when talking to clients and know how to meet their needs.

The Lucchese website never gave his sales staff the ability to speak to clients in the same manner. The chat channel was just meant to be a customer service arm. What the company needed was a way to connect clients with trained salespeople.

That scenario, noted Veytsman, described the typical journey of manufacturers or wholesalers forced to go online but were not naturally fit to be online. Lucchese’s predicament became Veytsman’s defining moment.

“That was really the aha moment for me to see a missing component in the whole retail e-commerce industry. And that is where we kind of went to the whiteboard to solve this problem,” he said.

Lucchese’s president signed up with Immerss in July 2019. The new software went live in 2020.

“Now the Lucchese website has a live sales arm. It entirely changed the way they do business,” said the Immerss CEO.

Impressive CX Results

The integrated platform took Lucchese through the pandemic. It enabled the company’s sales staff to work from home, so no one had to be laid off, according to Veytsman.

Post-pandemic retail at the custom-made boot store picked up even further. The company created a digital showroom because the number of inquiries coming through the sales portal was so high.

“Lucchese allocated five salespeople that do nothing but service sales calls. It’s been an amazing case study for us and for them an amazing story. We’ve kind of proven that this concept works. If you enable customers to connect with live trained sales associates, the magic happens,” said Veytsman.

Under the Proprietary Platform’s Hood

A panel of products enables the sales associate to see what the customer recently viewed. The salesperson can suggest an item directly in that window back to the client.

Together they can walk it all the way to checkout. It is a very embedded experience during the call. The rep can pause the call, add that person to the contact list, and then start sending messages with product lists and the links to reconnect whenever the client is ready.

“So, it is a full clienteling app versus discombobulated ways of connecting people together. It is all under one platform. That is the beauty of it,” Veytsman offered.

The Immerss platform brings a fully integrated solution connected with the retailer’s back-end software and CRM. The platform works via desktop, mobile devices (both iOS and Android apps), and web browsers.

Immerss is also integrated into the Shopify app. Veytsman’s roadmap is to do similar integrations with other SaaS platforms, e-commerce platforms like Salesforce commerce, WooCommerce, BigCommerce, Magento, and more.

How It Works

Immerss is completely hands-off in terms of consumer visibility. The retailer gets a website or app presence that is uniquely branded and fully automated. The Immerss platform’s integration remains hidden to shoppers.

“We connect their back end with our back end automatically. We enable them to customize their visual experiences so it feels and looks like their own software. So are the colors, the fonts, and everything else. When a client comes to their website, they see a sharp live widget,” noted Veytsman. “It looks and feels like it is a part of that website.”

On the retailer and manufacturer’s end, they get a back-office management panel. That is where they can define sales associates. There also they can see dashboard analytics on sales and performance ROI.

Immerss tracks sales activity and then reports that back to the brands so they can enable their sales force to embrace this tool. It gives them the ability to sell outside of the physical box.

Sales staff highly depend on that traffic coming into their store. That is the only way for them to make commissions, explained Veytsman.

In addition, Immerss is a tool for sales staff to sell worldwide with no limitation. It brings in traffic from the website as an add-on sales channel.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.


Malicious Bot Attacks Continue To Cost Retailers Big Bucks

Bot detection and mitigation firm Netacea on August 11 announced its research reveals that businesses are paying a high price because of the expanding use of malicious bot traffic deployed against them.

Automated bots operated by malicious actors are costing businesses an average of 3.6 percent of their annual revenue. For the 25 percent worst affected businesses, this equates to at least US$250 million every year.

A key warning sign for retail sector businesses shifting much of their customer-facing activities online since the pandemic is that mobile apps are under attack more than websites. Retailers have been online for quite some time now and have followed their customers to mobile channels.

These businesses may have a long history of dealing with bot attacks on their websites. But the expanded exposure through mobile apps makes them a more attractive attack vector.

Even more concerning is the time it takes to discover these attacks. On average, more than 14 weeks pass between a successful attack and its detection. This makes it difficult to limit the damage done to a business’s customer satisfaction, reputation, and bottom line.

Research Methodology

Researchers surveyed 440 businesses across the travel, entertainment, e-commerce, financial services, and telecom sectors in the United States and the UK.

They found that every sector had a substantial bot problem, with two-thirds of businesses detecting website attacks.

Almost half (46 percent) of respondents reported mobile apps had been attacked. Nearly one-quarter (23 percent) — mostly in the financial services — said bots had attacked their application programming interface or APIs.

“Last year, a particularly tough one for legitimate businesses already operating with razor-thin margins thanks to an economic slump, was a bumper year for those who use bots to leech off of those businesses — especially from bad actors who looked to take advantage of a significant shift to online working and retail,” said Andy Still, Netacea’s CTO.

Ubiquitous Bots

Businesses are affected by all types of bots. The report — titled “The Bot Management Review: What are bots costing your business?” — revealed the prominence of one main type of malicious bot. Scalper bots automate the purchase of inventory such as game consoles and other limited availability goods. These bots work faster than is possible for any legitimate user.

Other mainstream attack bots include the account checker bot, which uses stolen usernames and passwords to take over accounts. Account checker bots take advantage of data breaches and leaked passwords to compromise customer accounts.

Also noteworthy are the sniper bot and the scraper bot.

The most common example of sniper bot utilization is last-second bidding on auction items on sites like eBay.

Scraper bots automate the collection of large volumes of data from web pages and apps, such as product descriptions, pricing, inventory levels, and other public-facing information. That data is then used by nefarious actors to undercut deals, divert visitors or steal clicks.

Big Impact on CX

Over 80 percent of businesses reported that customer satisfaction had been negatively affected by bot activity. In particular, scalper and sniper bots were behind much of this customer dissatisfaction.

Typical businesses are not equipped to fend off these growing bot attacks which are more than minor nuisances. Malicious bots are taking a big bite from retailers’ bottom lines.

Few business security budgets are dedicated to bot mitigation, though for larger firms it is a little higher, at up to 20 percent, according to Netacea.

“While there is a greater awareness of the threat than in previous years, only five percent of security budgets is being used to target the problem. Businesses need to realize that bots are not a mere nuisance, but a genuine security threat, especially when a business is already struggling because of other factors,” observed Still.

Netacea’s previous research around the Genesis Market, an underground marketplace for stolen credentials, shows how sophisticated the industry is becoming.

Those operating bots do so at a professional level, with consultants, help desks, and highly specialized infrastructure providers accessible through covert forums, making bots widely available, according to Still.

Retailers’ Plight

For retailers, the bot assaults let the bad guys rig the buying and selling game. Looking at just one online marketplace like Amazon shows how bot attacks can hurt sellers.

It looks like a retail arbitrage (RA) game on steroids. If RAs can quickly purchase items on Amazon Deals or deep coupon discounts, then they can resell them for a profit, according to Jason Boyce, CEO and founder of Avenue7Media.

“In my opinion, it is not a long-term branding strategy, so I would never recommend it to anyone. Amazon’s system is fairly sophisticated about identifying scrapers to its website, but at the end of the day, it is a difficult challenge for them to completely block this activity,” he told the E-Commerce Times.

After all, they need shoppers to be able to easily search their website and buy from it. Limiting access to bots could harm their sales. They have to walk the tightrope here, he added.

Losing the Fight

Bots have been a part of internet life since the days of IRC (internet relay chat) and have impacted everyone who uses the internet, observed Bruce Snell, vice president of security strategy and transformation at NTT. People love those challenges to click each picture that has a boat in it to log into a website, he quipped.

“You can thank bots for that. Most of the time, bots are just annoyances, grabbing all the good seats when concert tickets go on sale or buying out all of a new sneaker release,” he told The E-Commerce Times. “However, bots are also used for a malicious activity like trying to log in to banking sites using leaked user credentials found in a data breach.”

Snell’s personal email address was in a recent data breach. For the past couple of weeks, he has been getting five or six emails a day from Instagram with a link to reset his password because a bot is trying to log in as him.

“Multifactor authentication can go a long way towards keeping bots from successfully compromising someone’s account, but at the end of the day, most bots look like regular traffic and can be difficult to identify by standard security tools,” he said.

Unfortunately, he does not see an end in sight because ultimately bots end up being a numbers game. A cybercriminal can use a bot to try logging into 500 different sites with stolen credentials. While many sites have fraud and spam detection measures in place, there are enough out there without protection that it makes a low-effort tool like a bot worthwhile to the bad guys, he explained.
