Consumers consider retailers among the most likely companies to experience a data breach, and that perception will make it harder to persuade shoppers to opt in to share their personal data. Retailers need a fresh approach to protecting personally identifiable information.

Tim Horton, vice president of global security, First Data.

How ironic is it that the institutions consumers often dislike the most—banks and government—are also the ones they trust the most to safeguard their personal information?

And, paradoxically, businesses that consumers use the most—gas stations, telecom companies, and food services—are the ones they trust the least to protect their essential data from the hands of thieves.

We know this through a study of 1,700 respondents conducted by First Data. Its purpose was to learn about attitudes surrounding protecting personally identifiable information, or PII.

On the one hand, the findings are understandable: Consumers trust institutions that are records-driven, but not those that offer consumer interaction or are quick-swipe payment channels. To make matters worse, consumers figure that retailers, like restaurants and gas stations, are the most likely to experience a data breach.


If things don’t improve, the retail industry is headed toward a public trust disaster.

Simply put, if perceptions (and reality) get worse, retailers hit hard by data breaches will find it increasingly difficult to convince consumers that they’re on their side, looking out for them while they try to operate a successful business. The old adage that businesses need to be customer-driven will quickly become a meaningless mantra.

Consumers could be more leery about sharing data

The result? Retailers will have a hard time asking customers to share personal data. They’ll encounter increasing resistance to requests to join a business’s “club,” participate in a loyalty program, or opt in to initiatives that help businesses collect data that drives better decision making. Just when retailers are looking to leverage that data to build a sales promotion, connect with their valued customers, or recommend a next purchase, they could find it difficult to do so if that information is simply not available.

Despite bad perceptions, consumers do not appear to be constantly thinking about the security of their personal information. No matter what the age, about 25 percent of those surveyed think their data is safe unless they’re told about a breach. If a breach occurs, all customer segments feel betrayed, vulnerable and wary about doing business with a company that didn’t have PII protection top of mind.


Retail services must champion a fresh approach to instituting and communicating PII security standards while embracing the fundamentals:

  • Be security-minded – Before launching new engagement tools, retailers need to be mindful of potential security vulnerabilities. If your consumers are monitoring and leveraging such platforms, chances are financial criminals are as well.
  • Maintain communication – Today’s consumers are willing to forgive businesses that experience a breach—as long as they’re told about it on a timely basis and are kept informed.
  • Reinforce the basics – With communication becoming more important in the fight against information theft, retailers need to remind their customers of basic steps they can take to close or limit vulnerabilities.

Many retailers are doing the right thing

While many retailers are unprepared in this regard, many are doing the right thing by taking the necessary steps to prepare for the worst, including:

  • Implementing an end-to-end fraud monitoring solution that spans the entire commerce experience. Once a breach is identified, a business can then begin implementing its action plan.
  • Understanding the differences between payment data and personally identifiable information, and then reinforcing best practices for protecting that data.
  • Leveraging P2PE-certified solutions that secure data at rest as well as in transit, ensuring all data is both tokenized and encrypted.

In addition, make sure that you have a clear understanding of your organization’s cybersecurity risks, and are budgeting appropriately for the technology that can protect your business. Conduct an informed audit of cybersecurity activities in flight and assess the risk and monetary damage it can create. Also, budget for technology that leverages AI, machine learning, fraud scoring, and cybersecurity intelligence to fully secure the data you possess.

Follow these strategies and you’ll increase your protection against a breach. You’ll not only help preserve your customers’ personal data, but also elevate the stature of the retail industry as a whole in the eyes of the consumer.


First Data is a payment processor that serves 6 million businesses.