How to Protect Consumer Data from Cyberattacks
You know it's critical to safeguard your company's proprietary information from cyberattacks. But don't forget, as a requirement of the Payment Card Industry Data Security Standard (PCI DSS), you're also responsible for the payment information consumers share when they do business with you. If that data is compromised, you risk stiff fines, as well as losing the business of existing and potential customers who fear their data isn't safe.
Customers expect data security from businesses.
U.S. consumers know they must provide personal information when making purchases or other business transactions. But they are worried about cyberattacks in the U.S. (65%) and are skeptical about how well companies are protecting consumer data.[1] In a recent poll, just 34% thought businesses are doing enough to secure their personal information.[2] Such doubts can lead to sharp declines in customer loyalty.
How important is trust in a business relationship? A consumer trust survey revealed 80% of respondents would likely stop doing business with companies that have suffered cyber incidents.[3]
Strengthen customer data protection.
To protect your customers’ personal information from thieves, guard it as carefully as you do your own. These actions will help your business strengthen customer data protection.
- Understand the types of consumer information you need to secure.
Data privacy laws apply to four types of information that are considered “personal.”
  - Personal Information (PI): This data can relate to or describe an individual or household whether directly or indirectly.
  - Personally Identifiable Information (PII): Is a standalone means to identify a person. However, it can be used with other data.
  - Sensitive Personal Information (SPI): Data that doesn’t directly identify an individual but can be harmful if revealed. Minors are also included in these protections.
  - Nonpublic Personal Information (NPI): Another type of sensitive data, NPI governs how financial institutions manage customer-provided or transactional information. It isn’t publicly available.
Customer data security requirements are determined by the levels of risk. For example, a person’s name is considered “personal,” “personally identifiable” and “nonpublic” information. A credit card is designated only as “personally identifiable information.” Names should be protected but don’t carry the same level of risk as a credit card number if revealed.
- Secure payment data.
If your business accepts payments, you must secure customer data according to the PCI DSS – even if you use a third-party processor. What does that mean? There are 12 essential requirements for accessing and storing data, as well as documenting processes and testing security systems.
Security methods typically include tokenization and encryption to prevent fraud. Encryption encodes or scrambles data so it can only be accessed with a key. Tokenization automatically converts sensitive data into a unique, random set of characters, called "tokens." If stolen, these tokens are useless to hackers.
Strong passwords and multifactor authentication (MFA) are additional means to protect customer accounts. Strong passwords contain a lengthy combination of letters, numbers and special characters that are hard to guess. MFA identity verification includes software that generates an approval or code, security questions, or a short text or email with a link for response. Biometric authentication is an advanced technology that uses facial recognition, thumbprints, or some other personal characteristic for identification.
Digital wallets must also meet PCI DSS conditions.
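The tokenization described above, as an added example (not from the original article or any processor's code): a hypothetical `TokenVault` class stands in for the payment processor's vault, and the card number is a constructed test value. It shows why a stolen merchant record that holds only a token and the last four digits does not reveal the card number.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for a payment processor's token vault."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            # Random token: no key or formula turns it back into the card number.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str, authorized: bool) -> str:
        # Only the vault can map a token back, and only for authorized callers.
        if not authorized:
            raise PermissionError("caller may not detokenize")
        return self._pan_by_token[token]

def merchant_record(vault: TokenVault, customer_id: str, pan: str) -> dict:
    """What the merchant's own database keeps: token and last four digits only."""
    return {"customer": customer_id, "card_token": vault.tokenize(pan), "last4": pan[-4:]}

def record_exposes_pan(record: dict, pan: str) -> bool:
    """True if a stolen copy of the record would reveal the full card number."""
    return any(pan in str(value) for value in record.values())

TEST_PAN = "4111111111111111"  # constructed sample: a common test number, not a real card
vault = TokenVault()
record = merchant_record(vault, "C-1001", TEST_PAN)  # "C-1001" is a made-up customer id
print(record, "exposes PAN:", record_exposes_pan(record, TEST_PAN))
```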
- Establish a data protection policy.
Create formal guidelines for the types of customer data your company collects and the methods you use to gather and store the data. Be sure your policy is consistent across every type of device, application, business function and geographic location where data is collected.
- Limit access to customer data and train your employees.
To reduce risk and further strengthen data security, limit access to only employees who need it. However, employees sometimes unintentionally share information. So, you should regularly train all employees on the policies and procedures you’ve established to protect customer data. In fact, IBM lists employee training among the most important factors in reducing the impact of data breaches.[4]
- Clearly communicate with customers how you will use or share their data.
Consumers are willing to share personal data but want more control of how it is used. Almost 80% frequently think about requiring companies to get permission to collect and share their data.[5]
Keeping customers in the dark about data-sharing practices leaves you open to backlash and public scandal if the data is ever misused. Transparency is always the best course, along with ensuring that the parties with whom you share your customers' data have strong protocols in place to protect it. In fact, 64% of consumers said companies that clearly communicate their privacy policies earn their trust.[6]
- Keep abreast of industry regulations.
The PCI regularly assesses and updates guidelines on how to manage payment data. It also provides a dedicated resource center for merchant services, including FAQs, a glossary of terms, and videos on protecting your business from scams.
The Federal Trade Commission’s (FTC) Bureau of Consumer Protection oversees privacy laws. The agency’s goal is to provide a fair marketplace which includes defending U.S. consumers against exploitive practices, such as deception and fraud. The FTC conducts investigations, collects reports and has the authority to sue individuals and companies that break related laws. The agency also advises businesses and consumers of their rights and responsibilities. So, be sure you understand your role in maintaining consumer data privacy.
Taking steps to keep your customers’ data safe lets them know they can trust you. This assurance will keep them coming back to your business.
Personal data protection is an enormous responsibility. We can help. To learn how, complete a short form and a Synovus Treasury & Payment Solutions Consultant will contact you with more details. You can also call 1-888-SYNOVUS (1-888-796-6887) or stop by one of our local branches.
Important disclosure information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
1. U.S. News & World Report, “U.S. News 360 Reviews Survey Reveals Americans’ Data Breach Experiences, Cyber Attack Fears,” January 24, 2024
2. Ipsos, “Most Americans Say it is Increasingly Difficult to Control Who Can Access Their Online Data,” January 7, 2022
3. International Association of Privacy Professionals, “Privacy and Consumer Trust Report,” March 2023
4. IBM, “Cost of a Data Breach Report 2023,” July 2023
5. Ipsos, “Most Americans Say it is Increasingly Difficult to Control Who Can Access Their Online Data,” January 7, 2022
6. International Association of Privacy Professionals, “Privacy and Consumer Trust Report,” March 2023