Buyer's Guide to Retail: Retail data security

The retail market is typified by having a convoluted value chain.

The retail market is typified by having a convoluted value chain. A manufacturer creates a product that is shipped to a warehouse where it is then distributed to a shop where a consumer buys it.

Behind the manufacturer, there will also be a raft of suppliers - for example, for a biscuit manufacturer, there will be suppliers of sugar, flour, fats, flavourings and so on that all need to be provided as input feeds.

The problem with such extended value chains is the increasing amount of data that flows up and down the chain. Details including means of payment, customer names and so on may be included across a highly decentralised and complex chain - and yet little is being done to manage the data in a manner that assures confidentiality and compliance with presiding laws.

Where is all the data coming from - and how can it be dealt with in a manner that maintains security across the complete chain, while enabling each part of the chain to carry out its part of the process in an efficient and effective manner?

There is a selection of sources of data along the chain. From the main supplier's existing systems, right through to areas such as loyalty cards, reams of data are being created. In some cases, these can be isolated and managed in a contained manner; but increasingly, the need for data to flow up and down the chain means that openness is required.

For the most effective - and therefore margin-generating - supply chain, the data has to be managed in a cohesive and coherent manner, while still maintaining information fidelity, consistency and security.

For example, the original supplier creates a mass-consumer food product. Although this supplier does not need to know any details about the end consumer, it does need to know about the warehouse/distribution centre and the retail outlet. It may also need to send out information on the contents of the foodstuff to a labelling or container supplier in order to ensure that all labelling meets legal requirements. All this data is pretty much basic stuff, and its security needs are low.

Master data management

Now, let's consider a different product. The consumer wants to have a high-value product - such as a television - in a particular type that isn't in stock at the shop. The shop doesn't want to have to deliver it to the customer - far better to have it delivered straight from the manufacturer. Therefore, customer data has to be passed all the way down the chain, and then parts of it will need to be passed back up through logistics in order for the television to be delivered.

The main starting point to managing data along a value chain is to use master data management. By defining items and people as master records, certain types of information can then be associated with the master record without an external being able to tie the two items together directly. For example, if the customer "John Doe" is tied with a master record identifier of 123456789 in one data base, then attaching a credit card of 1234 5678 9012 3456 in an external database with master record 123456789 makes it far more difficult for the two items to be pulled together by an external party.

Likewise, the customer's address can be attached to the same record ID from a different database, as can their previous sales history, any communications between them and the company and so on. In this manner, information can be passed up and down a chain with only those with the correct credentials being able to access the information they need. The television manufacturer gets all the details needed to ship the television to the right person, as does the logistics company. Neither sees the payment details or anything else about the customer, but the retailer knows when the television has been delivered.

To further enhance data management and security, minimising data volumes through deduplication, the use of data tagging alongside effective partitioning can make it easier to identify what information an external should be able to access. Encryption makes sure that any data that is intercepted is still secure, while data leak prevention makes sure that any data that should never leave the network under your control stays within the boundaries.

Pulling it altogether, there will be items in the chain that are both data producers and consumers - the people, the items and the applications involved. With a managed data environment, access to the data can be managed through physical tokens such as RSA's SecurID, biometric systems such as fingerprint or iris recognition, or (as at least a basic security mechanism) a challenge and response system (bearing in mind that shared passwords make any audit trail invalid).


Audit is a necessity - with a complex value chain, the non-delivery of an item has to be easily traced as to where it all went wrong so that everything can be rectified as soon as possible. Part of this can be provided through the use of GPS systems in the logistics parts of the chain - data from which can also be used to optimise the logistics function through the use of isochrones to manage delivery points within a certain time limit, optimised delivery routes.

Security along a retail value chain should not be a major issue - it just requires some up-front thought and a degree of co-operation between the parties involved. The value of effective data management should both speed up the value chain and increase margins for all involved - surely a win-win all round.

Read more on Antivirus, firewall and IDS products