by | 10 Nov 2015

Data minimization for eCommerce shops

With a high volume of personally identifiable information (PII) and payment card information changing hands with every transaction, the online retail industry is one of the most vulnerable targets of cyber-attacks. Recent data breaches at national retailers have shaken consumer confidence in the ability of many retailers to provide adequate security around the PII they collect. Learn how data minimization can help your eCommerce sites and how consumer preferences will shape future data collection practices.

What is Data Minimization ?

According to the EDPS (European Data Protection Supervisor), the principle of “data minimization” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfil that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it. Consumers are really divided on when to share personaly identifiable information:

Infography Data Minimization

Given the media attention on new data breaches, it is not surprising that data reveals consumers exhibit the least trust in the retail industry. In a Data Minimizartion report by Lexy entitled « Balancing Business Needs with Consumer Expectations », we can see that only 17% of consumers trust retailers with their PII for enrolling to open and maintain an account, compared with 60% of consumers who trust financial institutions and 50% who trust a health-care organization with their information in a similar scenario:

Data minimization for eCommerce shops

Personally identifiable information (PII) in the eCommerce industry

PII identification practices in the retail industry are driven by three distinct needs: fraud mitigation, marketing, and regulatory guidelines.

From a fraud mitigation perspective, retailers continue to struggle to contain the effect of fraud. With retail merchants paying $3.08 for each dollar of fraud loss they experienced in 2014 (up $0.29 on the dollar from 2013), they are acutely aware of the real costs associated with data breaches and fraud.

For businesses that accept credit card transactions, Payment Card Industry Digital Security Standards (PCI DSS) compliance becomes a critical issue for transforming data collection practices relating to credit and debit card information.  If you need more information on  it, I invite you to read this dedicated article « Payment information is the eCommerce hot potato ».

Maintaining compliance is an ongoing effort with indirect consequences for other types of PII, but even compliance does not necessarily ensure security.

Recommendations for Data Minimization

Retailers are asking for personal information that is not required. We recommend discontinuing this practice to avoid friction in eCommerce.

Reduce risks associated with data theft by streamlining the collection of PII where possible. Streamlining the data collection process, or limiting the collection of PII to only that which is necessary to establish identity, can reduce the risk to the organization and consumers in the event of a breach while also minimizing the burden on consumers when the PII is being collected.

As these actions do not necessarily ensure security, we advise you to continuously assess your website risks. OZON is a cybersecurity solution designed to help you to evaluate the risk level of your eCommerce site. No convinced? Try it for free!