White NRA Horizontal logo


The Digital Business Kit for Retailers

Learning Outcomes

Retailers will gain an understanding of the different online Security and privacy risks and opportunities to address these. [printfriendly]

mod-arrow Data Collection

Data collection such as e-commerce and registrations

Retailers that are engaging in online sales (e-commerce) or collecting customer data in registrations forms have unique security and privacy considerations. Retailers may be using proprietary solutions or using a 3rd party program to collect and process this information. If a retailer collects this information, they are responsible for its security, whether hosted locally or in a 3rd party provider’s system.

What are some examples of data collection?

  • “Contact us” forms
  • Tentative registration forms that ask for credit card numbers
  • Event registration
  • Surveys that ask for personal information
  • Purchase request forms
  • Shopping carts

Customer information collection and storage: Depending on the industry in question, the level of privacy around customer information will vary. Examples of industries requiring very high security in data collection and storage are health services, government, and legal services.

What are some best practices of data collection?

  1. DO NOT collect and store client credit cards unless your company has a certified web page and database (see SSL and PCI compliance below). There are certified 3rd parties such as PayPal* that can offer services to handle e-commerce safely.
  2. Security should be an important factor when mapping out the design goals of a company website. Most sites do this with an SSL security certificate to protect web pages that collect customer information online. You can purchase a certificate from your hosting company, or there are some ecommerce platforms like Shopify* or PayPal* which have a default built-in SSL upon checkout.* Note: these are industry examples and not an endorsement or reference for these services. When you are shopping for a service provider or reviewing your current system, make sure certification and SSL, at minimum, are in place.
  3. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for global organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organisations handling large volumes of transactions; or by a Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes. Interested in more information in PCI compliance? http://en.wikipedia.org/wiki/PCI_Compliance.