Protecting Customers

Written by Scott Repasky

From the Experts

The number one way to protect AND grow your customers is through customer support and service. Being accessible to your customers, responding to them quickly, and giving them the attention and service they deserve will assure them that they made a good choice in choosing you and will encourage them to continue to purchase products and services from you.

Key Considerations for Securing Customer Data

What Hackers Look For

When hackers break into networks, they look for critical points of entry. Businesses are not doing enough to close those entry points: even though they are now aware of what to look for, they are still not thorough enough in preventing them.

Common entry points include software update mechanisms, virtual private networks, authentication systems, the domain name service, and application frameworks.

Now, if businesses see those as a weakness, consider this. 80% of major security breaches come through hacking. About one half of the total comes from SQL injection and only a quarter from cross-site scripting. And even in those attacks, it’s not always about vulnerabilities in the software but rather about a lack of input sanitization. That means coding mistakes.
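The paragraph above blames SQL injection on missing input sanitization, that is, on a coding mistake. The added example below (it is not from the original article) shows the mistake and its fix side by side in Python with the standard `sqlite3` module: a lookup that pastes the caller's text into the SQL string, and the same lookup with a bound parameter. The customer table and the e-mail addresses are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "4242"),
            ("bob@example.com", "1881"),
            ("carol@example.com", "0005"),
        ],
    )
    return conn


def find_customer_unsafe(conn, email):
    """Vulnerable: the caller's text becomes part of the SQL statement itself,
    so a quote character in the input changes the query's logic."""
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_customer_safe(conn, email):
    """Fixed: the value is bound by the driver and can only ever be compared
    as data, never interpreted as SQL syntax."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A value that is not a valid e-mail but contains SQL syntax.
    crafted = "nobody@example.com' OR '1'='1"
    print(find_customer_unsafe(db, crafted))  # every row comes back
    print(find_customer_safe(db, crafted))    # [] - no customer has that e-mail
```

The point is that sanitizing input by hand is fragile; binding parameters removes the whole class of mistake, because the database never parses user data as part of the statement.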

In short, when businesses hire a developer and go through a hiring process, they’re not looking in the right place. They are not looking for people who can code well. They are not looking for people who understand good coding practices.

And so hackers are getting in and causing business owners to lose millions of dollars in data breaches. Their issue is that they are not being thorough in screening potential candidates.

The good news is that businesses can turn this around. When businesses start being thorough in screening potential developers, they can not only do their jobs better but also help in protecting businesses from data breaches.

Bad Passwords

What Not to Do

Passwords are vital to the security and privacy of websites' data. One of the most common forms of attack on web-based systems and databases is the username/password combination attack. The easiest way for an intruder to gain access to a website is to simply submit likely combinations of usernames and passwords. This is why it is imperative that every username/password combo submitted be unique.

While there are many things that can be done to boost the security of a website, one of the most effective ways to thwart username/password guessing attacks is to limit the number of attempts that can be made before the account is disabled. This helps thwart the bot-based attacks that are frequently used to compromise vulnerable websites.

To protect users from having their accounts locked out, it is recommended that sites do not block the current connection when a bad password is submitted. Rather, each attempt should be in a new browser window or tab. This will prevent users from having to repeatedly re-connect to the same page before they can try again. Another very practical method is to allow limited retrying and have the user enter their email address to disable the lockout after the specified number of attempts.
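The two paragraphs above describe limiting login attempts before an account is disabled, and letting the owner lift the lock through an e-mailed confirmation. The following Python class is an added example, not code from the article: it keeps a per-account failure counter, locks the account once the limit is reached, and exposes an `unlock` method for the e-mail recovery path. The limit of 5 attempts, the 15-minute lock and the in-memory dictionaries are assumptions for the demonstration; a real deployment would keep this state in a shared store and tie `unlock` to a verified e-mail link.

```python
import time

MAX_ATTEMPTS = 5            # failures tolerated before the lock engages (assumed policy value)
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts (assumed policy value)


class LoginGuard:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock          # injectable so the timeout can be tested
        self._failures = {}          # username -> consecutive failed attempts
        self._locked_until = {}      # username -> clock value at which the lock expires

    def is_locked(self, username):
        return self._clock() < self._locked_until.get(username, 0.0)

    def attempt(self, username, password_ok):
        """Record one login attempt. Returns 'ok', 'denied' or 'locked'.

        `password_ok` is the result of the real credential check, done by the
        caller; this class only decides whether the attempt may count at all.
        """
        if self.is_locked(username):
            # While locked, even a correct password is refused, so the lock
            # gives a guessing bot no feedback about which attempt was right.
            return "locked"
        if password_ok:
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        if count >= self.max_attempts:
            self._locked_until[username] = self._clock() + self.lockout_seconds
            self._failures.pop(username, None)
            return "locked"
        self._failures[username] = count
        return "denied"

    def unlock(self, username):
        """Clear the lock early, e.g. after the owner confirms an e-mailed link."""
        self._locked_until.pop(username, None)
        self._failures.pop(username, None)


if __name__ == "__main__":
    guard = LoginGuard(max_attempts=3, lockout_seconds=60)
    for ok in (False, False, False, True):
        print(guard.attempt("alice", ok))   # denied, denied, locked, locked
```

Locking for a window rather than permanently means a customer who mistypes a few times is inconvenienced for minutes, not cut off until support intervenes, while a bot cycling through combinations is throttled to a handful of guesses per window.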

Stored Customer Data

Customer information and login credentials are important for businesses and online stores. They are the key to success. In fact, many small businesses survive by their reputation and the trust customers and clients place in them. Data breaches are a growing problem for many businesses, and many businesses don’t realize they are a threat to their customers’ privacy.

Advances in technology are helping businesses grow, but they are also presenting businesses with new security challenges. New cloud-based storage and backup solutions are all increasing the amount of data many businesses are storing. In fact, many of these services route all information through a web portal that uses a single password. Data breaches can compromise sensitive information stored in customer logins and passwords, including credit card and Social Security numbers.

Many small businesses are not aware of these potential threats, even though better cloud-based security solutions are becoming available. Here are a few basic steps you can take to help protect your customers’ personal information, including credit card and Social Security numbers.

Use complex passwords

A strong password will resist cracking attempts. A password is considered strong if it's at least eight characters long, contains both letters and numbers, and contains at least one of the following:
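The list that the paragraph above refers to does not appear on the page. The Python function below is an added example, not part of the article, that checks the rules the paragraph does state (at least eight characters, letters and numbers) and assumes the unfinished list was one of special characters; it reports every rule a password fails rather than a bare yes/no, which is what a sign-up form needs in order to tell the customer what to change.

```python
import string

MIN_LENGTH = 8
# Assumption: the article's unfinished "one of the following" list is taken to
# be the standard punctuation characters.
SPECIAL_CHARS = set(string.punctuation)


def password_issues(password):
    """Return a list of the policy rules the password fails (empty if strong)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        issues.append("no letters")
    if not any(c.isdigit() for c in password):
        issues.append("no digits")
    if not any(c in SPECIAL_CHARS for c in password):
        issues.append("no special character")
    return issues


def is_strong(password):
    return not password_issues(password)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("abc", "password123", "Tr0ub4dor&3"):
        print(candidate, "->", password_issues(candidate) or "ok")
```

Returning the full list of failures matters for usability: a form that rejects "password123" with only "invalid password" sends the customer guessing, whereas "no special character" tells them exactly what the policy wants.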

Systems That Aren’t Updated

Keeping servers updated and web applications secure is good practice for the security of your customers’ information. An outdated system is a security hazard, potentially vulnerable to hackers, malware, and viruses because the system is not current. Additionally, not keeping applications updated slows the system down and may cause problems for the performance of the server. The result is functional trouble on one side and security risk on the other.

Updating a site is not a difficult process and it is often done by the client through a hosting company. If you find yourself browsing a site and wondering why it’s so slow, make sure the site is up-to-date. If you find a site has not been updated in years, it might not be the safest place to be browsing, especially if you have not visited the site before.

Low-Tech Points of Attack

Keeping your customers 100% safe should be of the highest priority, but security can be difficult to maintain. Many types of attack can be launched at the last minute without any previous indication. However, some irregular events are more indicative of ransomware, DDoS, or other issues. Do you have a plan in place to handle potential threats in case they arise?

Before you dive into a security concern, it helps to be aware of the different types of attacks that your company may experience. This can be another point to include in your business continuity plan to alert customers of potential security risks.

Here are a few examples of attacks that your company could potentially face:

Reconnaissance Attacks

These attacks require an attacker to gather information in order to plan a larger attack at a later date. An attacker may gather information on the company, including public information such as business hours and contact information as well as information on their customers.

Scanning Attacks

These attacks involve an attacker probing the online security of a company. In this type of attack, the intruder uses a port scanner to identify possible vulnerabilities in the company’s online security and attempts to connect to them.

Non-Isolated Payment Networks

Global transaction networks such as VisaNet, MasterCardNet, and the American Express Global Network connect thousands of financial institutions around the globe. Some people, not necessarily in the industry, believe that when your credit card is declined, the notification comes from the bank, the fraud-detection company, or the card issuer rather than from the merchant.

That’s not how it works, nor how it is supposed to operate. The card issuers and fraud-detection companies should only receive the notification of a transaction’s approval or decline. But here’s the catch: the banks and credit card companies lose the money on declined transactions, yet the person or business receiving the money should take full responsibility for the transaction that was declined.

If you believe the banks and credit card companies are the ones who should take care of the situation, you’re wrong. The only person or business that actually has to make sure you get your money back is the one you originally purchased the goods from. The financial institutions will not compensate merchants for declined card transactions. Besides, merchants usually have insurance covering fraud or fraudulent transactions.

Complying with PCI Data Security Standards

Credit card data protection is a serious issue because of the very nature of what you do as a business owner. Your business exists because people want to use their credit cards to buy goods and services. This means you handle financial information every day.

The rules that govern how you, as a merchant, store and protect this information are called the PCI Data Security Standards (or simply, the PCI Standards). They've been around in various iterations for quite a few years now and were last updated in May 2015. These standards set the bar for protecting customers’ card data, but they also rely on you to protect customers’ privacy as you store and process their data.

Knowing the basics of the PCI Standards and how to meet them is a must for every business owner. In many cases the standards are made more clear by issuing security guidelines from various card brands including Visa, MasterCard, and Amex.

As a business owner, you need to:

  • Accept and process all major credit cards.
  • Protect cardholder data.
  • Protect the network infrastructure.
  • Manage third-party data security.
  • Implement and maintain a policy to handle data breaches.

Security Terms Worth Knowing

While profiling your customers and taking security measures that best fit your customers’ needs are also important, there are some basic security terms and definitions that you should know to help your company avoid falling victim to fraud. Credit card fraud is one of the most common types of retail fraud. This occurs when a criminal uses a legitimate card without the card holder’s permission and often commits identity theft.

When we say credit card thieves "steal" and "damage" cards, we aren’t using figurative language. They actually steal, damage, and in some cases, even change the number on the card. They can do this to make the card usable, because the card can be reversed if the owner is found. So, before you read through the different types of fraud, let’s define the terms used in the industry.


Sockets Layer:

Transport Layer:


The Future of Card Security… What does it mean for businesses?

Would you like to protect your customers’ payment information and improve your business security? Then you want to check out tokenization. First things first: It’s not plastic. Tokenization is a form of data security that replaces sensitive, personal information such as payment, cardholder, and personally identifiable information (or PII) with a unique identifier represented in a single-use digital token.

When a token is compromised or stolen, it creates a risk impact that’s limited to a single-use application, which won’t affect the rest of the business operations. Tokenization helps businesses and organizations reduce the impact of payment security breaches and it avoids the loss of any customer or cardholder data.
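The two paragraphs above describe tokenization: the card number is swapped for a random, single-use identifier, so a stolen token is worth nothing beyond that one use and the merchant never holds the real number. The Python below is an added illustration of that flow, not the article's or any payment provider's code. It assumes an in-memory dictionary in place of a real token vault (a separately secured service), uses the well-known test card number 4111 1111 1111 1111 as constructed input, and keeps only a masked form on the merchant side.

```python
import secrets


class TokenVault:
    """Stand-in for a token vault. Assumption: a dict replaces the separately
    secured service a real vault would be; only the flow is demonstrated."""

    def __init__(self):
        self._tokens = {}   # token -> primary account number (PAN)

    def tokenize(self, pan):
        # The token is random, so it reveals nothing about the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._tokens[token] = pan
        return token

    def redeem(self, token):
        """Return the PAN for a token, or None. Single use: the mapping is
        removed on first redemption, so a token captured later is worthless."""
        return self._tokens.pop(token, None)

    def __len__(self):
        return len(self._tokens)


def mask_pan(pan):
    """The only form of the number the merchant keeps or shows: last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def store_card(vault, pan):
    """What the merchant records at checkout: a token and a masked PAN, never the PAN."""
    return {"token": vault.tokenize(pan), "pan_masked": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    record = store_card(vault, "4111 1111 1111 1111")   # constructed test number
    print(record)
    print(vault.redeem(record["token"]))   # the PAN, once
    print(vault.redeem(record["token"]))   # None: already used
```

If the merchant's database leaks, the attacker gets tokens and masked numbers; the tokens can only be redeemed inside the vault, and each one only once, which is the "risk impact limited to a single use" the text describes.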

Below are 6 common myths relating to tokenization that we’d like to clear up for you.

Two-factor authentication:

Two-factor authentication is a security standard created to proactively address malicious attacks. For example, when a cyber criminal tries to hack an account, a cyber security assistant that recognizes a suspicious signal can flag the account. Another form of two-factor authentication is a text message or e-mail containing a code that is sent to you when you log in to your account. It is a great method of keeping your customers’ data safe. Here's how Salesforce sets up two-factor authentication.

Salesforce login process with two-factor authentication:

1. The user accesses Salesforce and attempts to log in.
2. The customer assistant recognizes the request as valid or as a possible anomaly.
3. The customer assistant identifies whether the computer or device is associated with other user Salesforce accounts.
4. The customer assistant recognizes that the identification is in the customer’s corporate address range, and then authenticates the request.
5. The password is matched with a master password associated with the Salesforce account.
6. Salesforce verifies the user’s identity by sending a two-factor authentication code to their phone.
7. Authorization schemes: Salesforce encrypts the JSON Web Token and sends both the encrypted token and a second cryptoseal (the shared secret password) to the user’s phone.
8. The user enters the password and the code.
9. Salesforce validates the shared secret and the code and authenticates the user.
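The second factor described above is a code sent to the user's phone or e-mail that the site then validates. The Python class below is an added example of the server side of that step; it is not Salesforce's implementation and not from the article. It assumes the code is delivered out of band by the caller, keeps only a salted hash of the pending code (so a leaked table does not reveal valid codes), expires it after an assumed five minutes, compares in constant time, and discards it after one successful use.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed validity window for a delivered code


def _digest(salt, code):
    return hashlib.sha256(salt + code.encode()).digest()


class SecondFactor:
    """Issues and verifies one-time login codes for the second authentication step."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # username -> (salt, digest, expiry time)

    def issue(self, username):
        """Create a fresh code for the user; the caller delivers it by SMS or e-mail.
        Only a salted hash is stored server-side, never the code itself."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = (salt, _digest(salt, code), self._clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, username, code):
        """True only for the current, unexpired code; each code works once."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, digest, expires = entry
        if self._clock() > expires:
            del self._pending[username]
            return False
        ok = hmac.compare_digest(_digest(salt, code), digest)
        if ok:
            del self._pending[username]   # single use
        return ok


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")          # in practice: send this to alice's phone
    print(sf.verify("alice", "000000") if code != "000000" else "skipped")
    print(sf.verify("alice", code))   # True
    print(sf.verify("alice", code))   # False: already consumed
```

The code is the second factor only while it is fresh and unused; the expiry and single-use rules are what stop a code read from an old message, or one intercepted after the user has logged in, from being replayed.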

Monitoring for Signs of Payment Fraud

Your business relies heavily on credit card purchases from your customers, which also means that you are vulnerable to payment fraud. Whether it’s fraud by individuals or by groups of bad actors, you need to protect yourself. If you encounter a fraudster, the damage they can inflict on your business could seriously undermine the hard work you’re putting in. Businesses that deal with e-commerce are especially vulnerable because card-not-present (CNP) transactions attract more fraud.

Protecting yourself from e-commerce fraud doesn’t have to be difficult, and there are several easy ways you can:

  • Monitor for signs of payment fraud in your business.
  • Design a payment system that is secure and requires minimal processing.
  • Use data analysis and digital identity solutions to identify fraud.
  • Protect your business whenever possible.

This chapter will help you understand the signs of payment fraud and how you can deter fraudsters from using your credit card terminal and your business.

Customers Who Can’t Get Into Their Accounts

If a customer is locked out of their account, there are many reasons why. In many cases, it is the customer blatantly ignoring the rules, using auto-logins or password recovery emails generated by the customer’s browser. In these cases, the problem is not on our side.

In most cases, we or the customer has changed a password or attempted to access accounts using a too-similar password.

If a customer reports that they cannot get into their account after a password change and claims that the old password doesn’t work, the site operator should work through the following steps, in order:

1. Check the plaintext on the account to see if they entered an old password.
2. Make sure the customer is actually using the correct e-mail address.
3. For security reasons, ask the operator to check their server logs.
4. If the account has been accessed recently, make sure the site is using strong passwords and that the customer is not using a password reset service or saving passwords in the browser.
5. If you must use a password reset service, make sure it is email-protected and that the customer can’t save the link or click on it.

One Address, Many Orders

When you have a warehouse full of orders, products that are becoming obsolete, and a small staff, it can be difficult to maintain inventory in house. If this is the case for you, you will need to ship directly to your customers. When your customers ask for an address, you can quickly provide them with the virtual one of the software.

To connect your software to the shipping company's gateway, you'll need to provide the following two pieces of information:

Account number / Username: this will allow you to integrate shipping rates to an account number

Protection of your customers is always important. You can never be too careful when sharing sensitive information with other vendors. If you have any doubts, check with your sales manager, customer services rep and/or tech support team, to see if they offer a crash course in privacy and security. They should be able to point you in the right direction and teach you how to keep your customers protected.

Compromised Payment Terminals

The Lookout blog has an entry on how attackers are compromising automated teller machines and other POS (point of sale) terminals in order to skim credit card numbers from unsuspecting victims.

The way this scheme works is that malicious software, once installed on the compromised terminal, reads the data off the magnetic strip on the back of a card and stores it on the device. This can include card numbers, the cardholder’s name, and expiration dates. All of this data is kept in a stolen-data storage vault that's usually reachable via a pre-paid mobile phone number or through an anonymous internet connection.

The stolen data storage vault is then put on sale on criminal forums. This information will be sold to fraudsters, who will then go about cloning credit cards and, in some cases, purchasing stolen goods over the Internet.

Another way criminal organizations use compromised credit card terminals is to collect skimmed card data, which is then used for a variety of fraudulent purposes. It may be used to purchase larger goods and services from a variety of suppliers, or for fraudulent identification purposes.

The Chargeback Conundrum:

Limit Chargebacks to Limit Fraud

When it comes to fraudulent chargebacks, it is the merchant who is left to pay the court costs and the fines associated with the chargeback. Another troubling aspect of chargebacks is that a merchant cannot legally recover any lost revenue or fees associated with the chargeback.

The good news is that some card processing companies have come up with a way to protect customers and limit chargebacks. For customers, it helps them feel safer when shopping online. For merchants, chargeback percentages are lower. To understand how the solution works, we have to take a look at the current fraudulent chargebacks process:

1. A consumer initiates a chargeback request by filling out a generic complaint form with the credit card company.
2. The credit card company then requests documentation from the merchant.
3. The merchant then has to send all documentation to the credit card company.
4. The credit card company then reviews the documentation and decides if the chargeback should be approved.
5. The card is still in the hands of the merchant, but a hold is put on the funds for seven to eight weeks while the credit card company investigates the chargeback.

Can You Ask for ID with Credit Card Purchases?

Many retail stores who accept credit cards have a policy that prohibits asking for ID on credit card purchases. However, there are some exceptions. For example, if the credit card is being used by an organization or business such as a restaurant that is reimbursing an employee for a purchase, then you can ask for ID. Also, if the credit card holder is an elderly person and you need to verify the signature on the back is valid, then you can ask for some identification. However, if there is no personal contact between the buyer and store employee, it is not okay to ask for proof of age or identity.

What Causes Data Breaches

A security breach is an incident in which unauthorized third parties disrupt, corrupt, or gain unauthorized access to a system or asset. An attack may be an internal process designed to steal or corrupt data, or an external process against a customer designed to steal, corrupt or destroy data. These attacks are not bound by time or geography and may utilize online interfaces, local access methods, or remote network attacks. Since the end of the first dot-com revolution, security breaches have been on the rise, and they’re costing businesses billions every year.

There are different types of breaches:

Attackers cause data breaches by stealing sensitive data from a company's networks. That data can be used by identity thieves to commit fraud, by corporate spies to gain a competitive advantage, or by cyber terrorists to bring down utilities, banks, or government websites. For example, in 2012 an employee of the St. Louis, MO police department had his flash drive stolen; it contained thousands of fingerprint files and personal identification information.

What to Tell Customers About Breaches

Before last year, issuers were required to notify customers about breaches involving certain types of information, including Social Security numbers (SSN), account numbers, and driver’s license numbers. The regulator recently voted to postpone this requirement until later this year. The delay gives issuers more time to consider how to communicate with customers about these types of breaches in a way that is effective and timely, while protecting customers’ privacy and improving accuracy.

What Issuers Should Do

  • Communicate with customers in a rapid, transparent, and accurate way.
  • Understand that the delay to the breach notification requirement means consumers will quickly lose their right to freeze their credit. This is a risk factor that issuers should include in their risk management processes.
  • Help consumers understand that the delay provides issuers more time to consider the right way to communicate with customers about suspected breaches.
  • Build in policies and systems so that if a breach is identified in the next few months, issuers can still communicate quickly, fairly, and in a context customers can easily understand.

How the breach happened

According to the article published by the Brisbane Times, the cause of the breach was a spreadsheet containing Brisbane City Council (BCC) customer information which was not appropriately password-protected. This opened the spreadsheet up to being viewed or edited by anyone with access to the Google Drive, who had permissions to do so. While the spreadsheet was, indeed, password-protected, the document could still be viewed. People outside of BCC could view the document, but not make changes, because users were required to log on using their Google credentials.

What information was taken

Account details for 35 of the company's customers were compromised, including personal data like addresses and email addresses.

What steps is the company taking to protect customers?

Fancy Hands has hired an external security firm to investigate what happened and is currently in the process of notifying its customers. The company also says it will be taking additional security measures to prevent a future breach.

What else are customers being told?

Fancy Hands isn't saying exactly how the hackers gained access to customer information. The company does believe that the information was taken from its systems and not gathered elsewhere or through other means. Fancy Hands has explained that it's now implementing additional security audits and technology that should prevent another breach in the future.

Main Takeaway

Fancy Hands is taking steps to protect customer information, but this is certainly a scary situation for any customer who may have had personal or financial information stolen. It may be a good idea to monitor financial and credit card statements for suspicious activity if you happened to be one of the company's customers affected.

How the thieves have used the information (if you know)

A friend's information has been stolen, again. She has had this happen to her several times. She allowed someone to come to her house to get something and someone stole the information off of her. She didn't allow anyone to come to her house, but at least three times someone has used her ATM card.

The first time, she was in the bank withdrawing money. She left her ATM card in the ATM machine. The bank told her that someone in another area bank, that Alice had never been in, had taken money out of her account through an ATM machine.

Alice was upset and started monitoring her accounts closely. Within one week, when she went to the grocery store, she went to her bank to pick up her groceries. She had placed her check and money in her handbag. Someone came up from behind her and grabbed her money and check.

After that, Alice wouldn't leave her handbag out of her sight. It had taken Alice almost two months to pay the bills from the theft in the grocery store, but she insisted on paying them. The crooks were going to be paid and the checks wouldn't bounce.

What actions you have taken to remedy the situation

Customers expect a response, action and redress, when they have had a bad experience with your company. The best redress you can give is a refund for the integrity of the item or service you delivered, the bonus reward of making it right for that customer. This is at the heart of your reputation.

Is the supplier of the item or service that you have supplied, able to resolve the issue quickly? If you are at fault, how will you go about rectifying the issue?

The more proactive you are, the less room there is for customer complaints and the fewer problems you will have. Being able to resolve issues quickly is one of the best things you can do for your company and for your customers.

What actions you are taking to protect individuals, such as offering free credit monitoring services

This is important to customers.

In B2B sales, retention of existing customers is key. Businesses lose an average of about 11% of customers annually. This is in part due to customer dissatisfaction with a B2B business. That means a healthy percentage of these matters will result in customers filing complaints, which may also affect your business reputation. As such, customer care is one thing above all others that you must excel at, whether you are making sales through social media or cold calling. Therefore, it is important to protect the information you share with customers.

The first step in protecting yourself and your customers is to assume your Facebook Page, Twitter feed, or other account will be breached at some point. No matter how secure you think your accounts are, there is no guarantee someone will not gain access to your information. Take the time to set up strong passwords and to periodically check on your privacy settings to make sure you are only sharing the information necessary for you and your business to run successfully. For example, do not provide your home address or cell phone number, as neither is needed on your Business Facebook Page.

Once you have taken the basic steps to improve your privacy settings, inform customers of your best efforts. Also, let them know that if anyone should breach your privacy settings and be able to access any of your customers’ information, you will take swift action to protect everyone’s information.

How to reach the relevant contacts in your organization

A common challenge in many companies is to find the right person to get in touch with if you have a concern or feel mistreated by a specific person in your organization. This should be easy if you only have a couple of people to choose from but when you have a large organization and many departments it can be a real challenge.

Most organizations have a complicated hierarchy with different management levels and various functions addressing specific customer needs. A customer who feels mistreated by a particular person is obliged to contact that person's direct supervisor; when the contact person is not the right one, finding the correct one can be a problem.


Whether you’re using Lean Thinking or Lean Principles to improve an existing operational process or are starting a new Lean journey, it’s important to meet and grow your team as you go. Through this book I hope you’ve learned the benefits Lean offers, have agreed with some of the principles, and have gained deeper understanding into how you and your team can improve processes by thinking differently and “being different” from the rest of the organization. This can be scary, but as you’ve seen through my stories and experiences, my team and I have learned that it’s very possible to maintain harmony between improvement and operations. We’ve achieved this by sharing our action plans, proceeding carefully, open-mindedly, and by considering in advance how our approaches may affect our customers.

The book is over now, but the adventure is just beginning. There are loads of techniques, tips and tricks out there that can help you and your team on your journey, and together we can all take the principles of Lean Thinking and Lean Principles forward.

Additional Resources

  • [Customer Support Secrets: What are your Numbers?](/skills/customer-support-how-to/customer-support-secrets-what-are-your-numbers)
  • [Customer Support Best Practices: What are your agents doing with tickets?](/skills/customer-support-how-to/customer-support-best-practices-what-are-your-agents-doing-with-tickets)