Data is the underlying reason for your decision to embark on a loyalty strategy. It’s the data that unlocks all the opportunities and, ultimately, the experiences you can deliver. Keeping this data secure needs to be your top priority.
It goes without saying that you need to ensure your customer data is protected. Therefore, you should look for a loyalty vendor that guarantees high-end security for your customer data. To assess the loyalty vendor from the data security perspective, the first step is to find out about the security protocols the vendor has in place for safeguarding the data. Does the vendor have security and compliance certifications that demonstrate they’re secure enough to collect and manage your data? Next, ask the vendor for their position on collecting data. Most loyalty vendors will talk to you about not sharing personal identifiable (PII) or payment card industry (PCI) data if it’s not needed. This isn’t because they don’t have the standards to keep your data secure, it’s because they understand that the fewer places your data travels, the better. Typically for loyalty, you will want the vendor to collect PII data. You’ll want customers to create a profile and share their preferences with you. On the flip side, it’s seldom necessary for a loyalty vendor to collect or use PCI data (such as credit card information). Next, you need to ensure that your data is stored properly. Your foremost security concern should be about where and how the customer loyalty data is stored—whether the vendor deploys in-house servers for this purpose, uses cloud services, or leverages third-party data centers. The data collected will need to flow between systems. For this, the vendor will follow standard encryption rules and ensure the data is encrypted both at rest and in transfer. You may also find out if the vendor's loyalty platform facilitates data exchange with other applications via a totally secured channel. It's crucial to know if the loyalty solution includes the essential security measures that allow only the authorized people to have direct access to the data.
Globally there is a significant movement happening, both in the U.S. and abroad, to protect people’s privacy. This movement is requiring companies to be good stewards of peoples’ data—including safe keeping of the data as well as giving customers a say in how a company uses their data. This started in Europe with the General Data Protection Regulation (GDPR). Then came the California Consumer Privacy Act (CCPA) which morphed into the California Privacy Rights Act (CPRA) in California. Ten U.S. states have hopped on board and now the federal government is looking at legislation to ensure the safety of personal data. Plus, new laws have come to fruition across the globe, including new laws in Australia. GDPR compliance ensures your data stays private and secured—it’s a prominent data protection standard set by the European Union. GDPR is designed as a standard framework for data protection, which global service providers commit to maintaining to ensure optimum privacy of their client's data. To reiterate, GDPR is only one of the many laws being enacted. Your own company compliance team should have a solid understanding of these laws. Make sure that your loyalty partner uses a similar standard.
One way to really kick the tires on your loyalty provider is to understand if they’ve gone through and completed IS27001 and SOC 2 security compliance. ISO27001 and SOC 2 standards evaluate the vendor's effectiveness against specific security principles and related data security criteria. The loyalty vendor's compliance to SOC security standards establishes the fact that the vendor fully meets the established security criteria and is competent to prevent unauthorized access to data.
Let's dig into the SOC 2 Type 2 evaluation.
ISO/IEC 27001 is an international standard for how to manage information security.The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, then revised in 2013. It details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)—the aim of which is to help organizations make the information assets they hold more secure.
Most organizations have a number of information security controls.However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of information technology (IT) or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover, business continuity planning and physical security may be managed independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.
Note that ISO/IEC 27001 is designed to cover much more than just the IT department.
What controls will be tested as part of certification to ISO/IEC 27001 is dependent on the certification auditor. This can include any controls that the organization has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively.
The controls reflect changes to technology affecting many organizations—for instance, cloud computing solutions.
Let’s dig into the SOC evaluation. It’s a multi-level evaluation across multiple principles.
The SOC 2 Type 2 audit is based on criteria used to evaluate controls relevant to the security, processing integrity, availability, confidentiality, and privacy of any system. The SOC 2 Type 2 report includes audit details of the service organization controls outlined by the Trust Services Criteria (TSC) set by AICPA.
IT system software and application programs
All manual and automated procedures
Personnel using the system
Physical, IT, and related hardware
Files, tables, data bases, transmission streams, and output processed by a system