Securing Customer Data – A Playbook for Print Service Providers

PSPs are the stewards of vast amounts of data. Here’s how to protect sensitive data from the growing threat of cybercrime.

Laurie Weller
February 1, 2018
Data protection is becoming more important than ever.

From Target to Home Depot, Equifax, and Uber, it seems that consumer data is an easy target for cybercriminals today. While consumers routinely hand over large amounts of personal information to retailers, healthcare providers, financial institutions, and social media sites, one can’t help but wonder: Who has access to this information – and how is it being protected?

As a print service provider (PSP), you have an obligation to secure customer data according to a host of government and industry standards. And, with fraud ever-expanding across the consumer landscape, the cry for data security across your systems and applications is louder than ever.

“For today’s printer, securing data is paramount,” said Ryan Kiley, director, strategic production services, commercial and industrial printing group for Ricoh. “Every single printer handling even potentially sensitive data needs to develop and adhere to a set of security protocols.”

Tim Coker, information security practice manager for All Covered, the IT division of Konica Minolta, added, “It could be very important to a PSP’s business if the data it is receiving from clients contains PII (personally identifiable information) or other confidential data. If you have that kind of data, you become subject to federal, state, and local regulations as to how to protect it.”

Kristen McKiernan, president of AccuZIP, Inc., notes that security mandates are particularly important for PSPs that conduct mailings for clients or offer data quality services. “Data must be protected and stored in a secure physical environment and encrypted in digital communications,” she said.

For most PSPs, securing data is a complex task, though, says Kiley. “Because print systems have so many moving parts, there is a large threat surface,” he said. “Production hardware often has several servers, network controllers, hard drives, and so on. Security needs to be baked in or added to each of these. It’s also important to remember that implementing security is not solely limited to the print device itself, but also, and equally importantly, to the main elements of workflow that the job interacts with.”

Choose the right partners

To ensure customer data remains secure, Thomas Schnettler, head of business development in Europe for locr GmbH, advises PSPs to only partner with businesses whose operations meet the highest data security standards. He notes that locr adheres to the rules and restrictions of the German Federal Data Protection Act (also called the Bundesdatenschutzgesetz or BDSG), “one of the strictest data protection regulations in the world,” he said.

AccuZIP software is SOC (Service Organization Control) 2 compliant today, and will soon be HIPAA (Health Insurance Portability and Accountability Act of 1996) compliant as well, which, McKiernan affirms, will “ensure that AccuZIP has all the administrative, physical, and technical safeguards in place as required of a HIPAA-compliant data center and business associate.”

Conduct a thorough security audit

To ensure that the right tools and practices are in place, says Schnettler, PSPs should conduct a comprehensive security audit. 

“A company needs a working and serviced firewall, working and serviced virus detection software, and a company security policy based on the existing laws and regulations for data security in the country in which that business operates,” he said, adding that security needs to be kept up to date, as well. “It is basically not a question of what types of hardware or software are implemented. It is mainly a question of how they are maintained.”

Patch your systems

According to Kiley, to protect data well across the environment, physical security, network security, and employee training all work together – and must be actively managed.

“Physical security involves restricted access, unique passwords, chain of custody audit trails, and secure hard drive disposal, among other things,” he said. “Network security includes developing a patch plan that keeps operating systems and applications up to date, implementing firewalls, and conducting vulnerability assessments. Employee training should show employees both security best practices in their day-to-day work and how to identify vulnerabilities as they arise.”

Schnettler also recommends limiting data access to only those employees who absolutely need it. “Any customer data that is used needs to be handled securely during the whole production cycle,” he said. “Only a few people should have access to this data and prepare it for production.”

It is also important to recognize that some types of data are more sensitive than others. “PII is the first thing printers have to protect, including names, addresses, social security numbers, and birth dates,” said Coker. “After that, any data that is considered confidential or critical to their customers requires protection. Finally, PSPs need to secure their own internal business data.”
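The tiering Coker describes only works if a shop can tell, before a job enters production, which files actually carry names, addresses, Social Security numbers or birth dates. The script below is an added example, not code from the article or from any of the vendors quoted in it: it scans an incoming variable-data CSV, reports the columns that hold PII, assigns a handling tier, and produces a masked copy for proofing. The two CSV files embedded in it are constructed for the example and describe no real person; the column names, the tier labels, and the masking rules are assumptions chosen here, not a standard.

```python
import csv
import io
import re
from typing import Dict, Tuple

# Constructed sample of a variable-data mailing file as a PSP might receive it.
# Every value is invented for this example and matches no real person.
SAMPLE_JOB_CSV = """first_name,last_name,address,city,state,zip,ssn,dob,offer_code
Alice,Example,123 Main St,Springfield,IL,62701,123-45-6789,1980-04-12,SPRING20
Bob,Sample,9 Oak Ave,Madison,WI,53703,321-54-9876,11/30/1975,SPRING20
"""

# A second constructed file with no personal data, e.g. a paper stock report.
SAMPLE_INTERNAL_CSV = """sku,description,on_hand
P-1001,80lb gloss cover,4200
P-1002,100lb silk text,1800
"""

# Column headers treated as PII by name alone (assumed naming conventions).
NAME_HEADERS = {"name", "first_name", "last_name", "firstname", "lastname", "full_name"}
ADDRESS_HEADERS = {"address", "address1", "address2", "street", "city", "state",
                   "zip", "zip_code", "postal_code"}

# Value patterns for the two identifiers that warrant the tightest handling.
# SSN in AAA-GG-SSSS form, excluding area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
# Date of birth in ISO (YYYY-MM-DD) or US (M/D/YYYY) form.
DOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})$")


def detect_pii_columns(csv_text: str, sample_rows: int = 50) -> Dict[str, str]:
    """Map each column that carries PII to the kind found: name, address, ssn or dob.

    Header names catch name/address fields; SSN and DOB columns are recognised by
    their values, so a column with an unhelpful header such as 'id2' is still caught.
    Only the first `sample_rows` rows are inspected to keep this cheap on large jobs.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = [row for _, row in zip(range(sample_rows), reader)]
    hits: Dict[str, str] = {}
    for col in reader.fieldnames or []:
        header = col.strip().lower()
        values = [(row.get(col) or "").strip() for row in rows]
        non_empty = [v for v in values if v]
        if header in NAME_HEADERS:
            hits[col] = "name"
        elif header in ADDRESS_HEADERS:
            hits[col] = "address"
        elif non_empty and all(SSN_RE.match(v) for v in non_empty):
            hits[col] = "ssn"
        elif non_empty and all(DOB_RE.match(v) for v in non_empty):
            hits[col] = "dob"
    return hits


def classify_job(csv_text: str) -> Tuple[str, Dict[str, str]]:
    """Return a handling tier plus the columns that drove it (tier names are assumed here).

    'pii-restricted': SSNs or birth dates present; encrypt at rest, named staff only.
    'pii': names and/or addresses only; still personal data under normal PII handling.
    'no-pii-detected': nothing recognisable; the job owner must still decide whether
    the content is customer-confidential or internal, which a scanner cannot judge.
    """
    hits = detect_pii_columns(csv_text)
    kinds = set(hits.values())
    if kinds & {"ssn", "dob"}:
        return "pii-restricted", hits
    if kinds:
        return "pii", hits
    return "no-pii-detected", hits


def mask_for_proof(csv_text: str) -> str:
    """Produce a copy safe to circulate for proofing: SSNs keep only their last four
    digits and birth dates are blanked. Names and addresses stay, since a mailing
    proof needs them to be checked.
    """
    hits = detect_pii_columns(csv_text)
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames or [], lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col, kind in hits.items():
            value = row.get(col) or ""
            if kind == "ssn" and value:
                row[col] = "***-**-" + value[-4:]
            elif kind == "dob":
                row[col] = ""
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    tier, columns = classify_job(SAMPLE_JOB_CSV)
    print(tier, sorted(columns.items()))
    print(mask_for_proof(SAMPLE_JOB_CSV))
```

Run it against a real job file by reading the file into a string and passing it to `classify_job`. The value-based checks matter more than the header checks: a customer who exports a spreadsheet with a column called "ref" that holds SSNs is exactly the case a header-only scan misses, and the false positives this approach produces (a reference number that happens to look like an SSN) are cheap compared with mishandling a restricted file.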

McKiernan adds, “PCI (payment card industry) data and ePHI (electronic protected health information) need full protection. If usernames and passwords are required to access the customer’s data, these should be secured or encrypted as well – and communicated through controlled protocols.”

Respond swiftly to a breach

While no PSP wants to grapple with the aftermath of a security breach, cyberattacks can happen even when precautions are taken. Here’s how to minimize the damage.

“The first thing a PSP needs to do is go through the process of determining if there was a breach,” said Coker. “This requires forensic investigations into the incident, and a lot of times printers do not have the internal expertise to do this. If that is the case, they should reach out to a third party to conduct the investigation.” 

Once a breach has been confirmed, McKiernan advises PSPs to take immediate action to mitigate or eliminate a continued breach. “Change credentials of the digital systems that have been hacked, and contact legal counsel on how to proceed,” she said.

And, communicate, says Schnettler. “Don’t play games. Tell your customer the truth. You may not like it. Your customer may not like it. But show them how you solved this case.”

Kiley added, “All you can do at that point is mitigate the damage and show what steps you’re taking to prevent a similar breach from happening again.”

Today’s data revolution

While embracing proven security tools and tactics is essential, McKiernan reminds PSPs that the industry is changing. In the era of Big Data, brands continue to deliver even more information into the hands of PSPs. “With the increased popularity and effectiveness of personalized variable data printing, more and more customers are trusting their printers with personal data that must be protected,” she said.

With so much data at stake today, says Coker, print buyers are also calling on PSPs to verify their security practices. “Very soon, to win or even keep contracts, a PSP will have to meet vendor assessment requirements, and will have to conduct vulnerability assessments to prove that its environment is secure,” said Coker. “A lot of printers have not had to do this before.”

Schnettler added, “Everyone thinks that more data is more effective. But, is this really true? Is it better to mail to thousands of addresses, even if most of them are not in a location to do business with you? Our concept is this: Send out less, but gain more by investing in other means of marketing like better paper, additional colors, varnish technologies, and personal URLs. It’s not always important to have more data, but to use the data you have more wisely by segmenting it either by geography or other demographics.”