Are Loyalty Programs Worth Your Personally Identifiable Information (PII)?

Are Loyalty Programs Worth Your PII?

Here’s a PII scenario you may be familiar with:

I’m in a hurry and I just entered a retail store I’ve never been in before. Instead of taking my usual approach of observing the environment, hoping to save time, I rush to find an employee who can help me find a specific item. I find a woman nearby who directs me to the item; I say thank you and head to the register.

A gentleman is standing at the register, but the woman who helped me waves him off and continues our conversation. She tries to upsell me a couple items and I politely decline.

She tries one more item and I finally say, “No, thank you. Just this,” while handing her my credit card.

“Have you shopped here before?” she asks. I say, “No.”

She then quickly follows up with, “What’s your phone number?”

That’s an odd question. Is this a pick-up line? I pause and say, “If I said I had shopped here before, what would your next question have been?”

She looks at me kindly, naively, and says, “What’s your phone number?”

Regardless of your shopping history or interest in other products, retail stores want your personal information so they can offer promotions, rewards, and coupons.

Voluntarily handing over your PII at checkout adds it to one more database that can be breached. Think carefully about what the store is actually offering, and join only those loyalty programs that provide a clearly stated benefit that YOU want. If you’re caught off guard by a request for your PII, don’t hesitate to decline.

I’ve heard some people reply, “I’m sure the hackers already have my information anyway,” or “I don’t have anything a hacker wants, so what does it matter?” It matters because part of practicing good security habits is making yourself as small a target as possible. The “why does it matter” approach to security is like taking the front door of your house off its hinges: the behavior itself creates risk.

Some things to think about:

Learn more about what companies are required to do to protect your information under PCI DSS. Keep in mind that PCI DSS is an industry standard enforced through card-network contracts, not a government regulation, and it covers cardholder data such as your card number, not the phone number or email address a loyalty program asks for.

About the Author

Paul Fletcher - Cyber Security Evangelist at Alert Logic

Paul Fletcher has over 20 years of experience in information technology and security. Prior to joining Alert Logic, Fletcher advised executives in the energy, retail, and financial sectors regarding emerging security threats and mitigation strategies. Additionally, he has worked with Fortune 50 organizations, the Department of Defense, and critical infrastructure organizations to implement risk management plans and security solution designs. His other specialties include network security, customer data integrity, application security, forensics investigation, threat intelligence, and incident response. Fletcher holds a Master of Arts and Bachelor of Science degree and is a Certified Information Systems Security Professional (CISSP).

@_PaulFletcher | Email Me | Articles: 8