This paper examines the implications of IT security for online retailers, using Zappos as a case study. It analyzes the company's multi-level IT security strategy, including SSL encryption, secure firewalls, and PCI compliance protocols. The paper also identifies potential vulnerabilities, particularly regarding social engineering risks among customer-facing employees, and emphasizes that effective IT security requires organizational culture and human resources commitment alongside technological solutions.
The implication of IT security for online retailers is fundamental to ensuring consumer confidence and trust (Streeter, 2009). Moreover, online consumers are far less forgiving of IT security failures than they were just a few years ago, based on their positive online experiences with other secure sites (Streeter, 2009). Lapses in IT security can also cause a loss of business and a diminution of consumer goodwill that has been accumulated over the years, resulting in a loss of competitive advantage (Mishra, 2009). For companies such as Zappos, where consumers' perception of the "look and feel" of their product line is limited by the online retailing experience, ensuring the security of transactions is a paramount consideration. In this regard, Mishra emphasizes that, "Unfortunately, the Internet in its current technological form is a poor service delivery medium because it lacks the capacity for direct personal interaction enjoyed by most noninternet-based services" (2009, p. 128).
When any condition adversely affects consumers' online shopping experience, it is reasonable to suggest that it will have a corresponding impact on their propensity to complete a retail transaction or to engage in repeat business. As Mishra points out, "Various researchers have reported poor perception of e-service and many blunders seem to occur because e-companies fail to deliver real added value services to the customers and to meet their expectations" (2009, p. 129). Taken together, it is also reasonable to suggest that it is vitally important for online retailers such as Zappos to have timely and effective IT security policies and procedures in effect organization-wide. These policies and procedures are essential for protecting both the organization and its customers from emerging threats in the digital marketplace.
The company employs approximately 1,500 individuals, with about one-third of these employees located in their help desk and order fulfillment centers (Looking ahead, 2014). The computer servers at Zappos.com are all protected by Secure Sockets Layer (SSL) and secure firewalls that are specifically designed to maintain the security of all digital information and to ensure its access only by authorized Internet users (Protecting your personal information, 2015). The SSL protocol is used to manage the security of data transmission on the Internet (Kanabar & Kanabar, 2009). Web pages that are prefaced with HTTPS rather than HTTP are protected by SSL (Kanabar & Kanabar, 2009).
There is a potential for social engineering to defeat these security protocols, though. Help desk and call center employees at Zappos are encouraged to be friendly, cordial, and humorous and are even advised to "be a little weird" in communicating with customers. For example, in response to an inquiry concerning the fact that the company's Trustwave seal was not operational, a company representative responded with a lengthy, personable message that included assurances about site security and offered to help the customer in multiple ways. However, this response failed to address the original question as to why the Trustwave protection was not in place. A subsequent email to this effect met with another friendly response acknowledging the oversight: "I did go to our safety page, and you are correct; Trustwave, for some reason, is not recognizing our website, despite the many articles and web searches that link us with them. I have forwarded this information on so that this may be corrected."
A recent visit to the personal protection page at Zappos reveals that the Trustwave protection seal has been removed. Nevertheless, these exchanges underscore the fact that in their zeal to fulfill their goals of being friendly, cordial, and "even a little weird," Zappos employees could unwittingly divulge proprietary information concerning the company or provide unauthorized access to other customer data. The balance between customer service excellence and security vigilance remains a critical challenge for the organization.
The company places a high priority on the effective collaboration of its teams irrespective of the format in which they meet (Zappos Family Core Values, 2015). It is therefore vitally important to ensure the security of the proprietary information that is shared between members of these teams and the teams themselves, as well as between the company's individual departments.
Zappos currently operates the following departments: Facilities (responsible for stocking the free food and beverages the company provides to all employees as well as shipping and receiving, office supplies, and maintenance); Finance, Treasury and Accounting (responsible for all financial issues, including payroll processing); Help Desk (tasked with the provision of online and telephonic customer support services); Human Resources (providing conventional human resource services, including administering employee benefit programs); Information Technology (responsible for implementing, maintaining, and upgrading the company's IT systems); and Legal (responsible for the legal aspects of doing business, including protection of the company's intellectual property) (Zappos.com Inc., 2015).
Interdepartmental communications should be protected using a secure company intranet that is not linked to the Internet. In addition, all communications and collaborations between these departments must be conducted with a view towards an organization-wide culture of IT security. This approach ensures that security is not the sole responsibility of the Information Technology department but rather a shared commitment across all organizational units.
The company is PCI compliant and encrypts all of its organizational connections using SSL technology. This is just a minimum standard, though, for companies doing business online. In this regard, Hammermaster (2010) reports that, "Payment Card Industry (or PCI) compliance is a requirement of all businesses that interact with credit or debit cards. PCI compliance ensures that your clients are up to date on the latest best practices to protect their business and their customers from card payment fraud" (p. 22).
In addition, Zappos also encrypts payment information that is transmitted within the organization. According to Zappos, "All payment information is encrypted while in storage within a network that is firewalled off from the rest of the company and the internet" (Protecting your personal information, 2015, para. 2). This type of end-to-end encryption is widely regarded as a minimum standard of protection for retailers doing business online. Hammermaster (2010) reports that, "End-to-end encryption (E2EE) starts with payment capture devices and goes all the way to the transaction being authorized. E2EE prevents the card account data from being stolen electronically, and lessens the cost and impact of becoming a PCI-compliant business" (p. 22).
Notwithstanding these protections, the organization's reliance on a Web hub for its core business means that everyone must be committed to IT security in order for these protections to be effective (Foster, 2001). As Foster emphasizes, "In the end, company owners and managers must realize that Internet security is a cultural and human resources issue that cannot be solved by technology or policy alone. Instilling a positive organizational culture is the only sure way to guarantee that your employees will be productive and that your company's goals will be met" (2001, p. 34). Although the company emphasizes that its fraud rate is lower than the industry standard, it also concedes that Zappos' IT team remains hard at work in minimizing fraudulent activity on its website.
At present, it is unclear whether the company uses SSL encryption in its online communications with other organizations, but this should be a condition of doing business with Zappos for organizations that access and process sensitive information. The company maintains business partnerships with more than one thousand brands and a wide array of supply chain partners. Transactional data is therefore exchanged with hundreds of other businesses thousands of times every day. Based on the company's meteoric success to date, it is reasonable to conclude that it has managed this aspect of IT security effectively.
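The requirement stated above, that SSL/TLS encryption be a condition of exchanging data with partners, and the earlier point that only HTTPS pages are protected by SSL, can be turned into a concrete onboarding check. The following is an added example written for this discussion; it is not code from Zappos or from any source the paper cites. The partner names and endpoint URLs are constructed sample data (note the `.test` domains), and the policy rules are assumptions about what a reasonable partner-integration standard would require: an `https` scheme, a hostname, no credentials embedded in the URL, and a client TLS context that verifies certificates and hostnames and refuses protocol versions below TLS 1.2.

```python
import ssl
from urllib.parse import urlparse

# Constructed sample inventory of partner endpoints (hypothetical names and hosts,
# not Zappos' real partners). The second entry deliberately violates the policy.
SAMPLE_PARTNER_ENDPOINTS = {
    "brand-a-inventory": "https://inventory.example-brand-a.test/api/v1/orders",
    "legacy-logistics": "http://edi.example-logistics.test/upload",
    "payments-gateway": "https://gw.example-payments.test/authorize",
}


def endpoint_policy_violations(url: str) -> list[str]:
    """Return the list of policy violations for one partner endpoint URL.

    An empty list means the endpoint satisfies the (assumed) minimum standard:
    transport is HTTPS, a hostname is present, and no credentials ride in the URL.
    """
    problems = []
    parsed = urlparse(url)
    # urlparse lower-cases the scheme, so "HTTPS://..." is accepted as well.
    if parsed.scheme != "https":
        problems.append(
            f"scheme '{parsed.scheme or '(none)'}' is not https; "
            "transactional data would cross the Internet unencrypted"
        )
    if not parsed.hostname:
        problems.append("no hostname present; certificate hostname check is impossible")
    if parsed.username or parsed.password:
        problems.append("credentials embedded in the URL; they would leak into logs")
    return problems


def audit_partner_endpoints(endpoints: dict[str, str]) -> dict[str, list[str]]:
    """Audit every partner endpoint and return violations keyed by partner name."""
    return {name: endpoint_policy_violations(url) for name, url in endpoints.items()}


def build_partner_tls_context() -> ssl.SSLContext:
    """Build the client-side TLS context used for every partner connection.

    create_default_context() already loads the system trust store and enables
    certificate verification; the explicit settings below make the policy visible
    in code and pin the minimum protocol version to TLS 1.2.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def partner_tls_settings() -> dict[str, str]:
    """Summarise the effective context settings as plain strings (for audit reports)."""
    ctx = build_partner_tls_context()
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": str(ctx.check_hostname),
        "verify_mode": ctx.verify_mode.name,
    }


if __name__ == "__main__":
    # Offline demonstration: audit the constructed inventory and print the TLS policy.
    for partner, violations in audit_partner_endpoints(SAMPLE_PARTNER_ENDPOINTS).items():
        status = "OK" if not violations else "REJECT: " + "; ".join(violations)
        print(f"{partner:18} {status}")
    print("Client TLS policy:", partner_tls_settings())
```

In practice `build_partner_tls_context()` would be passed to whatever HTTP client the integration uses (for example as the `context` argument of `http.client.HTTPSConnection`), so that a partner presenting an untrusted certificate or a downgraded protocol fails the handshake rather than silently exchanging order data in the clear. The audit function is the part that belongs in a partner onboarding checklist: it rejects the `http://` endpoint before any connection is attempted.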