
Retail is an industry in transition, as technology continues to present new avenues for consumers and businesses to make purchases—and simultaneously gives cyberattackers new opportunities to steal personal and financial data.


Few organizations experiencing this evolution compare in size and scope with the 31,000 retail locations and 634,000 employees of the U.S. Postal Service (USPS). Including online and call center sales, the Postal Service processes nearly $17 billion in credit- and debit-card transactions annually, and more than $30 billion worth of ACH payments from business customers. Keeping those transactions secure is a duty of the treasury function.


"Treasury has responsibility for managing the contracts for payment processing and the agreements with the credit-card brands," says Elizabeth Richardson, assistant treasurer for customer payments at the USPS.


Attackers could potentially target payments to initiate fraudulent transactions, steal customers' financial data, or cause reputational damage, among other goals. Treasury is intent on minimizing those risks. The USPS must also demonstrate once a year that policies, systems, and processes are compliant with the Payment Card Industry Data Security Standard (PCI DSS). To ensure that their organization is utilizing best practices in managing customers' primary account number (PAN) data, USPS treasury, IT, and security departments joined forces to form a cross-functional payments team.


"We took on PCI and security improvements as a joint project," Richardson says. "Our groups worked closely together to identify needs and ensure solutions would be effective and meet business requirements. Each of the three groups got an equal vote in the tools we would use, the money we would spend, and how we would reach the state of data security where we needed to be."


The payments team met with technology vendors to understand what security options were available. Through these meetings, they uncovered several areas with potential for improvement. One revolved around storage of PAN data.


The USPS was using encryption in storing and transmitting customer information, but maintaining a database of customer credit- and debit-card numbers was a risk. Moreover, card numbers appeared on forms in paper files stored by USPS call centers and the payment-acceptance group that receives orders through the mail. The payments team saw an opportunity to eliminate these risks by implementing "tokenization," a process by which a real, valuable piece of data—such as a card number—is replaced with a different number, a "token," that has no meaning by itself.


"Each token has the same number of digits as a credit-card number," says Jeffrey Merritt, manager of PCI compliance for the USPS. "But if someone gains access to our systems and steals financial transaction data, they cannot use the tokens as they could use credit-card information. Our goal was not to remove the safe from the office, but to take everything valuable out of the safe and replace those items with things that have no value."


The payments team issued a request for proposals (RFP), selected a vendor, and implemented a tokenization software solution. That part of the process "was pretty easy," Merritt reports. "What was more challenging was transforming the way that people work." The project would necessarily entail policy and process changes that affected functions throughout the USPS, including order fulfillment, accounting, and call centers, plus the USPS's third-party payment processors and its law-enforcement arm, the U.S. Postal Inspection Service.


Once the payments team had an end-state in mind for the tokenization project, they began selling their vision to different USPS functions. The first step in the evangelizing was to understand each affected group's business processes. "We had to understand what they were doing so that we could assure them tokenization wouldn't interfere," Richardson says. "That required a lot of communication, all the way up and down the food chain. We had to make sure our solution would meet the business needs of each group, and then we had to show them how their systems or processes would work in the new environment."


As an example, Merritt points to the process of researching disputed charges. "Perhaps someone sees two charges on their card when there should be only one," he says. "Or maybe they call and say, 'I didn't buy anything at the post office.'" Convincing the accounting team that they should be able to research discrepancies without access to the card number in question required a sales pitch. "In some large organizations, the accounting group would just say, 'We can't do that,'" Merritt speculates. "When we approached our accounting team, we assured them that we wouldn't implement anything unless they were on board. As a result, we found folks who were willing to listen to our explanation of why they didn't need credit-card numbers to research disputes or process refunds. Our accounting organization deserves a lot of credit for being open to this change."
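Tokenization as the article describes it (a token with the same number of digits as the card number but no meaning by itself) together with the token-only dispute research Merritt describes, as an added example that is not USPS's or its vendor's code: a hypothetical in-memory token vault, and a duplicate-charge lookup that never sees a card number. The rule that tokens must fail the Luhn check, and all sample values, are assumptions made here.

```python
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only place the PAN-to-token mapping exists."""
    def __init__(self):
        self._pan_to_token, self._token_to_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:        # same card -> same token,
            return self._pan_to_token[pan]   # so charges can be matched
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))  # same digit count, random
            # assumed design choice: reject Luhn-valid tokens so a leaked token can't pass as a card
            if luhn_valid(token) or token in self._token_to_pan:
                continue
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
            return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]   # payment path only; accounting never calls it

def duplicate_charges(ledger, token):
    """Dispute research on tokens alone: ids of charges repeating an earlier date+amount."""
    seen, dups = {}, []
    for rec in ledger:
        if rec["token"] != token:
            continue
        key = (rec["date"], rec["amount"])
        if key in seen:
            dups.append(rec["id"])
        seen[key] = rec["id"]
    return dups

def demo():
    vault, pan = TokenVault(), "4111111111111111"   # constructed sample; well-known test PAN
    tok = vault.tokenize(pan)
    ledger = [{"id": "A1", "token": tok, "date": "2024-01-05", "amount": "12.50"},
              {"id": "A2", "token": tok, "date": "2024-01-05", "amount": "12.50"}]
    return tok, duplicate_charges(ledger, tok)
```

Everything outside the vault (the ledger, the agent's screen, the accounting query) carries only the token, which is the "nothing valuable left in the safe" property the article describes.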


The payments team put a great deal of thought into communications and change management. "We needed to explain what was happening, when it was happening, and how people's jobs would be affected—to hundreds of thousands of employees, many of whom had been doing their job in the exact same way for decades," Merritt says. "In communicating to that many people, you have to be very precise. Each audience is different and understands messaging differently; you have to find a way to catch their attention and make the message relevant to them. So we gave a lot of thought to the ways in which we created communications for each specific group of employees."


Adds Richardson: "It was also important to recognize that different groups use different vehicles for internal communication. Some groups we met with in person. We obviously couldn't do that with the 200,000 retail associates in the field, but they have specific guides and trainings that we participated in. For each group, we discussed what they were doing in the legacy environment and then talked through how their user stories would change."


The payments team gained buy-in across the company, and the USPS tokenized all card information. Now, for e-commerce orders, the USPS's payment processor receives card numbers directly from customers when they enter their payment information into an HTML inline frame (iframe) on the USPS website. "We're no longer touching that information at all," Merritt says. When an order comes into the call center, the customer verbally provides a card number. The call center agent enters payment information into software that tokenizes it before transmitting it across the network.


Likewise, the USPS stores some customers' card information—for example, to make recurring monthly payments for a post office box. This card data is also tokenized as it is inducted into the appropriate database. The fact that card numbers are no longer stored in the database or transmitted to the payment processor has "dramatically reduced the risk profile for locations across our enterprise," Merritt says. "The payment processor is certified by the card brands, so we are confident in its data security. And we've reduced to zero the chances that a nefarious party will get access within our infrastructure to card data they can use."


After training employees organization-wide on the new tools, the payments team followed up to make sure everyone is using the technology in the way they're supposed to. The payments team continues to look for new ways to boost security. "What we did with tokenization is a major accomplishment," Merritt says, "but we have to be dynamically looking for new ways to protect our environment."


Meg Waters

Meg Waters is the editor in chief of Treasury & Risk. She is the former editor in chief of BPM Magazine and the former managing editor of Business Finance.