Lockdown Data Security – Now!

According to Automotive Management’s recent Outlook 2022 Car Dealer Survey, 68 percent of dealers now offer an end-to-end online car retail solution and 78.7 percent provide home delivery. While this trend in online retailing and remote delivery was accelerated by the pandemic, the trend was gaining ground well before we felt COVID’s full impact. A 2020 Cox Automotive study on How the Rise of ‘Digital’ is Changing Consumer and Dealer Experiences revealed that two out of every three consumers were more likely to buy a vehicle online.

This rapid growth in digital and remote sales tools certainly addresses the consumer preference to shop online for their next vehicle. However, there are potential risks, including the rise in cyber-attacks. According to the nonprofit Identity Theft Resource Center, more than half of all small businesses in the US experienced at least one security or data breach in 2021, a 17 percent increase from 2020, at an average expense of $250,000 to $500,000 per incident.

Avoiding an extremely expensive and brand-damaging data breach should be at the top of the to-do list for any business owner. But where do you start? Certainly, ensuring your internal IT department is operating with the latest software and security protocols is a requirement. But what about business partners and service providers? Could a third-party breach take them down as well?

At EFG Companies, we identified these issues and risks several years ago and embarked on a process to aggressively pursue heightened controls and protocols for our data security capabilities. In addition to our own proprietary applications, EFG integrates with close to 25 external platform and menu providers across seven business divisions. Managing and maintaining data security requirements across these myriad systems is a large task, but we take our role as a business partner seriously.

This year, we achieved two critical data security milestones: 

• Recertification with the Service Organization Control 2 (SOC 2) under the Statement on Standards for Attestation Engagements 18 (SSAE 18) guidelines from the American Institute of Certified Public Accountants (AICPA)

• Certification by the Payment Card Industry Security Standards Council (PCI SSC) as PCI Data Security Standard (DSS) compliant

SSAE 18 certification is the most widely recognized information security standard, ensuring through an intensive audit that all connections and processes are in place to protect personal and confidential information. SOC 2 reports evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy. In 2016, EFG was the first F&I provider to achieve SSAE 16 certification, the previous version issued by the AICPA, the body that establishes CPA auditing standards.

PCI Data Security Standards (PCI DSS) protect payment account data for merchants, service providers, and financial institutions throughout the payment lifecycle, removing the incentive for criminals to steal it. Specifically, PCI DSS contains a set of requirements based on collaboration between major card brands including American Express, Discover, Mastercard and Visa, to prevent payment data breaches and payment card fraud. Companies achieving certification deliver a higher standard of security for personal confidential information and compliance with federal, state, and local regulatory requirements.

These certifications are important tools that our clients rely upon to establish the most secure, efficient business processes. Do your business partners and service providers offer the same level of security? Maybe it’s time to ask!

Matthew Moon, CISSP

IT Security Consultant at Coalfire

2y

If you need a new QSA company I might know of one. They do SOC 2 as well.
