Risk
8/14/2013
01:28 PM
Kevin Casey
Kevin Casey
Commentary
50%
50%

How One SMB Manages Customer Identity Data

Armed Forces Eyewear sells discounted gear to military personnel and their families. Here's why you won't hear customers grumble about their personal data and online privacy.

Some customers don't mind if you run a behind-the-scenes check on their personal information. It helps if you're giving them a nice price break as a result.

In a sense, Armed Forces Eyewear has it easy when it comes to handling customer data. The online retailer's customers, primarily military personnel and their families, rarely grumble about verifying their identities -- especially if their military status earns them a discount or other benefits.

AF Eyewear, a division of Frames Direct, sells eyewear at up to 30% off retail price -- but only to active-duty military personnel, reservists, and their family members. The site recently expanded its eligible customer base to include veterans and first responders such as police and firefighters. Transactions are completed only after a back-end database check -- and in some cases an extra paperwork request -- verifies that the customer is who they say they are. In an age when a Facebook privacy tweak causes minor mayhem online, AF Eyewear's shoppers don't seem to mind the process.

"We haven't gotten a lot of negative [privacy-related] feedback," said marketing manager Lauren Purcell in an interview. Purcell, whose spouse serves in the military, noted that it's long been common for military families to show extra identification when shopping offline if it gets them special pricing and other perks. That habit has translated for online shopping and other Internet use. "It's kind of an accepted practice in the military world: If you're going to get a discount, you've got to step up to the plate and prove it. Most people don't have a problem with that."

[ New technology can thrive even in old-fashioned businesses. Read How To Innovate In A Low-Tech Industry. ]

It's a sunnier side of the often stormy environment of online privacy, consumer data breaches, social media scams and other information security matters.

Military culture and a good deal on a pair of Ray-Bans or Oakleys aren't the only factors that keep customer privacy concerns to a minimum at AF Eyewear. The company doesn't use more than the customer's name and date of birth to verify current and former military status. According to Purcell, this is a welcome change from the not-so-distant days when military ID cards included social security numbers in plain view.

Most shoppers probably don't even notice the verification process, which checks customer information against government databases, as it happens. AF Eyewear once partnered with the online arm of the Army & Air Force Exchange Service to authenticate military status. It recently began using the SheerID verification service, in part so it could broaden its audience to include veterans and first responders. The latter group, which includes law enforcement and other emergency personnel, must complete additional paperwork at the time of purchase. That can take as long as 30 minutes, a lifetime relative to the one-click shopping expectations fostered by Amazon Prime and similar online services. Even then, though, Purcell said AF Eyewear customers don't seem to mind.

AF Eyewear doesn't store any sensitive customer data, another asset in managing privacy concerns. The company's decision to expand its customer eligibility rules and corresponding verification process was a major requirement in its build-versus-buy decision. "That was our biggest issue if we were going to develop something in-house," Purcell said. "We didn't want to [store] that information."

As with most e-commerce sites, fraud and other security matters are top of mind. Purcell credits FramesDirect, AF Eyewear's 60-person parent company, for strong fraud prevention protocols. But the military ID check itself keeps scammers at bay.

"With AF Eyewear, we don't experience much fraud because we are going through that validation process," Purcell said. "We've had a few cases here and there, but it's not as prevalent as it is in our FramesDirect.com site [which sells to the general public]."

It also helps that AF Eyewear doesn't ship internationally; that alone slashes fraud dramatically. When its customers are deployed overseas, they typically use an APO address via the military mail system.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/15/2013 | 11:11:09 PM
re: How One SMB Manages Customer Identity Data
How do you think this translates to more-general audience? As you note, military families may be more open to showing ID.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.