Companies that handle the personal information of their customers are always going to be attractive targets for hackers, and consumers are becoming fed up with e-mails warning that their data may be in the hands of strangers due to security breaches. DRM-free gaming digital distribution service GOG.com is trying to fight this by keeping the minimum amount of information about its customers on the servers. This approach means that customers have to input their information every time they want to make a purchase, but a survey the company sent to its customers showed gamers are willing to put up with longer checkout times if it means their data is safe.

We caught up with Trevor Longino, the head of marketing at GOG, to ask about this approach, and why a little inconvenience is the right decision.

This is not a new policy

Longino stressed that this policy isn't new, but the company wanted to revisit the issue due to the recent spate of sites getting hacked and the risk of personal information making it out to the wild. "We decided to talk to our consumers about financial data and personal information initially after the PSN security breaches happened. After a few months' prep, we created a user survey on GOG.com where we asked our user base a number of questions, including two that related to personal information security." The company wanted to find out if customers would rather have a simpler checkout system with stored credit card information and other personal details, a system that would benefit GOG by making it easier to buy games on impulse.

They received 18,768 responses to the survey, and the results were clear: 85 percent of respondents were happy with the checkout system, and 68 percent said they would rather GOG.com not even have the option of storing personal information. After reading through the comments, the company found that not one customer asked for a one-click system for GOG.com. There is a bit of a selection bias with these results, but the customers spoke loud and clear against a simple, but less-secure checkout system.

So what information is kept? According to Longino, their system only keeps account names, passwords, and e-mail addresses. "We keep our users' passwords encrypted more than once and stored securely, but the way we keep their financial information is even more secure than their passwords because we don't have it," he explained to Ars. "You can't steal data that we don't have, after all."

This is in contrast to most other online storefronts that seek to make buying content as simple as possible. After all, putting in payment information is a lengthy step to go through every time you'd like to purchase from a store. Longino said a one-click solution may lead to fewer abandoned carts, but with the customers speaking out so clearly against personal data being collected, he says there are no plans to begin collecting that information.

"As a marketer, I understand the kind of desire that companies may have to store that data. But as history shows us, it is easier to find exploits and get into company databases than we'd like," Longino said. "The people who designed the networks at Steam and at PSN are all very smart, they're all experts in their fields; but when you design very large systems, they're full of moving parts and sometimes gaps emerge in your protection from hacks."

The trick is to ignore the temptation of a simpler checkout process and eat a few lost sales in order to give the customers what they want. Longino said that the company is doing everything it can for security, but the goal is to make sure that even if the site's security was compromised, very little could be taken.

This isn't a change, it merely reinforces the strategy of having a less-convenient but more secure checkout policy at GOG, and the company now has data showing the customers support this approach. "I wouldn't really call this an ongoing experiment on our part. We asked our users if we should experiment with a change from our current policy, and the answer was clear," Longino said. "Unless we find a very strong reason why we should change this policy, I imagine it will remain. The interesting data that other digital retailers may want to take from this is whether they should try this experiment for themselves."