In-Store Mobility: Secure and Safe, with Plenty of Upside

Wireless connections in the store are altering the way we shop — a trend that will continue as retailers and apparel brands successfully deploy in-store mobile POS technology in their brick-and-mortar locations. But recent data breaches at some high profile retailers have raised questions about the security of in-store mobile technology: What do these breaches mean for mobile POS? Should retailers wait before deploying mobile solutions? How can retailers make their mobile implementations more secure for their customers’ and their own data?

Transaction security has grabbed headlines (but mobile hasn’t been part of the story)
First, it’s important to note that the retail security breaches that have garnered so much media attention haven’t involved mobile POS solutions — but they have raised questions about mobile security. For many shoppers, mobile POS is a new way to complete a transaction. If a shopper is already concerned about transaction security, the prospect of a completely new and unfamiliar way to pay may amplify those concerns. The same may be true for the retailer considering a mobile POS deployment.

The fact is, though, mobile POS can be as safe as any other transaction technology. Each day, shoppers and retailers complete thousands of secure transactions on mobile devices. Those success stories may not grab the headlines, but they are evidence of a growing retail trend. A recent RIS/Gartner study [1] identified a sharp uptick in retailers’ mobile adoption, with a 70 percent increase in the number of retailers who plan to add store-level mobile.

Growing momentum toward a more mobile retail experience
One of the likely reasons behind this growing momentum is the flexibility mobile technology provides retailers. It frees associates to provide a more personalized and compelling experience by engaging with customers anywhere in the store, closing transactions on the spot. In this new paradigm, stores become a place to connect with customers — and not just a place to showcase merchandise. Retailers who choose to wait for mobile POS deployment due to security concerns risk losing market share to those who already have a running start.

Some mobile security best practices
So what can retailers do to make sure that mobile transactions are as safe as other methods of payment? The basics include:
  • Encrypt card data at swipe – Sensitive customer and card data often moves through a network before it is encrypted. Retailers should explore ways to encrypt data at the point of swipe — before it advances through the network — to limit malicious access.
  • Secure the wireless network – It should go without saying that a secure wireless network is the starting point of secure mobile POS. In other words, the network for your mobile POS devices shouldn’t be the same network you use to offer shoppers free Wi-Fi.
  • Implement point-to-point encryption AND/OR tokenization – Tokenization and encryption are distinct but similar tactics for protecting sensitive data, and the debate continues as to which offers retailers the best combination of security and viability. In fact, some industry experts and solution providers offer a hybrid approach that combines both methods.
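As an added illustration of the distinction the last two bullets draw (this is example code, not code from the article or from Starmount), the Python below places a P2PE-style encrypt-at-swipe path beside a tokenization vault and runs a cleartext-PAN scan over each version of the same sale as it would cross the store network. The key, the sample PAN, the JSON message layout, the Luhn-failing token format and the HMAC-based stream cipher used in place of the card reader's hardware AES are all assumptions of the example, chosen so it runs on the standard library alone.

```python
"""Added example (not from the article): encrypt-at-swipe and tokenization
side by side, plus the check a retailer can run on what actually crosses
the store network. Key management, a PCI P2PE requirement in its own
right, is reduced here to one constant held by the decryption environment.
"""
import base64
import hashlib
import hmac
import json
import re
import secrets

# Constructed sample values: a standard test PAN (passes Luhn) and a
# constructed key that only the decryption environment would hold.
SAMPLE_PAN = "4111111111111111"
DECRYPT_ENV_KEY = hashlib.sha256(b"constructed-demo-key-do-not-use").digest()


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, the same test DLP scanners apply to PANs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_cleartext_pans(payload: str) -> list:
    """Return digit runs of card-number length that also pass Luhn."""
    return [run for run in _PAN_RUN.findall(payload) if luhn_ok(run)]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for the reader's AES.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_at_swipe(key: bytes, pan: str) -> dict:
    """What the reader emits: nonce, ciphertext and an integrity tag, never the PAN."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {name: base64.b64encode(val).decode()
            for name, val in (("nonce", nonce), ("ct", ct), ("tag", tag))}


def decrypt_in_secure_env(key: bytes, blob: dict) -> str:
    """Only the P2PE decryption environment holds the key; verify the tag first."""
    nonce, ct, tag = (base64.b64decode(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext or nonce was altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class TokenVault:
    """Tokenization: a random surrogate that maps back to the PAN only inside the vault."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        # Format-preserving: same length and same last four for receipts, but
        # built to fail Luhn so a scanner never mistakes it for a real PAN.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._by_token:
                self._by_token[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def build_messages(pan: str, vault: TokenVault) -> dict:
    """Three versions of the same sale as they would cross the store network (constructed)."""
    raw = {"amount": "19.99", "pan": pan}
    p2pe = {"amount": "19.99", "card": encrypt_at_swipe(DECRYPT_ENV_KEY, pan)}
    tokenized = {"amount": "19.99", "token": vault.tokenize(pan)}
    return {name: json.dumps(msg)
            for name, msg in (("raw", raw), ("p2pe", p2pe), ("tokenized", tokenized))}


if __name__ == "__main__":
    for name, wire in build_messages(SAMPLE_PAN, TokenVault()).items():
        print(f"{name:9s} cleartext PANs on the wire: {find_cleartext_pans(wire)}")
```

The scan is the part worth keeping: run `find_cleartext_pans` over captured POS traffic or application logs and a PAN that escaped the reader unencrypted shows up immediately, whereas both the encrypted blob and the token come back clean. The two approaches differ in where the secret lives: the encrypted blob is recoverable by anyone who obtains the key, so the key belongs only in the decryption environment; the token is recoverable only by the vault, which is why it is the safer value to hand to loyalty, returns and reporting systems.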
The PCI Security Standards Council has published an FAQ [2] regarding point-to-point encryption, and stipulates that a PCI Point-to-Point Encryption (P2PE) solution must include all of the following:
  • Secure encryption of payment card data at the point of interaction
  • P2PE-validated application(s) at the point of interaction
  • Secure management of encryption and decryption devices
  • Management of the decryption environment and all decrypted account data
  • Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.
A recent EKN research report [3] outlines some additional guidelines retailers should consider for their own mobile security policies:
  • Establish the minimum security baseline any device must meet to be used on the corporate network, including Wi-Fi security, VPN access, and add-on software to protect against malware.
  • Protect data and prevent loss via data encryption and containerization of corporate data; or a virtual desktop infrastructure (VDI) application to allow access to sensitive or confidential data without storing the data on the device.
  • Enable visibility of all the devices used by an employee on the corporate network and beyond.
  • Use a hybrid approach for application management that includes using native mode (local data on device, offline possible, native device experience) for many standard business applications and virtual mode (no local data on device, connectivity required, maximum security) for a subset of applications with stricter confidentiality or sensitive data requirements.

Mobile is here to stay for retailers – with good reason
The takeaway here is that security isn’t new territory in the mobile arena. The guidelines and solutions for secure in-store mobile technology are available, proven, and retail-hardened — and they’re continuing to evolve. With the advancement of mobile selling technologies and revised safeguards dictated by PCI DSS over the past three years, it’s safe to say the industry has successfully created a competitive market of available, secure mobile POS hardware, software, and implementation methods to choose from.

Retailers, merchants and shoppers all face a more mobile future as the omnichannel paradigm transforms the retail experience to make stores more relevant to consumers, which should be welcome news to every retailer.

[1] RIS Retail Technology Study 2014
[2] Payment Card Industry (PCI) Point-to-Point Encryption: Frequently Asked Questions for PCI Point-to-Point Encryption, August 2012
[3] State of the Industry Research Series: Mobility in Retail, EKN Research 2014

Gregory Davis is vice president of product management for Starmount Inc.