By Michael Kiss, Verizon Business global security consultant
Business boundaries are no longer defined in terms of physical space. The increasingly ‘extended’ enterprise has introduced new security concerns. Retailers are opening their networks and data to partners, suppliers and mobile workers, rather than containing information and securing the perimeter. The objective behind this new business model is flexibility and agility – and eventually, competitive advantage. This openness presents new risks and a greater need both to understand where vulnerabilities lie and to develop strategies that secure sensitive data and identities and retain customer confidence.
As always, the protection of client data is critical to the success and reputation of any merchant that is capturing and transmitting data to complete a transaction. Faced with an always-on communications environment, led by affordable mobile devices such as mobile phones, smartphones and tablet PCs, the usage of mobile commerce is on the increase. The power to purchase goods and services over a mobile device extends the potential revenue of a retail store further than merchants could have imagined even as few as five years ago. But with this new brand power comes increased responsibility — for all parties involved.
Too many consumers take for granted that any application downloaded or pushed to their mobile device ‘must be safe’. They forget that the device is just as vulnerable to threats as an unprotected computer on the Internet. Applications that promise ‘faster online check-outs’ can just as quickly expose both consumers and retailers to new threats. Importantly, a device is not secure unless it is kept secure. For consumers, loading credit card numbers, PINs and passwords onto one device saves time, but not using a password to lock or disable the device is similar to writing all of this sensitive data on a note and displaying it for all to see. Quite literally – lose the device; lose the data.
Security is everyone’s responsibility
Security must be considered as an essential requirement, from the beginning of the development and deployment of any application or mobile tool, then throughout the lifecycle of the storage and transmission of sensitive data. It is not just something to be implemented after an application has been released and data subsequently compromised. Mastercard Worldwide estimates that millions of dollars are lost each year due to fraudulent use of payment cards, highlighting the severity of this issue.
For software developers and device manufacturers, building security into these consumer solutions and devices is critical. For merchants, the growth of web-enabled devices has provided an opportunity to tap into further revenue streams – to a large degree, driven by mobile commerce. Consumers are now used to an always-on-demand environment and are using mobile technologies to make the shopping experience easier. However, they nonetheless still expect the same level of interaction and consistency in the customer experience that they receive from retailers, regardless of their chosen channel.
Always-on communications need always-on security
Developing a secure mobile commerce strategy is critical to offering consumers an enhanced mobile web experience in the rapidly evolving mobile payment landscape. This also offers the retail industry a challenge to prove that it can govern and regulate itself to truly protect consumers.
Collectively, industry experts from the wireless carriers, device manufacturers, and key groups including NRF, ARTS, RILA and the PCI Security Standards Council could (and should) work together to improve security for mobile devices. So much is at stake for all parties involved; the speed of technology could outpace the safeguards put in place to protect the new payment landscape. It is therefore important that manufacturers of mobile payment acceptance solutions and merchants understand their responsibilities, taking the necessary precautions to keep cardholder and sensitive account data secure, by making security a top priority.
Individually, by aligning with an experienced security vendor, such as Verizon Business, retail organisations, their partners and suppliers can put measures in place to help protect revenue, brand credibility and reputation. By achieving PCI-DSS compliance, locking down their networks and having a business continuity plan in place, organisations can help ensure that their customers’ data as well as their own sensitive information is secure however it is accessed, stored or transmitted.