As retailers adopt omnichannel strategies to personalize the shopping experience, protecting customer information has become increasingly critical and complex. The benefits of effectively leveraging digital, mobile and IoT platforms are immense, but retailers must also assess their security posture, their risk tolerance and make appropriate investments in securing customer data.
In addition to adhering to the Payment Card Industry Data Security Standard (PCI DSS), a set of policies and procedures designed to optimize the security of card transactions, it’s crucial for retailers to recognize the many and various entry points attackers can use to commit fraud, including those that might not be immediately considered. For example, a loyalty program may not require collection of payment details, but personally identifiable information (PII) associated with the program – including names, emails or passwords – present an attractive target to hackers. POS systems are another target, as are certain components of in-store infrastructure, including on-premise Wi-Fi and access points that plug into the Ethernet and could potentially be compromised by someone with a laptop.
Retailers must think about how data is transmitted and stored, as it’s essential that they protect applications that touch customer information at any level.
Responsibility of Technology Vendors
A sound retail security strategy starts with the right technology platforms. Retailers must make sure they’re working with technology vendors who have a clear understanding of the core security components of the retail business. Although it doesn’t always happen, it’s critical that those who provide retailers with their customer-facing technology platforms perform security assessments on them before they’re shipped out to ensure vulnerability risks are reduced. Vendors should make sure the platform doesn’t plug into other systems unnecessarily, and that data such as names, addresses or phone numbers isn’t left unencrypted.
There are also many access points to retail technology networks that hackers can potentially tap into, including in-store Wi-Fi. Retailers must ascertain whether it’s possible for outsiders, such as vendors, to retain access to their network, and must work out how to protect themselves against this outside access, such as by implementing strong two-factor authentication.
Managing Customer Data
In terms of customer reach, retailers are constantly trying to attract new customers and retain existing ones. To provide shoppers with more relevant information, many retailers have put a huge effort into trying to acquire more detailed customer data to better understand their demographics. Protecting this information through encryption and strong access controls is essential.
Another headache for retailers is disposing of customer data once it’s no longer useful. Retailers must have a data retention policy, as well as the right security mechanisms, in place to ensure that the data has been successfully removed, because there’s a risk to the business if this information is backed up and not completely wiped from the system.
Mobile POS and Mobile Payments
Mobility is another huge factor impacting the retail security landscape – with the increased use of mobile devices by retailers as point of sale terminals, and by consumers to make mobile payments.
Mobile POS systems make it easier for associates to perform transactions in a wide range of situations. Newer systems will also accept transactions using EMV chip cards, ensuring retailers comply with the new mandate. But in adopting mobile POS terminals, retailers must also put measures in place to ensure the security of the the new platform and the mobile device itself. Device management tools that allow granular customization or data separation can help to address these risks.
Mobile payments hold great promise in terms of security, since users must present their phones and provide a secure challenge and response to make a payment. This opens up opportunities to leverage advanced biometric authentication technology, such as fingerprint or iris scanners on the device. With technology like Samsung Pay, customers can make transactions via NFC, as well as through terminals with magnetic-stripe readers, simply holding their phone to the terminal and authenticating.
For security, Samsung Pay’s system architecture features several key elements to protect transaction information from being compromised by malware, hackers or a data breach. Most significantly, payment tokenization technology masks card numbers, ensuring that actual card information is not made available to merchants as part of the transaction. Only tokens are stored on the device – no credit card details.
Though still a relatively new technology, mobile payments are available at some 90 million merchants around the world, and growth is steady. There are already 350 or so banks where customers can leverage their credit or debit card on Samsung Pay.
Due to the multiple consumer touch points, networks and communication mechanisms that could introduce a security vulnerability, the retail sector is becoming a major target for attackers. The benefits of adopting these new mobile-first technologies are significant, but the groundwork must be done to protect sensitive customer information and the retailers’ own reputation.
Learn more about how to provide your customers with a convenient and secure POS experience by visiting our mPOS solutions page.