Secure payment card technology at the point of sale and strong authentication are effective defences against data security threats
Data security is one of the top concerns for a retailer’s reputation and its customers’ privacy. The fall-out from a breach can be catastrophic, and organisations must understand the threat and take all necessary steps to protect their assets and customers. The challenge has become more complex with the explosive growth in mobile device usage throughout the retail enterprise and on the store floor, including notebooks, tablets and smartphones, all of which widen the attack surface exposed to ever-evolving threats.
An effective defence against these threats requires numerous elements, including more secure payment card technology at the point of sale (POS), strong authentication that balances security with a convenient user experience, and a layered security strategy in the enterprise IT infrastructure that ensures appropriate risk mitigation levels when and where required.
Securing retail payment operations – magstripe vs. EMV cards
In its 2015 Global State of Information Security Survey (GSISS), consulting firm PwC reported that “... assaults on major retailers reached epic levels in the past year, resulting in the theft of hundreds of millions of customer payment card records, a rash of litigation, and a rush to adopt a new payment card standard in the U.S.”
There are numerous threats to large retail payment operations. One of the most glaring is the use of magstripe payment cards at the point of sale. A magstripe carries a static card-verification value (CVV) that is easily intercepted by malware-infected POS systems and written onto a cloned card with a cheap reader/writer. In contrast, Europay Mastercard Visa (EMV) cards store all payment information in a secure chip, use issuer-specific personalisation keys, and authenticate using cryptographic standards. They also replace the magstripe’s static CVV with a dynamic security code that changes per transaction, so a captured value cannot be used to create a counterfeit card. Already widely adopted around the world, EMV cards are now making their way to the U.S.
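The static-versus-dynamic contrast above, as an added illustration that is not code from the original article: a magstripe check accepts the same CVV forever, while a simplified EMV-style issuer verifies a per-transaction cryptogram and tracks the card’s transaction counter (ATC), so a cryptogram captured at an infected POS is rejected on replay. The key, PAN, CVV and MAC construction are constructed for the demo and are not the EMV specification’s actual key derivation or cryptogram algorithm.

```python
import hmac
import hashlib

# Constructed sample card (not real card data, not EMV's real algorithm).
PAN = "4000123412341234"
STATIC_CVV = "123"                                  # encoded once on the stripe
CARD_KEY = b"per-card issuer key (constructed)"     # personalised into the chip


def magstripe_authorise(pan: str, cvv: str) -> bool:
    """Static check: anyone who ever read the stripe can answer it forever."""
    return pan == PAN and cvv == STATIC_CVV


def chip_cryptogram(atc: int, amount: int) -> str:
    """What the chip computes at the POS: a MAC over transaction data + ATC,
    so the value is bound to this one transaction."""
    msg = f"{PAN}|{atc}|{amount}".encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Simplified issuer host: verifies the cryptogram and enforces a strictly
    increasing ATC so a captured cryptogram cannot be replayed or reused."""

    def __init__(self) -> None:
        self.last_atc = 0

    def authorise(self, pan: str, atc: int, amount: int, cryptogram: str) -> bool:
        if pan != PAN or atc <= self.last_atc:     # stale or replayed counter
            return False
        expected = chip_cryptogram(atc, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False                            # wrong key or altered data
        self.last_atc = atc
        return True


def demo():
    """Replay what POS malware captured against both schemes."""
    stripe_replay_ok = magstripe_authorise(PAN, STATIC_CVV)  # clone works
    issuer = Issuer()
    first = issuer.authorise(PAN, 1, 2500, chip_cryptogram(1, 2500))
    replay = issuer.authorise(PAN, 1, 2500, chip_cryptogram(1, 2500))  # same again
    forged = issuer.authorise(PAN, 2, 9900, chip_cryptogram(1, 2500))  # old MAC, new txn
    return stripe_replay_ok, first, replay, forged
```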
Multi-factor authentication systems for data security
Moving deeper into enterprise operations, another big security risk arises from reliance on simple passwords. When attackers steal an employee’s user name and password, they can often move through the network undetected and upload malware to a retailer’s POS system, where it has been relatively easy to capture card data and create cloned payment cards. Organisations should protect systems and data through strong authentication that relies on more than just something the user knows (a password). There should be at least one other authentication factor, such as something the user has (e.g., a computer logon token) and/or something the user is (e.g., a biometric or behaviour-metric solution).
Layered IT security strategy for real-time threat detection
Retailers also expose themselves to risk when they don’t employ a layered IT security strategy. Best practices start with authenticating the user, then authenticating the device, protecting the browser and application, and finally authenticating the transaction with pattern-based intelligence for sensitive transactions. Implementing these layers requires an integrated, versatile authentication platform with real-time threat detection capabilities. This platform, combined with an anti-virus solution, provides the highest possible security against today’s threats.
To make this strategy work, however, user authentication must not only move beyond passwords, it must also be as convenient as possible while simultaneously addressing the threats posed by mobile devices. Now, with the advent of a mobile “tap-in” strong authentication model, retailers can solve the mobile security challenge while providing a faster, more seamless and more convenient authentication experience than is possible with dedicated hardware tokens, one-time passwords (OTPs), display cards and other physical devices.
Maximising retail security with policies & best practices for mobile device usage
Mobile devices have become one of the most dangerous security assault vectors. HID Global recently released a study it commissioned on the increased security risks of escalating mobility usage. In this survey of 140 registered members of the TechTarget Web communities for IT professionals, 87 percent said they have Bring Your Own Device (BYOD) policies, but only 54 percent said this policy is formalised, with the rest using an ad hoc mix of user-driven practices and a loose collaboration between users and the IT team. Seven in 10 respondents in HID Global’s survey said increased mobile use by employees and customers significantly or moderately raised their risk profile. It was noted that many users brought jailbroken phones into the workplace, leaving IT staff struggling to ensure that security best practices are in place, or perhaps any security at all.
These issues are echoed in the PwC GSISS survey, which found that 29 percent of retailers experienced security threats as a result of mobile devices, but only 51 percent have a dedicated mobile security strategy in place. The report said this challenge is further compounded by the jump in BYOD policies which, if unmonitored, pose further threats to corporate networks.
It is critical, then, that mobile devices be used in a secure manner, which can only happen if security does not preclude a convenient user experience. Mobile users seek to maximise their productivity wherever they are, and this is especially true on a busy retail floor. Any security procedure that hampers this productivity makes mobility less useful or, worse, might be bypassed, leading to dangerous security exposure.
Effective retail security solution - tap-in authentication
This all changes with the tap-in authentication model. With tap-in authentication, retailers improve service and enhance security by enabling sales staff and other employees to access the information they need by tapping a smart card to their laptop, tablet, smartphone or other Near Field Communications (NFC)-based mobile device. With this approach, users can access everything from inventory control to payment systems, directly from the store floor, all with a simple tap of their ID card.
Tap-in authentication makes it easier for retail and other organisations to secure corporate cloud applications, data and servers without having to issue passwords or tokens every time someone needs to access the network. At the same time, the user experience is also improved – employees can get the information they need from the mobile device of their choice, using the same smart card that opens doors.
Using tap-in authentication is a simple, three-step process. First, open a browser on the device and type the URL of the desired application. Next, enter a corporate username and password. Finally, tap the access control card to the back of the mobile device or tablet to provide the second authentication factor. Once the card has been tapped to one of these devices to authenticate to a network, the one-time password (OTP) produced by that tap is no longer usable, so it cannot be replayed. There are no additional tokens to deploy and manage, and users have only one item to carry, their smart card, and no longer need to remember or type a complex password.
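The three-step flow above, modelled end to end as an added example (not HID Global’s protocol or code): step two checks the password, step three verifies the value the tapped card returns over NFC, and the server consumes the challenge behind that value so the same OTP cannot be presented twice. The user name, password, card secret and the HMAC challenge-response used for the tap are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo user and card; not real credentials or key material.
USER = "clerk42"
PW_SALT = os.urandom(16)
PW_HASH = hashlib.pbkdf2_hmac("sha256", b"store-floor-pw", PW_SALT, 100_000)
CARD_SECRET = os.urandom(32)   # assumed to be provisioned into the NFC card


def card_tap(challenge: bytes) -> str:
    """Simulates the card answering the phone/tablet over NFC: a MAC over a
    server-issued challenge, so the OTP is bound to this one login attempt."""
    return hmac.new(CARD_SECRET, challenge, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self) -> None:
        self.pending = {}          # session id -> outstanding challenge
        self.logged_in = set()

    def step2_password(self, username: str, password: str):
        """Step 2: first factor. Returns (session id, challenge) only when the
        password is right; the same failure result hides whether the user exists."""
        if username != USER:
            return None
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), PW_SALT, 100_000)
        if not hmac.compare_digest(h, PW_HASH):
            return None
        sid, challenge = secrets.token_hex(8), os.urandom(16)
        self.pending[sid] = challenge
        return sid, challenge

    def step3_tap(self, sid: str, otp: str) -> bool:
        """Step 3: second factor. The challenge is removed on the first attempt,
        right or wrong, so a captured OTP is no longer usable afterwards."""
        challenge = self.pending.pop(sid, None)
        if challenge is None:
            return False
        ok = hmac.compare_digest(card_tap(challenge), otp)
        if ok:
            self.logged_in.add(sid)
        return ok


def demo():
    """Wrong password, then a good login, then a replay of the same OTP."""
    srv = AuthServer()
    bad_pw = srv.step2_password(USER, "wrong")
    sid, challenge = srv.step2_password(USER, "store-floor-pw")
    otp = card_tap(challenge)                  # user taps card to the device
    first, replay = srv.step3_tap(sid, otp), srv.step3_tap(sid, otp)
    return bad_pw, first, replay
```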
Retailers will continue to face increasing security challenges. The solution is a combination of more secure payment card technology, a layered enterprise security strategy, and secure user authentication solutions that embrace the convenience of mobility while eliminating its threats. With the latest tap-in authentication solutions, the same card or badge that opens doors for authorised users can be tapped to the mobile device of their choice for secure access to cloud applications, data and web services, without having to remember or type in passwords or codes.