
Best practices for securing your online retail presence

Author: Carole Murphy
Title: Director
Organisation: Voltage Security
Issue: Asia-Pacific I 2014
Article no.: 12
Topic: Best practices for securing your online retail presence

About author

Carole Murphy currently serves as a Director for Voltage Security, where she is responsible for developing market strategy for the SecureData product line and related solutions, including go-to-market planning, product communication, product positioning and market awareness.

Prior to joining Voltage, she was the director of product marketing for the entertainment business unit at Rovi Corporation (formerly Macrovision), delivering content protection solutions to major independent film studios while leading the brand and web marketing team. She has over 25 years of experience in product marketing and market intelligence, spanning the security, networking and IT service management industries.

Carole Murphy holds a Bachelor of Science degree in Commerce, majoring in Business, from the University of Santa Clara, Santa Clara, CA.

Article abstract

Rising mobile commerce provides new marketing channels but, if the data behind it is breached, can do disastrous damage to brands and consumer trust. Capacity on tap in the Cloud helps with peaky transaction volumes, but the confidential data flowing in and out of the company must be protected wherever it goes; securing only the data that sits in the Cloud is not enough. Data-centric protection that is controlled from on-premises systems covers the end-to-end process, protecting data in transit as well as ‘at rest’. It also lets the retailer keep the check-out process in-house, so full purchasing analytics can be produced to support the brand. Look for stateless tokenization and stateless key management to protect identity and card details without accumulating large token databases or a proliferation of point security solutions.

Full Article

Retailers know that e-commerce drives revenue growth by extending the reach of the business to buyers anytime and anywhere. At first it was thought that smartphones and tablets (m-commerce, a subset of e-commerce) would only hurt in-store sales through behaviours such as ‘showrooming’, where shoppers visit a local store, find the merchandise they want, and then use a smartphone to buy the same item elsewhere at a lower price. The most recent studies turn this idea on its head: they quantify not only purchases made directly on mobile devices, but also the purchasing behaviours that influence in-store sales.
A report on “How In-Store Shoppers are Using Mobile Devices” presents the results of a 2013 study performed in conjunction with The Google Shopper Marketing Agency Council and M/A/R/C Research. Its examination of consumer buying behaviour found that “smartphone users buy more in brick and mortar stores than shoppers who don’t use mobile devices”. Furthermore, over the next three to four years the compound annual growth rate (CAGR) of direct mobile purchases is projected to be double that of e-commerce sales overall. eMarketer estimates that “by 2017 m-commerce sales are expected to…reach over US$113 billion which would be a CAGR of 28%”. The bottom line is that, with growth in both the mobile influence factor and mobile payments, m-commerce and e-commerce are imperatives for retailers.
Retailers’ business goals are to harness disruptive technologies to transform the business, meet consumer expectations for information and inventory, deliver the best consumer experience through and beyond the point of purchase, and capitalize on the immediacy of m-commerce and e-commerce to capture sales anywhere, anytime, and in-store.
IT must enable the goals of the business. E-commerce and m-commerce are critical channels for revenue, and they are also ways to enhance the brand and build customer loyalty. For IT, that means maintaining security and compliance effectively, since the very same channels can lead to the immediate, even catastrophic, undoing of brand value and consumer trust. The top IT challenges are to secure consumer data, maintain compliance with security and privacy regulations, and provide buyer behaviour data back to the business.
On the security side, cybercriminals have become highly adept at thwarting existing IT defences and exploiting any weak link in the payments ecosystem. Advanced Persistent Threats (APTs) are increasing, and recent breaches have put a spotlight on the growth of Card Not Present (CNP) fraud and hacking. Conventional data protection solutions protect sensitive corporate and customer data ‘at rest’ in databases, but not while it is in transit or while it is ‘consumed’ and analyzed. These conventional, ‘container-based’ solutions tend to proliferate as point solutions, which adds IT management and maintenance cost, and they ignore the reality of how business operates today.
With trends like m-commerce, Big Data and cloud computing, the traditional walls of the IT environment are falling. Data moves inside and outside the business, which needs ever more access to it for analytics and customer insight. Point solutions are problematic because each one protects a single container and quickly becomes a short-term fix. IT needs a way to protect sensitive data that can still be consumed, not merely stored in a container: protection that is data-centric and travels with the data.
Transport security such as SSL/TLS only protects consumer data while it is ‘in the pipe’ between the browser and the server that terminates the connection. Once the connection is decrypted at the load balancer or web tier, the credit card number is in the clear as it passes through the web and application tiers and on into upstream IT systems and networks, and it sits in the clear in every log, queue and database it touches along the way. With the increasing sophistication of cybercriminals, IT must find ways to close these gaps.
Tokenization, which replaces credit card numbers with substitute values or tokens, is one of the data protection and audit scope reduction methods recommended in the Payment Card Industry Data Security Standard (PCI DSS) guidance. However, companies that implemented first-generation, conventional tokenization are finding that it does not scale well and cannot support business growth, primarily because a token database sits at the centre of the architecture. Token databases grow over time, become increasingly costly to manage, introduce data integrity and replication issues, and become a high-value target for attackers. Newer approaches are available that enhance data security and reduce PCI audit scope while still keeping control of the payment process in-house.
Maintaining compliance with data security and privacy regulations is an ongoing effort with ever-increasing costs. Applications and systems may be compliant with PCI guidelines, but as long as they hold customer credit card numbers in the clear they are in scope for PCI audit. The more such applications and databases there are, the greater the complexity and cost of maintaining compliance and of undergoing PCI audit and remediation.
Moreover, compliance does not necessarily equate to security. There are many examples of breaches at businesses that were compliant at the time of the breach. It is therefore critical, for the business’s Safe Harbor protection, that IT can point to published security proofs of the standards-based protection techniques used, supplied by the data security vendor, together with published independent third-party validation of the strength of the solution. Finding technology that mitigates risk and raises the overall security profile of the company is a major, but not insurmountable, challenge for IT.
Planning for Cyber Monday, Black Friday and other retail peaks is difficult and expensive. One of the great advantages of cloud Infrastructure as a Service is that IT can order more web server capacity on demand for peak periods and forgo the expense of maintaining that infrastructure in-house all year. But cloud services on their own do not protect highly sensitive customer data at the data level, so many businesses hesitate to use the Cloud despite the potential cost savings and added flexibility. Data-centric protection can resolve that dilemma too: if the card numbers entering the cloud-hosted tier are already tokenized or encrypted, with the keys held on-premises, the cloud provider never holds them in the clear.
Best practices for securing your m-commerce and e-commerce data and systems
1. Examine the needs of the business. Are you embracing m-commerce now or in the near future? Identify protection solutions that de-identify customer credit card numbers (and other sensitive Personally Identifiable Information (PII)) as they are entered in the browser, with protection that travels with the data all the way to your secure back-office systems. This approach augments, rather than replaces, the transport security provided in your network by SSL/TLS.
2. Make sure you can provide customer purchase behaviour data back to the business. Don’t accept solutions that hand the online buyer off to an outside party or service during the critical check-out step. Serve your marketing organization with a fully branded purchase process, and keep the web analytics team happy by maintaining full visibility into the customer experience at checkout.
3. Forgo point security solutions in favour of data-centric protection. You can effect comprehensive change over time and across the business by selecting solutions that work with virtually all platforms and languages. Data-centric security also enables cost-saving technologies such as cloud computing, provided key management stays stateless and on-premises.
4. Introduce tokenization to address PCI compliance, but avoid solutions that have a token database in the architecture. Identify the solution that removes the largest number of applications and databases from audit scope; the vendor claim is as much as 80% audit scope reduction. Look for stateless tokenization, and ask for published security proofs, documented standards-based techniques and published third-party validation of the security techniques. Without evidence that you and your QSA can review, neither of you has a basis for accepting the solution as part of PCI DSS compliance.
5. Consider other kinds of sensitive data such as social security numbers, health information, account numbers and other PII. Will the same data protection framework secure all kinds of data, structured or unstructured, for internal corporate web forms as well as customer transactions?
6. If you have mainframes in your environment, identify solutions that tokenize customer data natively, without it “leaving the box”. This not only protects that data now but also sets the stage for Hadoop or other Big Data ecosystems: you can tokenize sensitive customer data before it enters Hadoop for analytics and still count on high-performance, scalable processing.
7. When assessing data encryption solutions, insist only on standards-based, NIST (National Institute of Standards and Technology) recognized format-preserving techniques. Standards-based format-preserving encryption enables the secure use of protected data for analytics and sharing inside and outside the business, and enables the use of cost-saving technologies such as Cloud services.
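The contrast between a token database and a stateless, key-derived token, drawn in the tokenization discussion above and again in practices 4 and 7, is easier to see in code. The following is an added illustration written for this page; it is not Voltage’s product, not the page’s own code, and not NIST FF1/FF3 (the NIST format-preserving modes were a draft of SP 800-38G at the time of writing and were published in 2016). The key, the sample PANs (industry-standard test numbers) and the toy cipher are all constructed assumptions. The vault version needs a database row per distinct card and can only detokenize by looking the row up; the stateless version derives the token from the card number and a key with a small Feistel network over the middle digits, keeps the BIN and last four in the clear, and detokenizes with nothing but the key:

```python
"""Token vault vs. stateless tokenization of card numbers (added illustration).
Constructed example: key, sample PANs and the toy cipher are assumptions for
this page, not a product implementation, not NIST FF1/FF3, not production code."""
import hashlib
import hmac
import secrets


def _check_format(value: str) -> None:
    """Card numbers are 12 to 19 digits; tokens here keep that same format."""
    if not value.isdigit() or not 12 <= len(value) <= 19:
        raise ValueError("expected 12-19 digits")


def luhn_ok(pan: str) -> bool:
    """Luhn check run at intake, before anything is stored or tokenized."""
    _check_format(pan)
    total, parity = 0, len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:            # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class VaultTokenizer:
    """First-generation design: random token per PAN, mapping kept in a database.
    The vault grows one row per distinct card and is itself a breach target."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}   # stands in for the token database
        self._by_pan: dict[str, str] = {}     # so a repeat card reuses its token

    def tokenize(self, pan: str) -> str:
        _check_format(pan)
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in pan[6:-4])
            token = pan[:6] + middle + pan[-4:]          # BIN and last four kept
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]                     # needs the database

    def rows(self) -> int:
        return len(self._by_token)


class StatelessTokenizer:
    """Stateless design: token = f(PAN, key), so there is no vault to store,
    replicate or breach, and detokenizing needs only the key. Toy 8-round
    Feistel network over the middle digits, HMAC-SHA256 as round function,
    tweaked with the BIN and last four. Shows the structure of format-preserving
    encryption only; it has no security proof and is not NIST FF1."""

    ROUNDS = 8

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _round(self, r: int, half: str, width: int, tweak: str) -> int:
        msg = tweak.encode() + bytes([r]) + half.encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest, "big") % 10 ** width

    def _feistel(self, middle: str, tweak: str, decrypt: bool) -> str:
        u = len(middle) // 2
        a, b = middle[:u], middle[u:]
        order = reversed(range(self.ROUNDS)) if decrypt else range(self.ROUNDS)
        for r in order:
            if not decrypt:            # (a, b) -> (b, a + F(b))
                f = self._round(r, b, len(a), tweak)
                a, b = b, str((int(a) + f) % 10 ** len(a)).zfill(len(a))
            else:                      # undo that round: (a, b) -> (b - F(a), a)
                f = self._round(r, a, len(b), tweak)
                a, b = str((int(b) - f) % 10 ** len(b)).zfill(len(b)), a
        return a + b

    def tokenize(self, pan: str) -> str:
        _check_format(pan)
        head, tail = pan[:6], pan[-4:]
        return head + self._feistel(pan[6:-4], head + tail, False) + tail

    def detokenize(self, token: str) -> str:
        _check_format(token)
        head, tail = token[:6], token[-4:]
        return head + self._feistel(token[6:-4], head + tail, True) + tail


def demo() -> dict:
    """Run both designs over constructed sample PANs (standard test numbers)."""
    pans = ["4111111111111111", "4111111111111111",      # same card twice
            "5555555555554444", "378282246310005"]
    vault = VaultTokenizer()
    stateless = StatelessTokenizer(key=b"key-held-on-premises-for-illustration")
    v_tokens = [vault.tokenize(p) for p in pans]
    s_tokens = [stateless.tokenize(p) for p in pans]
    return {
        "luhn": [luhn_ok(p) for p in pans],
        "vault_tokens": v_tokens,
        "vault_rows": vault.rows(),                      # 3 distinct cards, 3 rows
        "vault_roundtrip": [vault.detokenize(t) for t in v_tokens] == pans,
        "stateless_tokens": s_tokens,
        "stateless_roundtrip": [stateless.detokenize(t) for t in s_tokens] == pans,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two properties matter for the page’s argument. The stateless token is deterministic for a given key, so the same card yields the same token everywhere in the business and analytics can join on it without ever seeing the PAN, and the keyed component is the only secret, so the systems that hold tokens but no key drop out of PCI scope. Because the toy cipher has no published security analysis, a real deployment would use a mode with one (NIST FF1 with AES) and keep the key in on-premises key management, which is exactly the evidence practice 4 tells you to demand.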
What are the needs of the business? The evidence is in: m-commerce and e-commerce are critical to enabling retail businesses to thrive now and in the future. With proper data protection in place, IT and the organization’s Security and Risk professionals can rapidly enable the business to embrace the shifts already underway in consumer buying behaviour while, at the same time, securing the business and protecting its brand and reputation.
