As consumers and retailers increase their use of mobile technology, questions remain about how prepared retailers are to secure sensitive consumer data processed via mobile devices, particularly at the checkout.
“The risk of breaches only increases as more personal digital devices are introduced into the workplace,” said Bill Bishop, chief architect, Brick Meets Click, and chairman, Willard Bishop, Barrington, Ill. “It’s hard to know how well prepared retailers are for the inevitable breaches, but my guess is that the majority are focusing their energy right now in other areas, which could lead to greater problems down the road.”
Security is a chief concern of the Merchant Customer Exchange (MCX), Dallas, a group of retailers developing a mobile platform for consumers that will incorporate payment and targeted offers. The retailers include Wal-Mart Stores, Target, Hy-Vee, Publix Super Markets, CVS/pharmacy, among others. “The MCX platform will employ secure technology,” said Mike Cook, corporate vice president and assistant treasurer, Wal-Mart, in a statement made when the formation of MCX was announced in August.
Read more: Isis Mobile Payment Starts in Two Cities
MCX has not yet elaborated on the nature of the technology it will employ, but merchants in the group believe the shift from mag-stripe readers used to process credit cards to a mobile platform will result in better security, said Jeremy Mullman, a spokesman for MCX. “The cost associated with fraud is not acceptable to MCX merchants, and they see this as a chance to improve on security.”
In addition to MCX, several other entities are vying to come out with a mobile payment platform that will appeal to consumers, including Google and Isis. So far, they have yet to address how to handle the 1% of transactions that result in chargebacks or disputes, said Walt Conway, manager at 403 Labs, Brookfield, Wis., a Qualified Security Assessor (QSA) firm. “When they address that, they’ll be true competitors to the established card brands.”
Conway is also concerned about potential security risks to consumers paying and redeeming coupons with phones that transmit data wirelessly. “When retailers put wireless capability at the POS, people sat in parking lots and intercepted the wireless signals,” he said. “I don’t want to see that experience repeated with the new technology. We will need encryption and key management to protect mobile payment and allow a positive customer experience.”
Bishop observed that outsourcing the responsibility for data security may make sense for retailers. “Ironically, the security capabilities of certain cloud-based resources are likely to be stronger than those that are driven primarily by in-house capabilities,” he said. “It is certainly worth investigating which of these is true about a retailers’ own operation.”
Read more: Retailers Confident of Data Security Says Report
He also advised retailers to plan how to recover and restore confidence after a breach.
Though not yet common in food retail, mobile devices are beginning to be used by some merchants as POS terminals to process transactions, sometimes in aisles or outside the store. But multi-purpose mobile devices such as phones or tablets are still waiting for payment applications to be approved by the PCI Security Standards Council, Wakefield, Mass., which oversees security standards for retail transactions involving credit cards.
In 2011, the Council declared that mobile payment-acceptance applications on multi-use mobile devices were not eligible for PCI compliance, and encouraged mobile developers to come up with applications that meet PCI’s payment application data security standards. “A general-purpose tablet is built for convenience, not security,” said Troy Leach, chief technology officer, PCI Security Standards Council. Meanwhile, PCI has guidelines on what a retailer should look for in a secure mobile device (See pcisecuritystandards.org.)
PCI standards don’t apply to a consumer’s mobile device used for payment, though “in the future we might look at it,” said Bob Russo, general manager, PCI Security Standards Council.
| Suggested Categories | More from Supermarketnews |
 |
|
 |
|