Mobile Devices Open Up Big Security Concerns for Merchants

Often the newest security culprit for merchants of all sizes is the introduction of mobile devices for point of sale (PoS) or apps for customer m-commerce, along with more connected machines, like kiosks. There is a significant benefit to these technologies: mobile and cloud technology has streamlined the shopping experience and, in theory, has resulted in happier customers and a more productive workforce. But while IT is constantly evolving, security must evolve too, and often much more rapidly than the devices it is tasked with protecting.

"The retail storefront has gone through many changes over the last decade, but one thing that hasn't changed is that customers are looking for a seamless and positive shopping experience," said Greg Buzek, president at IHL Group, which with McAfee conducted a survey of senior retail and hospitality executives to discuss their strategies to meet PCI compliance and security for their retail systems. "Customers want to be able to buy, fulfill and return anywhere. When done right, the introduction of mobile devices within the store can help enhance the customer experience but comes with expanded risks."

As a result of these changes in retail, two significant events have occurred: the increased sharing of information among more and more types of devices (with either LAN or wireless connections), and the need to be able to share information wirelessly within the store.

The study revealed that retailers do have a good understanding of PCI compliance, but they struggle to provide proper security and compliance management as the number and variety of store systems increase. On average, only 22% trust the PoS system manufacturer to provide security. Meanwhile, criminals looking to compromise retailer systems are growing more sophisticated, and PCI compliance requirements keep evolving. Already, retail makes up 45% of data breach incidents, an earlier report found.

The ability to tightly manage the enterprise is a big driver in managing security and controlling costs, according to McAfee and IHL Group. Security confidence can be closely tied to device variability within the store, and an increase in the number of devices is a key driver of significant complication in securing the store environment.

"The retail storefront has undergone significant changes to deliver convenience and speed to the customer," said Tom Moore, vice president of worldwide embedded sales at McAfee, in a statement. "Data breaches are not new to this industry, but the expanded footprint of systems like kiosks and digital signs to the mix is adding complexity to the environment. This research validates that the security concern is real and that retailers need to provide a secure experience for their customers. This is an opportunity for point of sale manufacturers to not only relieve the burden from retailers and solve the security challenge, but also enables manufacturers to provide a high valued product with built in security as a differentiator."

An ancillary finding in the report is that awareness of whitelisting is growing, with 31% of the respondents including it in their security strategy for PoS systems. Among retailers with more than $1 billion in revenue, there is an equal split between those using a whitelisting approach and those using antivirus. Among those with over $5 billion in revenue, the difference between the two approaches widens significantly, with more choosing a whitelist strategy than an antivirus strategy. "This data clearly suggests an ongoing strategy change around securing POS systems," the report found.
