Comment: Contactless Payments – Retailers Must Learn to be More Secure in 2013

MacLeod says retailers must put security measures into place now to prepare for accepting mobile payments

When sensitive information is misused or compromised, organizations not only face monetary penalties but loss of customer trust and loyalty. Because brand reputation is the retailers’ most valuable asset, it can be devastating. Ask TJ Maxx if you don’t believe me. With the way consumers pay continuously evolving, how do you keep up and remain secure?

Retailers realize that customers have more shopping choices today in both online and physical storefronts. To attract and retain customers, they have adopted more integration in delivery of loyalty programs, merchandising and marketing. Evolving payment technologies are the latest weapon that can be deployed in the battle for customers, giving retail merchants the freedom to craft the type of experience and relationship they want with their customers – both online and in brick and mortar locations.

Easier Ways to Pay

EuroPay, MasterCard and Visa (EMV) smart cards, more commonly referred to as ‘chip and PIN’, were introduced in the UK and Ireland in 2004 in an effort to tackle fraudulent transactions. While EMV technology helped reduce crime at the register, when it came to telephone, internet and mail order – known in the industry as card-not-present (CNP) fraud – the figures were still growing.

In an effort to combat this trend, a three-digit number printed on the back of the card, below the magnetic stripe, was introduced. Known by many names – the card security code (CSC), card verification data (CVD), card verification value (CVV or CVV2), to name just a few – it is meant to afford the retailer and cardholder additional protection by giving some assurance that the person has the card in their possession.

Then, in 2008, RFID (radio-frequency identification) meant credit card transactions could go contactless. Instead of physically putting the card into a terminal and entering their PIN, users could simply wave the card near the reader and payment of £20/$32US or less would be automatically taken. It’s fair to say that uptake of this option has been slow to date – both from consumers and merchants alike.

However, today we’re on the cusp of something very different. NFC (near-field communication) enables customers to use their smartphone to make purchases. A ‘secure element’ chip provides similar functionality for a mobile phone as the EMV chip does for credit cards. Thirty million NFC handsets were sold in 2011, with projections to grow 87% annually to 300 million in 2016.

The user simply touches their phone to an NFC point-of-sale (POS) terminal to complete the transaction. In addition, NFC mobile phone payment systems can also be used for online transactions. Because they are connected to the internet and are software based, they can generate single-use codes for online merchants.

Launched in the UK in April 2012, the Barclaycard PayTag is an NFC credit card sticker that users can attach to their handsets, or any other item, to complete transactions. In August 2012, Mastercard and Everything Everywhere revealed they had signed a five-year deal, which included the announcement that the two companies were behind Orange’s Quick Tap service. Then, in September, Orange revealed it had joined forces with Barclaycard to allow Samsung Galaxy S3 owners to make contactless payments using the firms' Quick Tap service.

The advantages of going contactless speak for themselves – both for merchants and consumers. Upgrading POS terminals is costly, but once upgraded it may be several years before it occurs again.

Remaining Secure Is Not as Hard as You Think

Underlying these advances is IT infrastructure that manages extensive financial, customer and mission-critical business data. These systems must comply with industry-mandated security requirements if retailers are to avoid high-profile breaches and the repercussions they bring.

PCI DSS compliance is an important component in protecting the security of customers’ transactions. Through incentives, PCI is encouraging merchants to employ encryption through their entire transaction process. What are now incentives will be requirements soon.

Complexity Made Simple

To ensure compliance with PCI DSS standards, the management of encryption keys and security certificates is essential. Because mobile devices and their supporting infrastructure rely on security certificates for strong authentication and encryption, the number of certificates needed in retail is growing exponentially.

PCI DSS compliance requirements apply specifically to the use and proper management of SSL certificates and the private keys they rely on to ensure protection of data in transit. Effective encryption management results in a reduction of downtime, improves security of sensitive and often regulated customer information/card data and enables timely response to problems, all resulting in increased customer satisfaction. There are eight steps to enterprise key and certificate management (EKCM):

  • Discovery – after all, you can’t manage certificates if you don’t know where they are.
  • Submit a certificate signing request (CSR) to either an external or internal CA (certificate authority).
  • Make sure certificates are correctly installed, configured and working properly.
  • Use your inventory system to monitor important events, such as impending expiration dates.
  • Notify responsible parties in time to replace soon-to-expire certificates, or certificates that have inadequate key lengths, weak algorithms or were issued by a compromised CA (a condition that requires immediate notification).
  • When responsible parties receive notifications, they must remedy the issues that engendered them.
  • Reporting to demonstrate compliance.
  • Revoke expiring certificates that you’re replacing, or that compromised CAs have signed, so they don’t become targets for hackers.

Simple, yes? The problem is that manual approaches to SSL certificate and encryption key lifecycle management are difficult due to their proliferation throughout the enterprise. Automation of security management ensures more cost-effective compliance and deployment while reducing the risk of customer data exposure and subsequent loss of customer trust.
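As an added illustration of the monitoring and notification steps above (this is example code written for this page, not code from the article or from Venafi), the following Python evaluates a constructed certificate inventory against an assumed policy: certificates from a compromised CA or already expired need immediate notification, while short remaining lifetime, inadequate key length or a weak signature algorithm go to the normal renewal queue. The host names, thresholds and the "Constructed Compromised CA" issuer are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Policy thresholds: assumed values for this example, not figures from the article.
MIN_RSA_BITS, EXPIRY_WARNING_DAYS = 2048, 30
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

@dataclass
class CertRecord:  # one entry produced by the discovery step (host, expiry, key size, algorithm, issuer)
    host: str
    not_after: datetime
    key_bits: int
    sig_alg: str
    issuer: str

def assess(cert, compromised_cas, now):
    """Classify one certificate as 'immediate', 'warning' or 'ok', with the reasons found."""
    reasons = []
    days_left = (cert.not_after - now).days
    if cert.issuer in compromised_cas:
        reasons.append("issued by a compromised CA")
    if days_left < 0:
        reasons.append("already expired")
    elif days_left <= EXPIRY_WARNING_DAYS:
        reasons.append(f"expires in {days_left} days")
    if cert.key_bits < MIN_RSA_BITS:
        reasons.append(f"key length {cert.key_bits} bits is below {MIN_RSA_BITS}")
    if cert.sig_alg in WEAK_SIG_ALGS:
        reasons.append(f"weak signature algorithm {cert.sig_alg}")
    # A compromised issuer or an expired certificate cannot wait for the normal renewal cycle.
    if cert.issuer in compromised_cas or days_left < 0:
        return "immediate", reasons
    return ("warning" if reasons else "ok"), reasons

def build_notifications(inventory, compromised_cas, now):
    # Group every certificate that needs attention by severity, ready for the responsible parties.
    queue = {"immediate": [], "warning": []}
    for cert in inventory:
        severity, reasons = assess(cert, compromised_cas, now)
        if severity != "ok":
            queue[severity].append((cert.host, reasons))
    return queue

# Constructed sample inventory; NOW is pinned so the result is reproducible.
NOW = datetime(2013, 1, 15, tzinfo=timezone.utc)
COMPROMISED_CAS = {"Constructed Compromised CA"}
INVENTORY = [
    CertRecord("pos-gateway.example", NOW + timedelta(days=400), 2048, "sha256WithRSAEncryption", "Example Root CA"),
    CertRecord("shop.example", NOW + timedelta(days=10), 2048, "sha256WithRSAEncryption", "Example Root CA"),
    CertRecord("legacy-till.example", NOW + timedelta(days=200), 1024, "sha1WithRSAEncryption", "Example Root CA"),
    CertRecord("partner-api.example", NOW + timedelta(days=300), 2048, "sha256WithRSAEncryption", "Constructed Compromised CA"),
]
```

Calling `build_notifications(INVENTORY, COMPROMISED_CAS, NOW)` puts partner-api.example in the immediate queue and shop.example and legacy-till.example in the warning queue; in a real deployment the inventory would be fed from the discovery scan and the queues would drive the notifications of step 5.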

The use of contactless payments is set to explode over the coming years as both retailers and customers embrace the ease and immediacy NFC provides – it is up to retailers to put measures into place now that ensure data is kept under lock and key.

In the hyper-competitive retail environment, the question is not whether you should implement automated certificate and key lifecycle management, but when. Do you want to be reactive after a major website or transaction server goes down, or a data breach scares your customers away and tarnishes your reputation? It’s better to act now than to repent at your leisure.

Calum MacLeod is director, EMEA, for Venafi
