Comment: Securing Mobile Commerce from Start to Finish

Tran says that, from start to finish, building security into consumer-based mobile applications and devices is critical to protect customer data (Image courtesy of ARphotography/
Tran says that, from start to finish, building security into consumer-based mobile applications and devices is critical to protect customer data (Image courtesy of ARphotography/

Business boundaries are no longer defined in terms of physical space. The increasingly ‘extended’ enterprise has introduced new security concerns. Retailers are opening their networks and data to partners, suppliers and mobile workers, rather than containing information and securing the perimeter, with the objective of business flexibility and agility – and eventually competitive advantage. This openness presents new risks and a greater need to both understand where vulnerabilities lie, and develop strategies to secure sensitive data, protect identities and retain customer confidence.

As always, the protection of client data is critical to the success and reputation of any merchant. Faced with an always-on communications environment, led by affordable mobile devices such as mobile phones, smartphones and tablet PCs, the usage of mobile commerce is on the rise. The power to purchase over a mobile device extends the potential revenue of a retail store further than merchants could have imagined even as few as five years ago. But with this brand-new power comes increased responsibility – for all parties involved.

Too many consumers take for granted that any application downloaded or pushed to their mobile device is safe. They forget that the device is just as vulnerable to threats as an unprotected computer on the internet. Applications that promise ‘faster online check-outs’ can just as quickly expose both consumers and retailers to new threats.

Importantly, a device is not secure unless it is kept secure. For consumers, loading credit card numbers, PINs, and passwords onto one device to save time and become more organized, but then not utilizing a password to lock/disable the device, is similar to writing all of this sensitive data on a note and displaying it for all to see. Quite literally – lose the device, lose the data.

Security Is Everyone’s Responsibility

Security must be considered an essential requirement – from the beginning of the development and deployment of any application or mobile tool, then throughout the lifecycle of the storage and transmission of sensitive data. It is not just something to be implemented after an application has been released and data subsequently compromised.

Visa Europe’s mobile acceptance security best practices represent a required first step, as well as an opportunity to take a deep breath and pause to confirm that the simplest steps for protecting client data have been taken.

For software developers and device manufacturers, building security into these consumer solutions and devices is critical. For merchants, the growth of web-enabled devices has provided an opportunity to tap into new revenue streams – to a large degree, driven by mobile commerce. Consumers are now used to an always-on-demand environment, and are using mobile technologies to make the shopping experience easier. However, they nonetheless still expect the same level of interaction and consistency in the customer experience that they receive from retailers, regardless of their chosen channel.

Always-on Communications Need Always-on Security

In order to offer an enhanced mobile web experience to consumers in the rapidly evolving mobile payment landscape, it is critical to develop a secure mobile strategy. This also offers the retail industry a challenge to prove that it can govern and regulate itself to truly protect consumers.

Collectively, industry experts from the wireless carriers, device manufacturers, and key groups – including the National Retail Federation, Association for Retail Technology Standards, Retail Industry Leaders Association, and the PCI Security Standards Council – should work together to improve security for mobile devices. So much is at stake for all parties involved; the speed of technology could outpace the safeguards put in place to protect the new payment landscape. It is therefore important that manufacturers of mobile payment acceptance solutions and merchants understand their responsibilities, and take the necessary precautions to keep cardholder and sensitive account data secure by making security a top priority.

Individually, by aligning with an experienced security vendor, retail organizations, their partners and suppliers can put measures in place to help protect revenue, brand credibility and reputation. By achieving PCI-DSS compliance, locking down their networks and having a business continuity plan in place, organizations can help ensure that their customers’ data, as well as their own sensitive information, is secure regardless of how it is accessed, stored or transmitted.

David Tran is an enterprise architect, Retail Solutions, at Verizon Business. Tran has over 15 years of combined professional experience in retail technology, retail business processes and retail IT strategy.

What’s hot on Infosecurity Magazine?