Best Practices For Securing Your Online Retail Presence

It is a known fact to retailers that online retail is driving revenue growth by extending the reach of business to buyers anytime and anywhere. At first, it was thought that mobile smartphones and tablets – a subset of e-commerce – would only have a negative impact on in-store sales, with behaviours such as ‘showrooming’, where people go to a local business, find the merchandise they want and then use their smartphone to find the same items somewhere else for a lower price.  However, the most recent studies turn this idea on its head. They quantify not only purchases made directly on mobile devices, but the purchase behaviours influencing in store sales.

A report on “How In-Store Shoppers are Using Mobile Devices” features the results of a study that was performed in 2013 in conjunction with The Google Shopper Marketing Agency Council and M/A/R/C Research[i].  Examining consumer buying behaviours has revealed that “smartphone users buy more in brick and mortar stores than shoppers who don’t use mobile devices”.  Furthermore, over the next three to four years, direct mobile purchases are projected to have doubled the CAGR of e-commerce sales. eMarketer estimates that “by 2017 m-commerce sales are expected to…reach over $113 billion which would be a CAGR of 28%.”[ii] The bottom line is that, with growth of both the mobile influence factor and mobile payments, m-commerce and e-commerce are imperatives for retailers.

Business goals for retailers are to harness disruptive technologies to transform the business, address consumer expectations for information and inventory, deliver the best consumer experience through and beyond point-of-purchase and capitalise on the immediacy of m-commerce and e-commerce to capture sales anywhere, anytime–and in-store.

IT must enable the goals of the business.  E-commerce and m-commerce are critical channels to revenue just as they are ways to enhance brand and gain greater customer loyalty.  For IT, that means effectively maintaining security and compliance or the very same channels could lead to the immediate and even catastrophic undoing of brand value and consumer trust.  Top IT challenges are to secure consumer data, maintain compliance to security and privacy regulations and provide buyer behaviour data back to the business.

Regarding security, cybercriminals have become highly adept at thwarting existing IT security defenses as well as exploiting any weak links in the payments ecosystem.  Advanced Persistent Threats (APTs) are increasing, and recent breaches have focused a spotlight on growth in Card Not Present (CNP) fraud and hacking.  Conventional data protection solutions protect sensitive corporate and customer data at rest in databases but not in transit or as it is consumed and analysed.  Conventional “container-based” data protection solutions tend to proliferate as point solutions–exacerbating IT management and maintenance challenges and costs–and ignore the reality that business has evolved today.

With trends like m-commerce, Big Data and cloud computing, the traditional walls of the IT environment are falling.  Data moves inside and outside the business, which needs increased access to data for analytics and customer insights.  Point solutions are problematic in that they can become very short-term.  IT needs ways to protect sensitive data that can be consumed and not just stored in a container; that is, protection that is data-centric and travels with the data.

Security technologies like SSL only protect consumer data while it is “in the pipe”, but leave credit card numbers in the clear as data transits from the browser through web and application tiers and upstream IT systems and networks.  With the increased sophistication of cybercriminals, IT must find ways to close these security gaps.

Tokenization, which is used as a way to replace credit card numbers with substitute values or tokens, is one of the data protection and audit scope reduction methods recommended by the Payment Card Industry Digital Security Standard (PCI DSS) guidelines.  However, companies that have implemented first-generation or conventional tokenization solutions are finding they don’t scale well and can’t support business growth–primarily because conventional tokenization solutions have a token database central to their architecture.  Tokenization databases grow over time, become increasingly costly to manage, introduce data integrity issues, and become a high-value target for data breach.  There are new approaches available to enhance data security and reduce PCI audit scope while still maintaining control over payment processes.

Maintaining compliance with data security and privacy regulations is an ongoing effort, with ever-increasing costs.  Applications and systems may be in compliance with PCI guidelines, but as long as they hold customer credit card numbers in the clear, they are in scope for PCI audit.  The more of these applications and databases there are, the greater the complexity and cost to maintain compliance and to undergo PCI audit and remediation.

Moreover, compliance doesn’t necessarily equate to security.  There are many examples of data breaches in businesses that actually were in compliance at the time of the breach.  In that case, it’s critical, for Safe Harbor protection of the business, for IT to be able to show published security proofs of standards-based protection techniques, supplied by the data security vendor, along with published independent third-party validation of the strength of the security solution.  Finding technology that will mitigate risk and raise the overall security profile of the company is a major, but not insurmountable, challenge for IT.

Planning for Cyber Monday, Black Friday and other retail business peaks is difficult and expensive.  One of the great advantages of cloud Infrastructure as a Service is that IT could instantly order more web server capability to handle business peak times–and forego the expense of maintaining that infrastructure in-house throughout the year.  But cloud services don’t offer effective security for highly sensitive and valuable customer data, so many businesses hesitate to use the Cloud in spite of the cost-savings potential and added flexibility.  In fact, data-centric protection solutions can solve that dilemma too.

Best practices for securing your m-commerce and e-commerce data and systems

1) Examine the needs of the business–are you embracing m-commerce now or in the near future?  Identify protection solutions that will de-identify customer credit card numbers (and other sensitive Personally Identifiable Information (PII)), as that data is entered into the browser, and travel with the data all the way to your secure back-office systems.  This approach will augment the security provided in your network by solutions such as SSL.

2) Make sure you can provide customer purchase behavior data back to the business.  Don’t accept solutions which pass the online buyer to another outside party or service during the critical check-out process.  Serve your marketing organization well with a fully branded purchase process, and keep the web analytics team happy by maintaining full visibility into the customer experience at checkout.

3) Forego point security solutions for data-centric protection.  You can effect comprehensive change over time and across the business, by selecting solutions that work with virtually all platforms and languages.  Data-centric security solutions will enable use of cost-saving technologies like cloud computing, with secure premises-based stateless key management.

4) Introduce tokenization to address PCI compliance, but avoid solutions using a token database in the architecture.  Identify the solution that will remove the maximum number of applications and databases from audit scope.  Expect as much as 80% audit scope reduction.  Look for stateless tokenization–and be sure to ask for published security proofs, documented standards-based techniques and published third party validation of strong and proven security techniques.  Without proof and evidence you and your QSA can review, the solution cannot be used for PCI DSS compliance.

5) Consider other kinds of sensitive data such as social security numbers, health information, account numbers, and other PII.  Will the same data protection framework secure all kinds of data whether structured or unstructured, and for internal corporate web forms or customer transactions?

6) If you have mainframes in your environment, identify solutions that will tokenize customer data natively, without “leaving the box”.  This is a superior way to not only protect that data now, but also set the stage for potential use of Hadoop or other Big Data ecosystems.  You can tokenize sensitive customer data before it enters Hadoop for Big Data analytics and count on high-performance capabilities and scalability.

7) When assessing data encryption solutions, require standards-based, NIST-recognized format-preserving techniques ONLY.  Standards-based format-preserving encryption enables the secure use of protected data for analytics and sharing inside and outside the business, and enables the use of cost-saving technologies such as Cloud services.

What are the needs of the business?  The evidence is in.  M-commerce and e-commerce are critical to enabling retail businesses to thrive now and in the future.  With the proper data protection solutions in place, IT and the Security and Risk professionals in the organisation can rapidly enable businesses to embrace the technological shifts already underway in consumer buying behavior while, at the same time, securing the business and protecting its brand and reputation.

By Dave Anderson, senior director at Voltage Security