The security of consumer data processed via mobile devices, especially at the checkout, remains a critical industry concern, Supermarket News reports. “The risk of breaches only increases as more personal digital devices are introduced into the workplace,” said Bill Bishop, chairman of Willard Bishop in Barrington, Ill. “It’s hard to know how well prepared retailers are for the inevitable breaches, but my guess is that the majority are focusing their energy right now in other areas, which could lead to greater problems down the road.”
The Merchant Customer Exchange (MCX) is focused on mobile security as retailers incorporate payment and customized offers. According to MCX spokesperson Jeremy Mullman, some of the enhanced security will be a reflection of the shift from mag-stripe readers. “The cost associated with fraud is not acceptable to MCX merchants, and they see this as a chance to improve on security.”
Meanwhile, Google and Isis have yet to address how they will handle the 1% of transactions that result in chargebacks or disputes, said Walt Conway, manager at 403 Labs, Brookfield, Wis., a Qualified Security Assessor (QSA) firm. “When they address that, they’ll be true competitors to the established card brands.”
Conway expressed concern about the security risks when consumers pay and redeem coupons with phones that transmit data wirelessly. “When retailers put wireless capability at the POS, people sat in parking lots and intercepted the wireless signals,” he said. “I don’t want to see that experience repeated with the new technology. We will need encryption and key management to protect mobile payment and allow a positive customer experience.”
Bishop suggested retailers might need to outsource data security responsibilities to minimize theft risk. “Ironically, the security capabilities of certain cloud-based resources are likely to be stronger than those that are driven primarily by in-house capabilities,” he said. “It is certainly worth investigating which of these is true about a retailer’s own operation.”
As for security certification, mobile devices such as phones or tablets are still waiting for payment applications to be approved by the PCI Security Standards Council. Last year, the Council said that mobile payment-acceptance applications on multi-use mobile devices were not eligible for PCI compliance and encouraged mobile developers to come up with applications that meet PCI’s payment application data security standards. “A general-purpose tablet is built for convenience, not security,” said Troy Leach, chief technology officer, PCI Security Standards Council. (NACS: www.nacsonline.com)