When NYC’s web-weaving crime fighter Spider-Man was told that “with great power comes great responsibility,” the advice could just as easily have been aimed at retailers putting mobile ERP in the hands of their store staff. Once an ERP solution is in place, mobile devices can be integrated with it and equipped with enterprise applications to powerful effect. Return lanes, check-out lanes, and customer service kiosks disappear, replaced by a friendly representative holding a tablet or phone. Yet, while mobile ERP is transforming the retail store landscape, it is also creating new security risks for retailers and their customers.
In this article, we share three mistakes retailers commonly make with mobile ERP and how they can better protect customers against mobile security risks in a retail environment.
Mistake # 1 – Doing the Bare Minimum
Any retailer accepting payment cards through a mobile device over a wireless network must meet the PCI DSS requirements that the card brands impose on every merchant handling cardholder data, and, where chip cards are accepted, the EMV chip-card specifications for card-present transactions (EMV adoption came earlier in Canada and Europe than in the USA). These rules guarantee a certain baseline of protection when a customer uses a payment card. What customers and retailers often do not realize is that a merchant can be PCI or EMV compliant and still be exposed to outside attacks. Compliance is not the same thing as mobile security.
When a retailer applies PCI and EMV controls against the common vulnerabilities they cover, the retailer is technically compliant, yet not necessarily secure. These standards define the minimum amount of security required to keep card data safe, and an attacker is under no obligation to use only the attacks the standard anticipates. Retailers who want to prevent a damaging breach need to go beyond the letter of the standard. A recent article, “Security vs. PCI Compliance” on the PCI Compliance Guide, explains why compliance alone does not ensure the safety of the data collected through mobile devices. The author, Fritz Young, recommends that retailers “follow both the letter and spirit of the standard” by looking for ways to secure data beyond the bare minimum. For example, retailers can:
- Keep as little data as possible on the mobile device itself, holding sensitive data instead in secured web, cloud, or client-server applications that the device only queries. A lost or stolen tablet then exposes a session, not a database.
- Maintain a strong security posture and keep looking for new ways to protect data, rather than treating the last audit as the finish line.
- Review application code at least annually, and after any significant change, to find new vulnerabilities and to maintain compliance.
- Use developers who understand cross-site scripting, SQL injection, and access control violations, and have them write code that prevents such attacks from the start, for example by binding query parameters instead of concatenating user input into SQL and by enforcing authorization on the server rather than trusting what the device sends.
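The last two bullets are easiest to see in code. The following is an added example, not code from this article, from Magstar or from IBM: a customer-order lookup for a hypothetical mobile ERP back end, written first in the injectable style the bullets warn about and then hardened with a bound-parameter query and a server-side store-scope check. The table, the sample rows and the function names are all constructed for the illustration; it runs on an in-memory SQLite database so it can be tried offline.

```python
"""
Added example (not the article's, Magstar's or IBM's code): a customer-order
lookup for a hypothetical mobile ERP back end, shown vulnerable and hardened.
All table names, sample rows and function names are constructed for this demo.
"""
import sqlite3

# Constructed sample data: orders from two stores (store 101 and store 202).
SAMPLE_ORDERS = [
    (1, 101, "alice@example.com", 45.00),
    (2, 101, "bob@example.com", 120.50),
    (3, 202, "carol@example.com", 9.99),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER, store_id INTEGER, email TEXT, total REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, email, store_id):
    """BAD: the e-mail typed by the store associate on the tablet is pasted
    straight into SQL, and the store scope is taken from the same untrusted
    request.  A crafted e-mail rewrites the query and leaks every store's orders."""
    sql = (
        "SELECT id, store_id, email, total FROM orders "
        f"WHERE email = '{email}' AND store_id = {store_id}"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email, session_store_id):
    """GOOD: bound parameters keep the input as data, never as SQL, and the
    store scope comes from the authenticated session, not from the request,
    so a representative at store 101 cannot pull store 202's orders."""
    sql = (
        "SELECT id, store_id, email, total FROM orders "
        "WHERE email = ? AND store_id = ?"
    )
    return conn.execute(sql, (email, session_store_id)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Classic injection: closes the string, makes the WHERE always true,
    # and comments out the store_id restriction that followed it.
    payload = "' OR 1=1 --"
    print("vulnerable, injected :", lookup_vulnerable(db, payload, 101))   # all 3 rows
    print("hardened,   injected :", lookup_hardened(db, payload, 101))     # []
    print("hardened,   own store:", lookup_hardened(db, "alice@example.com", 101))
    print("hardened,   other    :", lookup_hardened(db, "carol@example.com", 101))  # []
```

The hardened version fixes two separate defects: parameter binding removes the injection, and taking the store scope from the session rather than the request removes the access control violation, which would still be present even after the injection is gone.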
Mistake # 2 – Viewing Security as a One-Time Checklist
As attackers grow more sophisticated, retailers need to be more vigilant in safeguarding customer data. Attackers know that new technology such as mobile ERP is vulnerable precisely because it is changing rapidly and still in a state of flux. If retailers do not patch vulnerabilities in a timely manner, attackers will mercilessly target the weak point in the retailer’s infrastructure. That is why Joan Herbig of the PCI Compliance Guide warns businesses against treating a security checklist as sufficient. She says,
Can a security checklist be enough to help you achieve the sufficient security practices and controls to protect your customer data? A checklist captures the practices and controls of the right now — the moment. In other words, a checklist is only as good as the point in time in which it was written to protect against attacks.
The retailers best protected against attacks are those who never stop looking for ways to be more secure. Vendors regularly release patches for known problems which, if applied promptly, help keep mobile systems secure. Applying patches is a good way to stay current on known vulnerabilities, but smart retailers also look for new ways to stay ahead of attackers. Remember, protecting customer data is not like a game of chess, where great players see three moves ahead of their opponent. Sometimes the game changes and the board is done away with completely. That is why it is so important not to rely on a static checklist and to remain nimble.
Mistake # 3 – Believing Hackers Target Big Box Retailers Only
Don’t believe the news coverage. While security breaches seem to happen only to large retailers such as the TJX Corporation and Hannaford Brothers, small-to-medium retailers are highly vulnerable and a frequent target of attackers.
As big box retailers strengthen their defenses, attackers have begun looking for easier prey elsewhere. With less sophisticated technology and more unpatched weaknesses, small-to-medium businesses are the perfect meal for a hungry attacker. In addition to constant vigilance, small-to-medium retailers should perform a security analysis that looks for evidence of breaches that have already happened, not only for ways to prevent future ones. According to the 2011 Data Breach Investigations Report, 85% of data breaches were discovered by a third party, months after the breach occurred.
Note: Magstar partners with IBM to bring the best in Total Retail Solutions to our customers. Learn more about IBM’s technologies and the services we provide at http://www.magstarinc.com