Secure M-Commerce and E-Commerce Systems
By Carole Murphy
Retailers know that e-commerce is driving revenue growth by extending the reach of business to buyers anytime and anywhere. Initially, retailers thought that mobile smartphones and tablet – a subset of e-commerce – would only have a negative impact on in-store sales with behaviors such as “showrooming,” where people go to a local business, find the merchandise they want and then use their smartphone to find the same items somewhere else for a lower price. However, the most recent studies turn this idea upside down. They quantify not only purchases made directly on mobile devices, but the purchase behaviors influencing sales in-store.
A report on “How In-Store Shoppers are Using Mobile Devices” features the results of a study that was performed in 2013 in conjunction with The Google Shopper Marketing Agency Council and M/A/R/C Research. Examining consumer buying behavior has revealed that “smartphone users buy more in brick and mortar stores than shoppers who don’t use mobile devices.” Furthermore, over the next three to four years, direct mobile purchases are projected to double the CAGR of e-commerce sales. eMarketer estimates that “by 2017 m-commerce sales are expected to…reach over $113 billion which would be a CAGR of 28%.”
The bottom line is that, with growth of both the mobile influence factor and mobile payments, m-commerce and e-commerce are imperatives for retailers.
E-commerce and m-commerce are critical channels to revenue just as they are ways to enhance brand and gain greater customer loyalty. For IT, that means effectively maintaining security and compliance or the very same channels could lead to the immediate and even catastrophic undoing of brand value and consumer trust. Top IT challenges are to secure consumer data, maintain compliance to security and privacy regulations and provide buyer behavior data back to the business.
Cybercriminals have become highly adept at thwarting existing IT security defenses as well as exploiting any weak links in the payments ecosystem. Advanced Persistent Threats (APTs) are increasing, and recent breaches have focused a spotlight on growth in Card Not Present (CNP) fraud and hacking. Conventional data protection solutions protect sensitive corporate and customer data at rest in databases but not in transit or as it is consumed and analyzed. Conventional “container-based” data protection solutions tend to proliferate as point solutions – exacerbating IT management and maintenance challenges and costs.
With trends like m-commerce, Big Data and cloud computing, the traditional walls of the IT environment are falling. Data moves inside and outside the business, which needs increased access to data for analytics and customer insights. Point solutions are problematic in that they can become very short-term. IT needs ways to protect sensitive data that can be consumed and not just stored in a container; that is, protection that is data-centric and travels with the data.
Security technologies like SSL only protect consumer data while it is “in the pipe,” but leave credit card numbers in the clear as data transits from the browser through web and application tiers and upstream IT systems and networks. With the increased sophistication of cybercriminals, IT must find ways to close these security gaps.
Tokenization, which is used as a way to replace credit card numbers with substitute values or tokens, is one of the data protection and audit scope reduction methods recommended by the Payment Card Industry Digital Security Standard (PCI DSS) guidelines. However, companies that have implemented first-generation or conventional tokenization solutions are finding they don’t scale well and can’t support business growth – primarily because conventional tokenization solutions have a token database central to their architecture. Tokenization databases grow over time, become increasingly costly to manage, introduce data integrity issues, and become a high-value target for data breach. There are new approaches available to enhance data security and reduce PCI audit scope while still maintaining control over payment processes.
Maintaining compliance with data security and privacy regulations is an ongoing effort, with ever-increasing costs. Applications and systems may be in compliance with PCI guidelines, but as long as they hold customer credit card numbers in the clear, they are in scope for PCI audit. The more of these applications and databases there are, the greater the complexity and cost to maintain compliance and to undergo PCI audit and remediation.
Moreover, compliance doesn’t necessarily equate to security. There are many examples of data breaches in businesses that actually were in compliance at the time of the breach. In that case, it’s critical, for Safe Harbor protection of the business, for IT to be able to show published security proofs of standards-based protection techniques, supplied by the data security vendor, along with published independent third-party validation of the strength of the security solution. Finding technology that will mitigate risk and raise the overall security profile of the company is a major, but not insurmountable, challenge for IT.
Planning for retail business peaks is difficult and expensive. One of the great advantages of cloud Infrastructure as a Service is that IT could instantly order more web server capability to handle business peak times – and forego the expense of maintaining that infrastructure in-house throughout the year. But cloud services don’t offer effective security for highly sensitive and valuable customer data, so many businesses hesitate to use the Cloud in spite of the cost-savings potential and added flexibility. In fact, data-centric protection solutions can solve that dilemma too.
M-commerce and e-commerce are critical to enabling retail businesses to thrive now and in the future. With the proper data protection solutions in place, IT and the Security and Risk professionals in the organization can rapidly enable the business to embrace the technological shifts already underway in consumer buying behavior, while simultaneously securing the business and protecting its brand and reputation.