AFI Association of Food Industries



Are Retail Online and mPOS Applications Secure?

Phil Jones
Director Cybersecurity, Mazars USA LLP

According to the National Retail Federation (NRF), retail has grown almost 4 percent annually since 2010, and NRF expects retail sales in 2018 to increase by at least 4.5 percent over 2017. Depending on the source, online sales currently make up between 9 and 11 percent of all retail sales industry-wide, and past figures support continued year-over-year growth, with online sales estimated to reach between 17 and 20 percent by 2021. According to SecurityScorecard’s “2018 Retail Cybersecurity Report,” online purchases during November and December 2017 reached nearly $700 billion, while data breaches also increased: 50 percent of retailers experienced a breach, up from 19 percent the prior year.

The continued growth in online sales and mobile point-of-sale (mPOS) applications brings security concerns to the fore. New privacy regulations can result in severe fines, along with legal pursuit of damages by individuals. Recent studies further suggest that privacy is steadily becoming a significant factor in customer loyalty, all of which makes security and privacy a new priority for retail.

A retailer’s reputation and market share are becoming a high-stakes digital game. According to a Harris Interactive and TRUSTe study, 89 percent of consumers won’t do business with companies that don’t protect them online. At the same time, SecurityScorecard’s “2018 Retail Cybersecurity Report” ranks the retail industry as a bottom performer for application security, 17th out of the 18 industries studied.

The increased reliance on applications, paired with the decreased level of security, will lead to troubling times for retailers who do not change. Those retailers who make security a priority and promote privacy options for their customers will not only advance brand loyalty, they will take market share from competitors who don’t.

Retailers should consider taking a program approach, regardless of whether their platforms run on internal infrastructure, in the cloud or in a hybrid of the two. The first step is to establish the rules: consider creating policies based on PCI, GDPR and an industry standard such as NIST or the ISO 27000 series. These rules and policies will drive the requirements your IT security team and/or service provider must meet to properly secure transactions and access to critical information.

To secure your critical applications, gain a business advantage and market share, consider the following application security and privacy areas related to mPOS and web applications:

  1. Securely develop your applications. There are several secure development approaches (PCI Mobile Payment guidance) and guidelines (OWASP) available. Additionally, consider using some or all of the privacy-by-design principles as the overarching framework.
  2. Develop an encryption strategy for all aspects of customer interaction: mPOS and web application usage, transactions, storage of data, and access to sensitive information by authorized staff or by the customers themselves.
  3. Be transparent with your customers; let them know you care about them and about keeping their personal information private.
  4. In the privacy policy, provide an understandable explanation of why the information is needed and what it will be used for. This should be supplied before a customer provides any personal information or creates an account.
  5. Don’t hold information hostage to a transaction; allow customers to supply information for a single purchase if they want. Requiring customers to create an account and/or consent to uses of their information beyond the transaction is not only illegal under several international laws, it also reduces customer loyalty.
  6. Secure the infrastructure that will support your online and mPOS applications. Consider going to the cloud with eyes wide open: don’t assume you are secure just because you have moved to the cloud. Get outside help beyond the service provider to make sure you are operating at an appropriate risk level. Good consulting organizations will not only help you be secure, they should also be able to help you reduce cost and increase productivity with a strategy to scale up and down on demand.

We wrote this article to provide some guidance and to improve security across the retail industry. Feel free to reach out with feedback, questions or requests for further information on retail security and privacy.

Mazars USA LLP is an accounting, tax and consulting firm serving a broad array of sectors, including the food and beverage industry. For more information, visit mazarsusa.com.

Association of Food Industries: Serving the U.S. Food Import Trade Since 1906