Mobile 2 Go Blog: Securing Mobile for Convenience Stores
Data security auditor shares concerns on mobile in retail environment
Published in CSP Daily News
LOUISVILLE, Colo. -- As the convenience store industry tests the waters with mobile payment, many questions come to mind, especially on data security. What are the risks? Where are the holes? What can be done to secure the environment?
I had the opportunity to catch Rick Dakin, CEO of Coalfire Systems Inc., Louisville, Colo., a data security firm and auditor, at the recent Conexxus meeting in Tucson, Ariz., and we discussed these concerns.
Here's my Q&A with him:
Q: Can you give me an idea what the risk is as retailers move into a mobile-interactive environment--everything from payments to marketing to loyalty?
A: Let's start with the basics. If I go to a Verizon or an AT&T and buy a smartphone, where do I turn on a firewall? Where do I upload a patch? Is the log-in turned on? None of that stuff is obvious or even there. Then you put on a "dongle," one of those attachable card readers and you take someone else's credit card—at some point there's a need to authorize that payment. It's happening on a system less secure than Windows 95. [Smartphones or tablets] were never designed to be secure.
Q: I've seen my friend take credit cards on his phone, but I'm not sure how it relates to c-stores.
A: If a system is not designed to be secure or have [Payment Card Industry or PCI-level] certification, then there's no [security] implementation guide. You don't know what to do. So say I want to do line busting. I'm selling flowers at Home Depot in May and there's a line. How do I service that customer? I have an inherently unsafe device.
Q: Is the merchant liable?
A: The banks will disavow knowledge. They'll say, "We never certified that [mobile] device." All the liability goes to the retailer. All the risk lies with the merchant.
Q: What would you advise a retailer to do?
A: The first thing would be to go to their payment acquirer, their payment-gateway provider. Say that you're going mobile and you want to make sure encrypting capability is on your device. That's No. 1.
Q: Do you think the c-store industry is ready for mobile security?
A: In my personal opinion, the c-store industry is better organized than other channels. The fact that they have an organization in NACS with Conexxus is beyond most. There's strength in organization and communication.
For more on mobile and its potential effect on the convenience channel, read the cover story "Brick, Click Boom" in the May issue of CSP magazine, as well as more coverage of network security.