Data security questions emerge with mobile, conference speaker says
Published in CSP Daily News
FORT WORTH, Texas -- While mobile phones have emerged as a new path for retailers to market themselves and for consumers to pay digitally, the trend also poses a potential minefield for data security, because each mobile phone represents a chance for a breach.
Speaking before about 175 people at Arlington, Texas-based The Pinnacle Corp.'s annual users conference, Rick Dakin, CEO of Coalfire, Louisville, Colo., a data security analysis and auditing firm, said retailers need to prepare for a new level of vulnerability where answers are few.
"With mobile payment, you have to track data flow," Dakin said. "You have to know what you are taking in, how you're processing it and if it's compliant [to data security standards]."
Retailers also need to be cautious of vendors offering security solutions, since many of those solutions focus on fraud rather than on data security or compliance with Payment Card Industry (PCI) standards.
Mobile devices have very powerful processors, but questions remain surrounding firewalls, control over access and how secure the operating systems are in general, he said. "We do a little finger dance over our phones and think it's secure, but it's not a secure mechanism," Dakin said, especially when the devices are used as payment vehicles. "They were not built to be secure."
New generations of phones are supposedly being built with higher levels of security, but verifying whether the security measures that manufacturers and providers claim are actually in place remains an ongoing question, he said.
For the most part, Dakin said, data security in mobile payment can be achieved in three ways: through a tested and certified wireless payment device; through a "sled," or holding device, for the phone; or, in the case of a device plugged into a phone that is then used for payment transactions, by ensuring that data security measures are in place with the bank or third party receiving the data.
Even companies using "the cloud" to complete transactions need to be mindful that not all configurations are the same. Dakin said sometimes a retailer may involve a third party that uses a "community" cloud, opening the retailer up to a potential breach.
Dakin reminded the audience of a recent incident involving a c-store chain that decided to write its own point-of-sale (POS) application. Without all the proper security and testing measures in place, the application allowed a remote third party to accidentally introduce malware. The month-long breach exposed 10,000 cards. He said that typically 10% to 20% of exposed cards get compromised, which can cost a retailer $2,500 per card, on average.