According to the National Retail Federation (NRF), retail sales have grown almost 4% annually since 2010, and NRF expects 2018 retail sales to increase by at least 4.5% over 2017. Depending on the source, online sales currently make up between 9% and 11% of all retail sales, and past numbers support continued year-over-year growth, with online sales estimated to reach 17%-20% by 2021. According to SecurityScorecard's "2018 Retail Cybersecurity Report," online purchases during November and December 2017 reached nearly $700 billion, while data breaches also increased: 50% of retailers experienced a breach, up from 19% the prior year.
Continued growth in online sales and mobile point-of-sale (mPOS) puts application security in the spotlight. New privacy regulations carry severe fines, along with the risk of individuals pursuing damages in court. Recent studies further suggest that privacy is steadily becoming a significant factor in customer loyalty, all of which makes security and privacy a new priority for retail.
A retailer's reputation and market share are becoming a high-stakes digital game. According to a Harris Interactive and TRUSTe study, 89% of consumers won't do business with companies that don't protect them online. At the same time, SecurityScorecard's "2018 Retail Cybersecurity Report" ranks the retail industry as a bottom performer for application security, 17th of the 18 industries studied.
Increased reliance on applications paired with a poor level of security will lead to troubling times for retailers who do not change. Retailers who make security a priority and promote privacy options for their customers will not only advance brand loyalty, they will take market share from competitors who don't.
Retailers should consider taking a program approach, regardless of whether their platform(s) run on internal infrastructure, in the cloud, or in a hybrid of the two. The first step is to establish the rules: consider creating policies based on PCI DSS, GDPR and an industry standard such as NIST or the ISO/IEC 27000 series. These rules and policies then drive the requirements that your IT security team and/or service provider must meet to properly secure transactions and access to critical information.
To secure your critical applications and gain a business advantage and market share, consider the following application security and privacy areas related to mPOS and web applications:
- Develop your applications securely. Several secure development approaches (the PCI Mobile Payment Acceptance Security Guidelines) and guidelines (OWASP) exist, and some or all of Privacy by Design can serve as the overarching framework.
- Develop an encryption strategy for all aspects of customer interaction: mPOS and web application usage, transactions in transit, data at rest, and the moments when sensitive information is accessed by authorized staff or by the customer themselves. Key management (who holds the keys, where they are stored, and how they are rotated) is part of that strategy, not an afterthought.
- Be transparent with your customers: let them know you care about them and about keeping their personal information private.
- Don't hold information hostage to a transaction; allow customers to supply information once, if they want to. Requiring customers to create an account and/or consent to uses of their information beyond the transaction is not only illegal under a number of international privacy laws (under GDPR, consent that is made a condition of the transaction is presumed not to be freely given, and so is not valid), it also reduces customer loyalty.
- Secure the infrastructure that will support your online and mPOS applications. Go to the cloud with eyes wide open: don't assume you are secure just because you moved there, since the provider secures the underlying platform while you remain responsible for your own configuration, identities and data. Get outside help beyond the service provider to confirm you are operating at an appropriate risk level. Good consulting organizations will not only help you be secure, they should also help you reduce cost and increase productivity with a strategy to scale up and down on demand.
We wrote this article to offer guidance and help improve security across the retail industry. Feel free to reach out with feedback, questions, or to learn more about retail security and privacy.
Phil Jones, Director Cybersecurity, Mazars USA LLP