How to secure your e-commerce and m-commerce systems

Retailers know that e-commerce is driving revenue growth by extending the reach of the business to buyers at any time and anywhere. Initially, retailers thought that mobile smartphones and tablets (a subset of e-commerce) would have only a negative impact on in-store sales, through behaviours such as 'showrooming', where people go to a local business, find the merchandise they want and then use their smartphone to find the same items somewhere else for a lower price.

However, the most recent studies turn this idea upside down. They quantify not only purchases made directly on mobile devices, but the purchase behaviours influencing sales in-store.

A report on "How In-Store Shoppers are Using Mobile Devices" features the results of a study that was performed in 2013 in conjunction with The Google Shopper Marketing Agency Council and M/A/R/C Research[i]. Examining consumer buying behaviours has revealed that "smartphone users buy more in brick and mortar stores than shoppers who don't use mobile devices".

Furthermore, over the next three to four years, direct mobile purchases are projected to grow at double the CAGR of e-commerce sales. eMarketer estimates that "by 2017 m-commerce sales are expected to...reach over $113 billion which would be a CAGR of 28 per cent."[ii] The bottom line is that, with growth of both the mobile influence factor and mobile payments, m-commerce and e-commerce are imperatives for retailers.

Business goals for retailers are:

  • Harness disruptive technologies to transform the business and address consumer expectations for information and inventory
  • Deliver the best consumer experience through and beyond the point of purchase
  • Capitalise on the immediacy of m-commerce and e-commerce to capture sales anywhere, any time and in-store.

IT must enable the goals of the business. E-commerce and m-commerce are critical as channels to revenue as much as they are ways to enhance the brand and gain customer loyalty. For IT, that means maintaining security and compliance, or those very same channels could lead to the immediate and catastrophic undoing of brand value and consumer trust. The top IT challenges are to secure consumer data, maintain compliance with security and privacy regulations, and provide buyer behaviour data back to the business.

Cyber-criminals have become highly adept at thwarting existing IT security defenses and exploiting any weak links in the payments ecosystem. Advanced persistent threats (APTs) are increasing, and recent breaches have focused a spotlight on growth in card not present (CNP) fraud and hacking.

Conventional data protection solutions protect sensitive corporate and customer data at rest in databases, but not in transit or as it is consumed and analysed. Conventional "container-based" data protection solutions tend to proliferate as point solutions, exacerbating IT management and maintenance challenges and costs, and they ignore the reality that business has evolved.

With trends like m-commerce, big data and cloud computing, the traditional walls of the IT environment are falling. Data moves inside and outside the business, which needs increased access to data for analytics and customer insights. Point solutions are problematic in that they tend to address only a short-term need. IT needs ways to protect sensitive data that can be consumed and not just stored in a container; that is, protection that is data-centric and travels with the data.

Security technologies like SSL only protect consumer data while it is 'in the pipe'. They leave credit card numbers in the clear at each hop as the data transits from the browser through the web and application tiers to upstream IT systems and networks. With the increased sophistication of cyber-criminals, IT must find ways to close these security gaps.

Tokenisation, which replaces credit card numbers with substitute values (tokens), is one of the data protection and audit-scope-reduction methods recommended by the Payment Card Industry Data Security Standard (PCI DSS) guidelines.

However, companies that have implemented first-generation or conventional tokenisation solutions are finding they don't scale well and can't support business growth, primarily because conventional tokenisation solutions have a token database at the centre of their architecture. Token databases grow over time, become increasingly costly to manage, introduce data integrity issues, and become a high-value target for data breach. There are new approaches available to enhance data security and reduce PCI audit scope while still maintaining control over payment processes.

Maintaining compliance with data security and privacy regulations is an ongoing effort, with ever-increasing costs. Applications and systems may be in compliance with PCI guidelines, but as long as they hold customer credit card numbers in the clear, they are in scope for PCI audit. The more of these applications and databases there are, the greater the complexity and cost to maintain compliance and to undergo PCI audit and remediation.

Moreover, compliance doesn't necessarily equate to security. There are many examples of data breaches in businesses that were in compliance at the time of the breach. Given this, it is critical, for Safe Harbor protection of the business, for IT to be able to show published security proofs of standards-based protection techniques, supplied by the data security vendor, along with published independent third-party validation of the strength of the security solution. Finding technology that will mitigate risk and raise the overall security profile of the company is a major, but not insurmountable, challenge for IT.

Planning for Cyber Monday, Black Friday and other retail business peaks is difficult and expensive. One of the great advantages of cloud Infrastructure as a Service is that IT can instantly order more web server capacity to handle business peak times, forgoing the expense of maintaining that infrastructure in-house throughout the year. But cloud services don't offer effective security for highly sensitive and valuable customer data, so many businesses hesitate to use the cloud in spite of the cost-savings potential and added flexibility. In fact, data-centric protection solutions can solve that dilemma too.

Top tips to secure your m-commerce and e-commerce data and systems:

1. Examine the needs of the business: are you embracing m-commerce now or in the near future? Identify protection solutions that de-identify customer credit card numbers (and other sensitive personally identifiable information (PII)) as that data is entered into the browser, and that travel with the data all the way to your secure back-office systems. This approach augments the security provided in your network by solutions such as SSL.

2. Make sure you can provide customer purchase behaviour data back to the business. Don't accept solutions which pass the online buyer to another outside party or service during the critical check-out process. Serve your marketing organisation well with a fully branded purchase process, and keep the web analytics team happy by maintaining full visibility into the customer experience at checkout.

3. Forgo point security solutions in favour of data-centric protection. You can effect comprehensive change over time and across the business by selecting solutions that work with virtually all platforms and languages. Data-centric security solutions will enable use of cost-saving technologies like cloud computing, with secure premises-based stateless key management.

4. Introduce tokenisation to address PCI compliance, but avoid solutions that use a token database in the architecture. Identify the solution that will remove the maximum number of applications and databases from audit scope. Expect as much as 80% audit scope reduction. Look for stateless tokenisation, and be sure to ask for published security proofs, documented standards-based techniques and published third-party validation of strong and proven security techniques. Without proof and evidence that you and your QSA can review, the solution cannot be used for PCI DSS compliance.

5. Consider other kinds of sensitive data such as social security numbers, health information, account numbers, and other PII. Will the same data protection framework secure all kinds of data whether structured or unstructured, and for internal corporate web forms or customer transactions?

6. If you have mainframes in your environment, identify solutions that will tokenise customer data natively, without "leaving the box". This is a superior way not only to protect that data now, but also to set the stage for potential use of Hadoop or other big data ecosystems. You can tokenise sensitive customer data before it enters Hadoop for big data analytics and count on high-performance capabilities and scalability.

7. When assessing data encryption solutions, require standards-based, NIST-recognised format-preserving techniques ONLY. Standards-based format-preserving encryption enables the secure use of protected data for analytics and sharing inside and outside the business, and enables the use of cost-saving technologies such as cloud services.
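The contrast the article draws between a token database (the vault that grows with every card and must itself be defended) and a stateless, format-preserving approach is easiest to see side by side. The following is an added example written for this page, not code from the article or from Voltage Security's products. `VaultTokenizer` is a conventional tokeniser whose only way back to the card number is its in-memory vault; `stateless_protect` keeps the BIN and last four in the clear and transforms the middle six digits with a keyed Feistel network so that nothing has to be stored. The Feistel construction is the idea behind the FFX/FF1 family, but this is a simplified illustration and not NIST's FF1 mode; the card number is the well-known test PAN and the key is a constructed demo value, both assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed inputs: the well-known Visa test PAN (not a real account) and a
# fixed demo key. A real deployment obtains the key from an HSM or key manager.
SAMPLE_PAN = "4111111111111111"
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def luhn_check(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def split_pan(pan: str):
    """Split a 16-digit PAN into BIN (first 6), middle 6 and last 4 digits."""
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit PAN")
    return pan[:6], pan[6:12], pan[12:]


class VaultTokenizer:
    """Conventional tokenisation: a random token whose mapping lives in a database.

    The vault (a dict here) is the only route back to the PAN, so it grows with
    every distinct card seen and is itself a high-value target that must be secured.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        bin_, _, last4 = split_pan(pan)
        if pan in self._pan_to_token:   # same card -> same token, so analytics still work
            return self._pan_to_token[pan]
        while True:                      # draw random middle digits until unused
            token = bin_ + f"{secrets.randbelow(10**6):06d}" + last4
            if token not in self._token_to_pan and token != pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]  # impossible without the vault

    def vault_size(self) -> int:
        return len(self._token_to_pan)


def _round_function(key: bytes, tweak: str, round_no: int, value: int) -> int:
    """Keyed Feistel round function: HMAC-SHA256 over (tweak, round, half) mod 1000."""
    msg = f"{tweak}|{round_no}|{value:03d}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % 1000


def stateless_protect(pan: str, key: bytes, rounds: int = 8) -> str:
    """Stateless, format-preserving protection of the middle six digits.

    The BIN and last four stay in the clear and act as the tweak, so the same
    middle digits on different cards protect differently. Output is 16 digits;
    this simplified scheme does not preserve Luhn validity.
    """
    bin_, middle, last4 = split_pan(pan)
    left, right = int(middle[:3]), int(middle[3:])
    for i in range(rounds):
        left, right = right, (left + _round_function(key, bin_ + last4, i, right)) % 1000
    return bin_ + f"{left:03d}{right:03d}" + last4


def stateless_unprotect(protected: str, key: bytes, rounds: int = 8) -> str:
    """Invert stateless_protect by running the Feistel rounds in reverse."""
    bin_, middle, last4 = split_pan(protected)
    left, right = int(middle[:3]), int(middle[3:])
    for i in reversed(range(rounds)):
        left, right = (right - _round_function(key, bin_ + last4, i, left)) % 1000, left
    return bin_ + f"{left:03d}{right:03d}" + last4


if __name__ == "__main__":
    assert luhn_check(SAMPLE_PAN)
    vault = VaultTokenizer()
    token = vault.tokenize(SAMPLE_PAN)
    print("vault token:", token, "vault entries:", vault.vault_size())
    protected = stateless_protect(SAMPLE_PAN, DEMO_KEY)
    print("stateless:  ", protected, "->", stateless_unprotect(protected, DEMO_KEY))
```

Both outputs keep the 16-digit shape, the BIN and the last four, so downstream systems that only need those fields never see the real PAN and drop out of audit scope. The difference is operational: every new card adds a row to the vault, and any consumer that must reverse a token needs access to it, whereas the stateless form is reproduced anywhere the key is available and the same card always yields the same protected value, which is what keeps the data usable for analytics.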

What are the needs of the business? M-commerce and e-commerce are critical to enabling retail businesses to thrive now and in the future. With the proper data protection solutions in place, IT and the security and risk professionals in the organisation can rapidly enable the business to embrace the technological shifts already under way in consumer buying behaviour, while simultaneously securing the business and protecting its brand and reputation.

Dave Anderson is Senior Director at Voltage Security.

[i] "Leveraging the Impact of Smartphones on the In-Store Shopping Experience", by Shannon Andrade, Merchant Warehouse, September 19, 2013.

[ii] "Ecommerce Is Growing Nicely While Mcommerce Is On A Tear", by Chuck Jones, Forbes, October 2, 2013.