At the Speed of Mobile – Keeping Pace with Omnichannel Security

1 out of 4 cases of fraud in 2014 occurs in the mobile channel. Globally, businesses are enabling a mobile platform for their omnichannel processing environment at warp speed, and a lot of businesses are falling behind in securing their entire data environment. According to RSA's Anti-Fraud Command Center, during the first six months of 2014, 33% of banking transactions originated in the mobile channel, which marks an increase of 20% from 2013 and a 67% increase from 2012. Those numbers will continue to rise dramatically. How do you secure mobile devices inside your data environment? Data security often plays catch-up with new technology, and mobile continues to evolve on a weekly basis. That being said, there are complete data security technologies at your fingertips that not only secure at the point of transaction, but remove toxic data from your environment, lowering compliance burden and scope.

Security Sacrificed for Mobile

Mobile devices are easy to integrate into current data environments and are a cost-effective way of expanding omnichannel acceptance to both employees and customers. A bring-your-own-mobile-device party has started in the mobile acceptance arena. However, that connectivity comes with a cost. The recent Raytheon-backed study with the Ponemon Group identified that 60% of companies know full well that mobile devices diminish security best practices. The conundrum is securing your data environment versus opening every acceptance channel possible. Speaking as a former QSA, securing your data environment should be the most important of the two. Secure each channel before making it available to the public. Good luck keeping customers if you cannot secure their data.

Significant Disparity in Mobile Payment Solutions

currentC is getting whipped by ApplePay, which is being shamed by Starbucks. I will get to currentC in a minute. Starbucks, you are impressive and I extend a virtual high five! 7 million transactions a week, all done through QR codes. Merchants are flocking to find out how Starbucks has done such a good job of presenting a mobile application that enables caffeine junkies (that's all of us) to avoid global meltdown if we get our coffee in our hands a few minutes sooner. Starbucks is the belle of the ball, again. I digress from my greater point, but really, kudos to Starbucks. The topic at hand: currentC has already been breached, and retailers are getting antsy about when the solution takes off its training wheels. The payment solution is not at full speed and happens to have the lowest app reviews of all time. To make matters worse, currentC has already enforced its agreement with CVS and Rite-Aid to allow for proper evolution of the payment solution, i.e., you can't leave us until we have had adequate time to work out the kinks. 1/3 of retailers are waiting. Tick tock, tick tock. ApplePay is hot on their heels with 1 million activated credit cards in its first few days, but limited only to iOS users.

QR Codes Vs. NFC

My gushing over Starbucks stems from their success in consistently securing millions of transactions every week. currentC uses a similar technology, so why were they hacked? ApplePay is on the other side of the aisle, using NFC capabilities and tokenizing the payments at the point of transaction. The ApplePay devices are also encrypted, adding another layer of data security. What happened with currentC, and why would their QR code technology be susceptible to a breach?

McAfee Labs broke down the vulnerability of currentC (the MCX-produced app). “We have found that in a group of popular retail apps, such as Costco’s and Walgreens’ apps for Android, when a QR code is scanned using the app’s scanning feature, the app will pull content from the QR code’s URL. (Costco has recently released an updated app in which the QR code-scanning feature has been removed.) These apps are supposed to determine that the URL is from a trusted source. However, unlike browsers that enforce the same-origin policy, the policy validation implemented by these apps can be bypassed with a carefully crafted QR code. Such a QR code can trick the app into pulling malicious code and execute it within the app. Here is a snippet of this research to demonstrate how sensitive user information–such as phone number, SIM card number, and user geolocation–can leak to attackers when the QR code is scanned.”
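To make the McAfee point concrete, here is an added illustration (my own code, not McAfee's research snippet and not any retailer's app code) of a hypothetical QR-code URL check: a naive substring test of the kind that fails, next to an origin check that parses scheme, host and port the way a browser's same-origin policy does. The allowlisted hostnames and the sample QR payloads are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical retail app (assumption, not a real app).
TRUSTED_HOSTS = {"qr.retailer.example", "www.retailer.example"}


def naive_is_trusted(url: str) -> bool:
    """The kind of 'trusted source' test that does not hold up: a substring
    match on the raw string, with no notion of origin at all."""
    return "retailer.example" in url


def is_trusted_origin(url: str) -> bool:
    """Hardened check: parse the URL and require an exact match on scheme,
    hostname and port, the same triple a browser's same-origin check uses.
    Note this only decides whether to fetch; fetched content should still
    never be executed inside the app."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on garbage
    except ValueError:
        return False
    return parts.scheme == "https" and host in TRUSTED_HOSTS and port in (None, 443)


# Constructed sample QR payloads: the first is genuine, the rest are negative
# test cases that a correct validator must reject even though each one
# contains the trusted domain name somewhere in the string.
SAMPLE_QR_URLS = [
    "https://qr.retailer.example/coupon?id=123",          # genuine
    "https://retailer.example.other.example/payload",     # lookalike subdomain
    "https://other.example/?ref=retailer.example",        # trusted name in query
    "https://user@retailer.example@other.example/",       # trusted name in userinfo
    "http://qr.retailer.example/coupon",                  # plaintext HTTP downgrade
]


def compare_checks(urls):
    """Return (url, naive_verdict, hardened_verdict) for each candidate."""
    return [(u, naive_is_trusted(u), is_trusted_origin(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in compare_checks(SAMPLE_QR_URLS):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The naive check accepts all five payloads; the origin check accepts only the first.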

At a high level, Starbucks and ApplePay have done a better job of creating a secure architecture for mobile transactions. Android has surpassed iOS as the largest mobile operating system, and there is no ApplePay for Android. All non-iOS users will be utilizing some other mobile solution, and currentC certainly has a massive opportunity to dominate the mobile payment space. First, they had better figure out how to secure their transactions.

Customers Need Security At The Point Of Transaction

Consumer authentication is more than just a username and password. RSA reports that 62% of consumers are not comfortable with websites that require only a username and password to gain entry. 100% of consumers should be uncomfortable with traditional logins that have no additional consumer authentication and/or tokenization behind them. The extra time caused by the authentication is negligible to a consumer. Heck, the majority of consumers even admitted to regularly changing their passwords to avoid a breach.

I was reading a recent article from Dark Reading where the CEO of a retailer was quoted as saying, “Why us? We aren’t a bank.” If that is your take on the state of data security, then I suggest grabbing your ball and going home. Cyber thieves don’t create new algorithms and malware for kicks. They want your money, plain and simple. They will probe every risk point in your data environment looking for a way in. Data breaches are a matter of when, not if. Get prepared and understand that.

Tokenize. Tokenize. Tokenize.

Not all tokenization solutions are the same, but there are a lot of companies jumping on the bandwagon. True tokenization is meant to push the boundaries of your compliance scope as far out as they can go. Tokenization happens at the point of transaction, and only one token value can be held. All mobile transactions can be tokenized at the point of transaction, and that is the most important takeaway from all of this. Removing the toxic data from your environment immediately lowers PCI compliance burden and the risk of losing valuable customer data. Let’s say you do get breached; then the cyber-thief has a meaningless value like a token. That’s a whole lot better than your best customer’s payment information. Find out more at to learn how we have been tokenizing sensitive data environments for half a decade. Follow us on Twitter and LinkedIn.
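As an added example of the point-of-transaction tokenization described above (my own toy code, not the vendor's product or any real vault), the PAN is swapped for a random token the moment it is captured, the merchant record keeps only the token, and a breach-impact check confirms no card number survives in what the merchant stores. The vault, the token format and the sample card number are constructed; the "one token per card" rule is my reading of the "only one token value" statement.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before anything reaches the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault at the point of transaction. Tokens are random,
    so nothing about the PAN can be derived from a leaked token."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}   # one token per PAN (assumed rule)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("rejected: not a well-formed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"  # last four kept for receipts
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (outside the merchant's CDE) can map back."""
        return self._pan_by_token[token]


def capture_transaction(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant environment gets to keep: a token, never the PAN."""
    return {"token": vault.tokenize(pan), "amount_cents": amount_cents}


def record_contains_pan(record: dict) -> bool:
    """Breach-impact check: does any stored value still look like a card number?"""
    return any(re.fullmatch(r"\d{13,19}", str(v)) for v in record.values())
```

Run `capture_transaction(TokenVault(), "4111111111111111", 1999)` (a constructed test PAN) and `record_contains_pan` on the result returns False, whereas the same check on the raw PAN returns True.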
