Visa program streamlines global QR code payment adoption
A new service is helping retailers adhere to newly introduced interoperability standards related to QR code-based payments.
In a move to standardize emerging cashless payments, EMVCo, the global technical body that manages the EMV Specifications, released new global QR Code Payment standards — a move that will allow retailers to process mobile payments made through the two-dimensional machine-readable barcodes. Visa and the other EMVCo members worked to develop these new globally interoperable EMV specifications.
Visa also offers a service that helps merchants accept these emerging digital payments. Called mVisa, the solution allows consumers to pay for goods and services by scanning a QR code on a smartphone or entering a merchant number into their feature phones.
Payment goes directly from the consumer’s Visa account into the merchant’s account, and provides real-time notification to both parties. mVisa is interoperable, meaning that the consumer and the merchant do not need to be customers of the same bank.
Merchants can participate in the program by enrolling in the Visa Ready Program, which has adopted the interoperable QR standards. Once enrolled, merchants can freely accept payments from any country or bank given mVisa’s interoperability. Visa securely and efficiently processes each transaction, the company said.
Visa is already supporting merchant-presented QR technology in 15 countries around the world. India, Kenya and Nigeria are currently live with mVisa across both bank and merchant partners. Specifically, 33 banks and more than 328,000 merchants across India, Kenya and Nigeria have adopted the interoperable standards, accelerating their QR code digital payment programs, according to Visa.
“We’ve already seen tremendous progress towards adoption of standardized, interoperable QR code payment systems in the developing world,” said Sam Shrauger, senior VP, digital products, Visa. “We are working with governments and central banks in countries like India to develop and implement QR code payment solutions that provide the convenience and security, and help the journey toward a cashless future.”
Visa intends to replicate this success in 12 other countries where mVisa has been enabled. This includes Cambodia, Egypt, Ghana, Indonesia, Kazakhstan, Malaysia, Pakistan, Rwanda, Tanzania, Thailand, Uganda and Vietnam.
Study: Majority of retailers feel ‘vulnerable’ to a data breach
While the number of cyber-attacks has declined in the last year, a majority of companies still feel susceptible to data threats.
That is according to the “2017 Thales Data Threat Report, Retail Edition,” from Thales e-Security and analyst firm 451 Research. The study is based on responses from more than 1100 senior security executives from across the globe, including those in the retail segment.
According to the data, 52% of companies experienced a data breach in the past, and 88% fear they are vulnerable to a cyber-attack. Meanwhile, 19% stated they are “very” or “extremely” vulnerable.
On a positive note, U.S. retail data breaches in the past year dropped from 22% in the 2016 survey to 19% this year. This number is lower than any other U.S. vertical polled for the 2017 report, including healthcare (20%), financial services (24%) and the U.S. federal government (34%).
However, U.S. retailers may be failing to learn from past mistakes. More than half (11%) of the 19% that were breached this year had also experienced a breach previously. When looking at global retail, a staggering 43% of global retail respondents reported a breach in the past year alone, approaching twice the global average, the study reported.
“These distressing breach rates serve as stark proof that data on any system can be attacked and compromised,” said Garrett Bekker, principal analyst for information security at 451 Research. “Unfortunately, organizations keep spending on the same security solutions that worked for them in the past, but aren’t necessarily the most effective at stopping modern breaches.”
Seventy-seven percent (77%) of U.S. retail organizations are increasing IT security spending, but are not concentrating spending where it will make the most difference. For example, 88% of respondents selected network security as “very” or “extremely” effective at protecting data from breaches — even as network security fails to keep out attackers and is unable to protect data that is increasingly stored in the cloud.
Spending patterns also indicate a focus on what has worked in the past with the planned spending increases on network (67%) and endpoint (63%) protection. Data-at-rest approaches, which have proven to be effective at protecting the data itself, came in second from last (49%) in terms of retailer security spending priorities.
According to the report, 95% of U.S. retail organizations will use sensitive data in an advanced technology environment (such as cloud, big data, IoT and containers) this year. However, 53% of respondents believe that sensitive data use is happening in these environments without proper security in place.
“It’s encouraging that yearly retail data breach rates have finally started to drop, but rates are still quite high,” said Peter Galvin, VP of strategy, Thales e-Security. “With tremendous sets of detailed customer behavior and personal information in their custody, retailers are a prime target for hackers so should look to invest more in data-centric protection. And as retailers dive head first into new technologies, data security must be a top priority as they continue to pursue their digital transformation.”
To make this transition, organizations are encouraged to:
• deploy security tool sets that offer services-based deployments, platforms and automation;
• discover and classify the location of sensitive data within cloud, SaaS, big data, IoT and container environments; and
• leverage encryption and Bring Your Own Key (BYOK) technologies for all advanced technologies.
The Rush to Deploy the Latest In-Store Technology is Compromising IT Security
Digital transformation is accelerating the pace of change within the store environment. Retailers are under pressure to move quickly to implement the latest in-store capabilities to help separate themselves from the competition and provide a reason for repeat trips to the store. These retailers are blurring the physical and digital worlds to drive deeper customer engagement, loyalty, and emotional connections with a brand.
In practice, this translates to an avalanche of new technology and data analytics tools sweeping into retail outlets large and small. Self-checkout kiosks and mobile point-of-sale devices promise to enhance convenience for customers. In-store Wi-Fi, dressing room tablets, RFID, and augmented reality capabilities aim to enhance engagement and customer service capabilities.
Connected devices that monitor heating and cooling, on-shelf inventory, and interactive digital signage are transforming operations and optimizing the way stores are managed. To the customer, these changes and technology implementations should appear seamless. But to the retailer, adopting these capabilities creates many challenges and represents a radically different way of doing business within the store environment.
The Risk Behind the Reward
Retail is prime for fresh ideas and new approaches; the technologies being introduced in brick-and-mortar locations really do help to elevate the customer experience and create an incentive for shopping offline and driving purchase intent.
At the same time, these new technologies and endpoints in retail environments — mobile devices, SaaS applications, kiosks, IoT, mobile point of sale, and Wi-Fi — offer an expanded attack surface for bad actors to exploit. And, alarmingly, many store networks rely on outdated on-premise hardware models that introduce single points of failure and open the door to vulnerabilities, malware attacks, breaches, and just about every threat the digital age presents.
Omnichannel retail has created complex security architecture for retailers to manage and maintain on their own, leaving traditional defenses outdated and ineffective. This is exacerbated by the fact that many new technologies, particularly IoT devices, have not been designed with security in mind. As a result, many new in-store technologies have increased complexity for IT teams to manage and unruly security environments to tame and control.
Consumer-driven technologies and rising expectations will only continue to accelerate change, forcing retailers to rethink long-term security strategies, adopt agile network security architectures, and replace legacy patchwork solutions that heighten risk. According to The State of Network Security report for 2016-2017 from Forrester, 40% of enterprises are upgrading or planning to implement next-gen firewalls within the next 12 months.
Investing in adaptive security architecture, such as cloud-based firewalls, helps retailers keep pace with the rate of change in the evolving retail landscape. Otherwise, legacy defenses may work against you, creating an environment ripe for compromise.
Bolstering Digital Defenses
Considering how much variety exists in physical retail environments and how many new technologies and endpoints have come into play, there is not a one-size-fits-all approach to security. However, there are specific strategies and considerations that all retailers should focus on as they strive to turn current vulnerabilities into strengths:
1. Be mindful of segmentation. Today’s retail environments are full of dozens of new endpoints, and many are vulnerable to malware infections and exploits that can bring down the entire retail network if not segmented properly. The risk is even greater when seasonal and contract employees are added to the mix — remember that threats arise both internally and externally.
Protecting the retail environment begins with retailers securing access methods to the internet from the physical store, especially for IoT devices and guest Wi-Fi systems. They must also properly segment the IoT subnet from employee, POS, and guest Wi-Fi subnets — with separate policies for the internet — while ensuring that in-store devices have restricted communications with only whitelisted IP addresses. This year, 85% of enterprises plan to introduce IoT devices, but only 10% feel confident in their ability to secure them. Make sure you fall into that minority.
2. Cut down on operational complexity. Moving from on-premises hardware models to the cloud reduces management complexity, especially for retailers that operate large store networks but have strained IT resources and limited budgets. With cloud-based firewalls, updating and refining security policies for the various store subnets across the retail network is streamlined, resulting in simplified and more robust security architectures.
The days of retailers managing and patching anti-malware on individual endpoints across the retail network are over. The time cost is too great, and the risk introduced by a single unpatched endpoint is too high. According to Forrester’s Top Cybersecurity Threats In 2017 report, software vulnerabilities accounted for 42% of external intrusion attack methods in 2016.
3. Don’t stop at PCI compliance. While PCI compliance is a critical part of a retailer’s security strategy, it’s a little like making sure a lock is on the front door, but not guaranteeing the door stays bolted shut. Cybercriminals are constantly uncovering new entry points and vulnerabilities to invade your store network outside of the cardholder data environment, with the aim of stealing sensitive company and customer data.
It’s vital for retailers to focus not only on the prevention of cyberattacks within the retail environment, but also on the detection of suspicious and malicious activity. Retailers should implement supplementary security measures beyond PCI compliance to build layers of defense. Next-gen firewalls that offer intrusion protection and detection, web content filtering, and sandboxing enable retailers to do just that.
4. Prioritize threat intelligence. Because retailers cannot prevent all attacks, actionable threat intelligence is imperative: it alerts retailers when devices and network assets have been compromised and are communicating with unapproved or malicious IP addresses, which could be C2 servers and their botnets. Threat intelligence tooling analyzes network communications for suspicious activity and alerts on policy violations and vulnerabilities.
Gartner predicts that by 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk. What’s more, Gartner also predicts that by 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 30% in 2016. The implications for retailers are clear — the time to act and invest in threat intelligence defenses is now.
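The segmentation rule from point 1 and the alerting on unapproved destinations from point 4 can be checked against the same flow records. The following is an added example, not code from the author or any vendor; the subnets, allowlisted addresses, and flow lines are constructed for illustration, and cross-segment traffic is assumed to be denied by default.

```python
import ipaddress

# Constructed store addressing plan (assumption): one subnet per segment.
SEGMENTS = {
    "pos":   ipaddress.ip_network("10.20.10.0/24"),
    "iot":   ipaddress.ip_network("10.20.20.0/24"),
    "staff": ipaddress.ip_network("10.20.30.0/24"),
    "guest": ipaddress.ip_network("10.20.40.0/24"),
}
# Separate internet policy per segment. A list means "only these destinations";
# None means unrestricted egress. Addresses are documentation-range placeholders.
EGRESS_ALLOW = {
    "pos":   [ipaddress.ip_network("198.51.100.10/32")],  # payment processor
    "iot":   [ipaddress.ip_network("203.0.113.0/28")],    # device vendor cloud
    "staff": None,
    "guest": None,
}

def segment_of(ip):
    """Name of the store segment containing ip, or None if it is external."""
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def check_flow(src, dst):
    """Return None when the flow complies with policy, else a reason string."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_seg, dst_seg = segment_of(s), segment_of(d)
    if src_seg is None:
        return "unknown-source"
    if dst_seg is not None:  # internal traffic: only same-segment is allowed
        return None if dst_seg == src_seg else f"cross-segment:{src_seg}->{dst_seg}"
    allow = EGRESS_ALLOW[src_seg]
    if allow is None or any(d in net for net in allow):
        return None
    return f"egress-not-allowlisted:{src_seg}"

def audit(flow_lines):
    """Parse 'src dst port' lines and return (src, dst, port, reason) alerts."""
    alerts = []
    for line in flow_lines:
        src, dst, port = line.split()
        reason = check_flow(src, dst)
        if reason:
            alerts.append((src, dst, int(port), reason))
    return alerts

# Constructed flow records: "source destination destination-port".
SAMPLE_FLOWS = [
    "10.20.10.5 198.51.100.10 443",   # POS to processor: allowed
    "10.20.20.7 203.0.113.4 8883",    # IoT to vendor cloud: allowed
    "10.20.20.7 192.0.2.66 4444",     # IoT to unapproved address: alert
    "10.20.40.23 10.20.10.5 445",     # guest Wi-Fi reaching POS: alert
    "10.20.30.9 192.0.2.80 443",      # staff browsing: allowed
]
```

Calling `audit(SAMPLE_FLOWS)` returns two alerts: the IoT device contacting an address outside its allowlist, and the guest Wi-Fi client reaching the POS subnet.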
Innovative technologies help retailers differentiate the customer experience and bring the best of online digital engagement into the store environment. Retailers can build robust layers of defense with adaptive security architectures to better prevent and detect threats or exploits. And within a rapidly evolving omnichannel threatscape, that’s a priority everyone can agree on.
Susan McReynolds is retail strategy manager for Level 3 Communications, where she works with customers, analysts, and industry leaders to keep a pulse on the IT trends and challenges facing today’s omnichannel retailers. Before joining Level 3, Susan worked with leading national and global athletic brands to develop custom visual merchandising programs.