Shopping for security: Securing the e-tail market

It is predicted that the online retail industry will be worth £123bn by 2020
Robin Adams, The Logic Group
Barrie Ainsworth, Kiddicare
Andy Morris, Deloitte

The online retail space is becoming an increasingly important one. Although the sector still accounts for only 12% of total retail sales in the UK, it is expected to grow by 110% over the next decade, amounting to £123 billion by 2020.

Last year, as the recession dampened overall sales growth to just over two percent, revenues in the online world jumped by seven times that level, valuing the market at £49.8 billion, according to the ‘e-Retail Sales Index’ published by the Interactive Media In Retail Group (IMRG) and consultancy Capgemini.

Growth in online sales is now being driven by traditional bricks-and-mortar retailers rather than pure-play ecommerce companies (retailers that do not have high street stores) and by more and more non-technical people starting to shop online, making the market more mainstream.

The shift towards a more mainstream market – which admittedly is still dominated by relatively cash-rich, time-poor consumers – has seen a significant boost in the purchasing of more conventional goods, such as clothing and home and garden products, rather than the high-tech gadgets that dominated the sector a decade ago.

Such consumers tend to be relatively sophisticated in terms of awareness of information security and privacy issues, not least due to a series of high-profile data loss incidents that have hit the headlines over recent years.

Over-confidence

Andy Morris, lead partner at Deloitte’s information and technology risk retail group, warns that former over-caution on the part of the public about shopping online may now have shifted to over-confidence.

“The pendulum might almost have swung too far the other way. The degree of confidence may be higher than the reality, as most people who are willing to do online shopping are implicitly expecting a high degree of information security from retailers as well as online banks and government agencies”, he says.

In reality, the security picture among e-tailers is mixed. Statistics from the trade body The UK Cards Association indicate that ‘card-not-present’ fraud – which includes online fraud – fell last year for the first time, dropping 19% to £266 million.

The drop was attributed to a number of factors. These included the provision of CV2 security codes on the back of credit cards and an increase in the use of online fraud prevention tools such as MasterCard ‘SecureCode’ and ‘Verified by Visa’, used by both retailers and cardholders.

Another cause, however, was the growing use of sophisticated fraud screening detection systems employed by both retailers and banks.

Large e-tailers tend to deploy such tools in-house to identify addresses that are commonly used for charge-backs and to run customer and/or velocity checks. The latter involves counting how many times the same credit or debit card details have been used over a given time period in order to spot unusual patterns.
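As an added example (not code from the article, The Logic Group or any vendor it names), the following Python sketch implements the velocity check described above: it counts how often a card has been used inside a sliding time window and how many distinct delivery addresses it has been shipped to, and returns reasons to hold the order when either exceeds a threshold. The card is identified by a keyed hash (HMAC) of the PAN, so the fraud store never holds raw card numbers, in line with the article's later point about not retaining card details. The transactions, thresholds and key are constructed for illustration, and the checker assumes transactions arrive in time order.

```python
"""Sliding-window card velocity check (added illustrative example)."""
from __future__ import annotations

import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical pepper for tokenising PANs; in production this would come
# from a secrets manager or HSM, never a source file.
TOKEN_KEY = b"constructed-example-key"


@dataclass(frozen=True)
class Transaction:
    ts: datetime
    pan: str          # raw card number, used only to derive the token
    amount: float
    ship_addr: str


def card_token(pan: str) -> str:
    """Keyed hash of the PAN so the velocity store holds no card data.

    Spaces and dashes are stripped first so '4111 1111 ...' and
    '4111-1111-...' map to the same token.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()


class VelocityChecker:
    """Flags cards used too often, or shipped to too many addresses, per window."""

    def __init__(self, window: timedelta, max_uses: int, max_addrs: int):
        self.window = window
        self.max_uses = max_uses
        self.max_addrs = max_addrs
        # token -> timestamps of uses inside the window (oldest first)
        self._uses: dict[str, deque] = defaultdict(deque)
        # token -> (timestamp, shipping address) pairs inside the window
        self._addrs: dict[str, deque] = defaultdict(deque)

    def check(self, tx: Transaction) -> list[str]:
        """Record tx and return the reasons it should be held (empty = OK)."""
        tok = card_token(tx.pan)
        cutoff = tx.ts - self.window

        uses = self._uses[tok]
        uses.append(tx.ts)
        while uses and uses[0] < cutoff:      # expire old uses
            uses.popleft()

        addrs = self._addrs[tok]
        addrs.append((tx.ts, tx.ship_addr))
        while addrs and addrs[0][0] < cutoff:  # expire old addresses
            addrs.popleft()

        reasons: list[str] = []
        if len(uses) > self.max_uses:
            reasons.append(f"card used {len(uses)} times in {self.window}")
        distinct = {addr for _, addr in addrs}
        if len(distinct) > self.max_addrs:
            reasons.append(f"card shipped to {len(distinct)} addresses in {self.window}")
        return reasons


def run_sample() -> dict[int, list[str]]:
    """Run the checker over constructed sample orders; returns index -> reasons."""
    base = datetime(2010, 3, 1, 9, 0)
    card_a = "4111 1111 1111 1111"   # constructed test PAN
    card_b = "5555 5555 5555 4444"   # constructed test PAN
    sample = [
        Transaction(base, card_a, 45.0, "1 High St"),
        Transaction(base + timedelta(minutes=5), card_a, 120.0, "1 High St"),
        Transaction(base + timedelta(minutes=9), card_a, 310.0, "7 Park Rd"),
        Transaction(base + timedelta(minutes=12), card_a, 99.0, "22 Mill Ln"),
        Transaction(base + timedelta(hours=3), card_b, 30.0, "9 Bay View"),
    ]
    checker = VelocityChecker(timedelta(hours=1), max_uses=3, max_addrs=2)
    return {i: checker.check(tx) for i, tx in enumerate(sample)}


if __name__ == "__main__":
    for i, reasons in run_sample().items():
        print(i, "OK" if not reasons else "; ".join(reasons))
```

In the sample, the fourth order on the first card trips both rules (four uses and three addresses inside an hour) while the others pass. A real deployment would feed the same check from the payment gateway's callback and combine it with the charge-back address list mentioned above.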

Smaller organisations are increasingly choosing to outsource such activity to third-party fraud detection service providers such as Ethoca, however. As Robin Adams, director of fraud, security and risk management at card processing and electronic fund transfer specialists, The Logic Group, says: “They’re increasingly trying to get rid of the problem. On the one hand, they want to focus on what they’re good at, but the other problem is the cost of compliance.”

The price of non-compliance

Online retailers, for example, are covered by the UK’s version of the European Union’s Distance Selling Directive, which means that they have to abide by specific stipulations relating to cooling-off periods and refund requirements. They must also conform to the Data Protection Act, which covers the protection of personal information.

The most onerous regulation for many has been the Payment Card Industry’s Data Security Standard (PCI DSS). Perhaps unsurprisingly, therefore, a mere 11% of UK organisations have so far been audited and certified as compliant, according to a survey undertaken earlier this year among 100 retail, financial services and hospitality firms by Redshift Research.

Among 57% of the retailers questioned, the problem related to difficulties in understanding what they needed to do to conform to the standard’s requirements. As a result, a worrying 25% were unsure whether they would be able to hit the mandated compliance deadline of September this year.

"If you’re holding six million card details and you’re only using 60 000, you could actually reduce your risk by 90%"
Robin Adams, The Logic Group

Organisations falling under the PCI remit fall into four categories: Level 1, companies that process more than six million transactions per year; Level 2, companies that process between one and six million transactions per year; Level 3, firms that process between 20 000 and one million transactions a year; and Level 4, companies that process fewer than 20 000 transactions a year.

The situation was particularly marked among smaller companies: more than half of Level 4 respondents across all industry sectors were unsure of what conformance involved, whereas every Level 1 company said it was comfortable with the requirements.

One e-tailer that believes it has the situation fully under control, however, is Kiddicare, the privately-owned baby product supplier. The company employs 100 full-time staff and manages about £6 million of inventory each year. It is based in Peterborough, where it also has a bricks-and-mortar store and distribution centre, and its ecommerce website was launched in 1999.

The firm had formerly outsourced its ecommerce system to a third party, under a deal that included managing the website itself, processing credit card transactions, and ensuring PCI compliance. Kiddicare decided to bring the system in-house in 2007, however, as it wanted more flexibility in development terms so that it could respond to changes in the market more quickly.

As a result, the company developed a new system, with PCI requirements in mind, based on ecommerce solutions specialist Salmon’s Application Framework for Ecommerce templates, running on IBM’s WebSphere Commerce application server.

"Ensuring PCI compliance is about peace of mind as much as anything"
Barrie Ainsworth, Kiddicare

After this work was completed, the next step was to take out an annual subscription to Qualys’ software-as-a-service-based QualysGuard Vulnerability Management and Policy Compliance offering. The service was used to scan the firm’s web and application servers, customer databases and firewalls for security issues, before generating a report detailing any issues that needed to be fixed. Following remedial action, the new ecommerce system went live in October 2007.

Barrie Ainsworth, head of IT at the retailer, says: “We had to ensure that the website and anything holding customer details was secure. Any compromises could mean damage to reputation and customers losing faith. Ensuring PCI compliance is about peace of mind as much as anything.”

The organisation has since set QualysGuard to scan for any potential conformance problems on a monthly basis, and the service also undertakes checks each time any element of the infrastructure is changed.

“You have to be methodical and check and double-check everything. PCI is a major part of our security strategy so we need to know that we’re maintaining compliance”, Ainsworth says.

The company does not hold customer credit card information on site, however, preferring to use the Royal Bank of Scotland’s Streamline card processing services. Its website is also hosted by NetBenefit and remote systems monitoring is undertaken by Salmon.

Shortcomings

Although e-tailing is a more ‘technology-heavy’ proposition than other retail channels – meaning that expenditure on information security products and services tends to be higher – Deloitte’s Morris suggests that e-tailers tend to be culturally less mature in security terms than the banking sector, for example.

“Online retailers are now starting to follow the best practice that the banks have already established around the security risks involved in storing customer data”, he says. “They’ve not got the same legacy culture around securing personal and transactional information and are still in the building awareness stage”, he continues. Morris adds that, while not as advanced as banks, online retailers are further along than most other industries.

"Most people who are willing to do online shopping are implicitly expecting a high degree of information security from retailers"
Andy Morris, Deloitte

As a result, he is now starting to see more and more retailers build security demands into their procurement processes, develop more sophisticated staff education programmes and ensure that sales, marketing and customer service staff are all aware of what data can be collected and stored and what cannot.

One of the key shortcomings at the moment, however, relates to the creation of information lifecycle policies – whether they cover credit card details or customer loyalty card data – believes the Logic Group’s Adams.

“One of the biggest holes at the moment is in the area of legacy data. Online retailers tend not to be good at devising data retention and deletion policies, but if you’re holding six million card details and you’re only using 60 000, you could actually reduce your risk by 90%”, he explains.

One of the issues here is simply the “pure volume of information that’s held” and while the situation is starting to improve, “there’s a long way to go to being fully there”, he adds.

Protect your brand by securing operations

But as Andrew McClelland, a director at e-tail membership association the IMRG, points out, the shift from a predominantly technical audience to a non-technical one is putting more and more pressure on e-tailers to protect their brand reputations by ensuring that their operations are secure.

As a result, the organisation, which runs the ‘Internet Shopping Is Safe’ (ISIS) accreditation scheme, is offering a range of online security tools to members in a bid to boost consumer confidence. These include validating that the ISIS logo displayed on members’ websites is genuine, using First Cyber Security’s Solid Authentication service, so that the logo cannot simply be copied onto a phishing site.

Under the ISIS scheme, which was first launched in 2002, an audit is undertaken to certify that members comply with the law and that they conform to a series of best practice requirements, such as having landline-based contact telephone numbers on their websites.

The IMRG now claims to have about 1200 members – the equivalent of two-thirds of the e-tailing market.

As McClelland concludes: “The bottom line to all of this is that it makes commercial sense in order to protect yourself from damage to reputation, brand churn and the like. So what it’s really about is enabling customers to shop with confidence, which is of benefit to everyone.”
