3 min read

Retail sector open for security VARs

According to research, about 20 per cent of retailers still use disk and file encryption software

Canadian retail executives believe online and Internet transaction processing will have highest area of projected IT growth in the industry over the next 12 months, according to a recent survey.But the poll, conducted by Ipsos-Reid on behalf of several point-of-sale resellers and ISVs, also revealed that Canadian retailers lag in IT security.
Eighty-seven per cent of the 500 respondents identified user names and passwords as their leading form of online security, although more sophisticated security methods are available.
The study also found only 20 per cent of retailers use disk and file encryption software, just 18 per cent use indentity management software and 14 per cent employ managed public key infrastructure (MPKI) and digital certificate authority systems.
Riza Chui, product manager for Toronto-based Soltrus Inc. — one of the companies that commissioned the survey — said retailers need to know more about protecting the personal information of customers. And if they don’t upgrade their IT security measures, the consequences could be catastrophic.
“They have a lot of information that criminals or malicious hackers want,” she said.
“Retailers have been very cognicent of physical security, but there might be a disconnect between IT security, or data security, and what the users know about it.”
Chui cited a few recent high profile cases of credit card theft in the U.S. to highlight the vulnerabilities retailers now face.
The most notable was a security breach at Polo/Ralph Lauren in which 180,000 holders of General Motors-branded MasterCards were advised to cancel their cards because their transaction data had been compromised. Security breaches at LexisNexis, Bank of America and shoe retailer DSW also grabbed headlines this year.
As Canadian retailers seek to upgrade IT security a wealth of opportunities are presenting themselves for vendors, resellers and ISVs, Chui said.
Among the emerging opportunities, Chui said, is Managed PKI, a VeriSign solution that allows encrypted messages to be sent from one party to another.
Another opportunity can be found in newly announced data security standards for the payment card industry (PCI).
The PCI standard, adopted in December 2004, is an alignment of Visa’s Cardholder Information Security Program (CISP), MasterCard’s Site Data Protection (SDP), and Discover’s Information Security and Compliance (DISC).

Detailed principles
The basic principles of PCI include implementing firewalls, keeping security patches up to date, protecting stored card/cardholder data, encrypting data across a public network, advanced password management, and comprehensive audit trails.
Steve Walker, product manager of store solutions for Toronto’s Triversity Inc., a provider of retail IT solutions, said it has put a number of new enhancements into its product in order to make their clients PCI compliant.
“One of the things required is password management,” explained Walker. “We now have it that you can specify if passwords have to be numeric or alpha, or alpha-numeric, certain lengths, passwords expiring after a certain amount of time, locking out a user if they try to log into the system a certain amount of times — things like that.”
Walker also said Triversity has added Triple DES encryption to encrypt all of its data, which is recognized as an acceptable PCI standard.
While retailers have to protect themselves from online hackers, many are also opting for greater physical security at the point of sale. The demand for biometric (fingerprint) technology is increasing among retailers, creating new opportunities for service providers.
Joe Caporella is president of Escada Canada, a high-end women’s fashion retailer with seven stores across Canada. He was reluctant to introduce the biometrics component of his company’s point-of-sale solution when it was first implemented a little over a year ago.
However, he’s now ready to activate the technology, which will require employees to scan their fingerprints before the cash register opens.

Held back
“We decided not to use it when we first implemented the system,” Escada said.
“The only reason was I didn’t want to be too intrusive to the staff. I wanted the staff to embrace the software and not be afraid of an infringement of privacy. Now that they’ve been using it (the new system) for a year and a bit, I’m putting it in.”
The Escada POS solution was built by Montreal-based Raymark using a Microsoft .NET. His decision to activate the biometic aspect of his POS solution, Caporella admits, is driven by his desire to be as secure as possible.
“It becomes a business practice issue more than a technology issue, in my opinion,” he said. “If we decide to turn off all the security features, then big deal about security if we don’t use it.”
Beyond the physical implementation of security solutions, Soltrus’ Chui thinks resellers must teach customers about sound IT practices.
“Retailers really need to educate their employees in understanding that IT networks, IT systems, data networks, have to be looked upon in the same way as securing their physical stores, like locking the store door at night or monitoring warehouse operations, or just closing down the cash register,” she said.