It’s important in all industries to have strong cyber security that is cost efficient to the organisation and provides frictionless user experience. Working with identity and authentication in retail however has some striking differences from that of other industries. In addition to being subject to compliance requirements like PCI, the retail industry has unique challenges as a result of having to manage hundreds to thousands of locations across the globe. Some examples include:
Speed at the till
Applications requiring strong authentication cannot be hindered by time intensive steps. Especially when retailers are checking customers out during a holiday or sale rush it’s critical that no one leaves the store due to long lines.
Many retailers have a collection of home grown and commercial applications they have acquired over time. This creates a burden when accessing the different applications because users have an opportunity to forget not only one password but sometimes three, four, or more.
The cloud age has made applications available from almost anywhere. However, many retailers need tight control over where their employees are accessing these. If workers are using company applications from home off the clock, they could expose the retailer to liabilities for payment.
Online security and PCI
Many retailers not only have the challenge of protecting employee identities but consumer identities as well. Storing credit card information in consumer profiles makes life a lot easier for consumers but it also attracts bad guys.
There are several strategies retailers should look to employ when addressing these challenges. Utilising a flexible access control platform to help prevent the misuse of stolen credentials while eliminating costly inefficiencies and providing a good user experience is highly recommended. Approaches retailers have deployed include:
Strong authentication that doesn’t slow users down
Utilising adaptive authentication, where a combination of methods and factors of authentication are chosen according to each users risk profile and historical use, as well as device recognition, provides a great combination of security and user experience. This is particularly useful in a high pace environment to prevent needing to use one-time passcode (OTP), a unique or pre-registered piece of information that proves who you are, as users simply cannot endure the constant disruption to access equipment. It’s essential for retailers to choose an authentication vendor that provides flexibility, in order to meet such unique use cases; for instance many retailers clear the browser used on the POS each time it’s closed, creating a challenge if using cookies for device recognition. Flexible vendors will be able to perform device recognition with or without cookies to fulfil this.
Single Sign-On (SSO) is a huge convenience for users
Many retailers have a collection of applications used by their employees, and many of these applications have the ability to be centralised. Federating legacy applications allows retailers to standardise on a single identity and allow access to multiple applications without having to provide credentials every time (SSO). Coupled with strong authentication, this is a huge convenience to employees. Many vendors offer tools that allow organisations to do this without performing a complete refactoring of the application. Retailers should also ensure that they have Self-Service password reset functionality that can be used against a multitude of identity stores to reduce the password management nightmare further.
Control access by location to comply with laws
Controlling access by location is another important feature to avoid litigation from labour laws. Allowing administrators different access polices for employees connecting from a trusted network versus connecting over the Internet, enables retailers to ensure that workers can only access applications, even cloud ones, while they are clocked in at the store.
Flexibility to handle employee and consumer scenarios
Business to consumer use cases like ecommerce portals can require a very different set of capabilities than typical business to employee scenarios. Choosing a vendor that has a broad set of capabilities to allow application architects a tremendous amount of flexibility in how they incorporate strong authentication into their apps is essential.
Adapting to new PCI compliance mandates
Authentication is only a part of PCI compliance; however, regulations are set to change soon and require administrators to use two-factor authentication even when connecting to PCI systems from the trusted network. Every retailer must ensure they are on top of all of the latest requirements to protect their business and customers.
Protecting employee and consumer identities with identity and authentication without impacting business is possible and should be harnessed. Retailers have the opportunity to stay one step ahead and ensure all the data they host is kept safe.
Brian Bowden is solutions architect at SecureAuth