First, people tend to interpret surveys in a much too generous manner. Is the surveyed person saying what they want or what they're likely to get? Or—please forgive the cynicism—they will often give as answers the results they want their bosses to read in the final report.
Let's set all of that aside for the moment and assume that the results are actually going to happen. (Even IHL President Greg Buzek said the results were about twice as high as what he expected.) Are retailers ready for a flood of these devices in the hands of associates?
"I have some concerns that retailers haven't thought through the security impacts of these tablets. Everything in PCI has been focused on the payment device, tokenization and end-to-end encryption. How does that play out in a world with all these touchpoints?" Buzek asked. "Everyone wants to emulate the Apple Store, but not everyone can ignore the legacy issues."
The IHL Report should serve as a massive heads-up. Here are just a few terrifying thoughts to chew on:
You're placing into associate hands a machine that is entirely customizable. It can download thousands of independent applications, with a lot more coming. These are untested and certainly unsecured. The only thing they are not is underpowered. OK, they're also probably not being monitored or managed in any meaningful way.
This goes way beyond viruses or worms piggybacking on a game. We're talking about applications that could specifically be designed to break into your system, once you have kindly granted them POS and other internal accesses.
Let's be nice and pretend that none of your associates would try to take advantage of you this way. Wireless is intended to be the ultimate customer-service boost, right? On that optimistic note, what happens if, at any of your locations, roofs, walls, thunderstorms and 50 other things interfere with your wireless signal? Is wireless access a great value-add, or is the new system being built to only function when there's a strong signal?
When the signal does work, are there plans to secure the devices? Assuming there are such security plans, can they be undone by store associates with accomplices?
Years ago, there were fancied-up dumb terminals called X-Terminals. Their chief asset? IT was confident that no employees could do a darn thing with them other than perform their jobs. Customization and personalization are great, unless you're in charge of IT security.
Mobile payment will be a huge bright spot for retail technology—in about five years. Until then, the streets will be littered with the fired bodies of thousands of IT pioneers who championed mobile payments back in 2011.
PCI has barely come to grips with wireless and has officially chosen to not decide on mobile payment, leaving such validation for others. That hasn't stopped vendors from announcing mobile payment applications galore, though.
How confident are you that card data isn't being stored, given the iPhone's tendency to remember just about anything it wants? Even PayPal's iPhone team got hit.
It's not merely an issue of the machine retaining the data. It needs to transmit the data for approval. And once approved, issue a receipt. Will the machine retain receipt copies? How aggressively have you tested this in the field? Have you conducted some of those tests under the watchful—and CYA-oriented—eye of your QSA?
The very nature of payments is dangerous. We have more retailers planning to use the newest and least tested hardware with live payment processing? Why not do it on something comparatively safe and well-tested, such as an Android smartphone?