Posts Tagged ‘retail’

Will Target Breach Prompt Retailers to Raise the Security Bar?

January 8th, 2014

Did 2013 have to end with the somber news of a big credit card security breach? But it did! It is reported that 40 million credit cards were compromised in a security breach at stores of the major U.S. retailer Target. This is only a shade second to the earlier TJX breach, in which 45 million credit cards were compromised. (After this blog was published, it was reported that the number of affected accounts in the Target breach is as high as 110 million, which would make it more than double the TJX breach!)

After any breach, and surely after the breach of such dimension, discussion on the data security issues at the retailers escalates. Earlier, the TJX breach resulted in stricter wireless PCI (Payment Card Industry) compliance requirements. The current Target breach can also trigger tightening of the compliance requirements. This breach may also prompt IT, security and compliance managers at major retailers to take a hard look at the information security aspects of the various technologies that they have deployed. Add to it the fact that retailers are aggressively deploying mobile and wireless technologies like POS, kiosks and tablets in stores. What are some of the core issues they should be looking at?

Don’t be content with “compliance”, demand “security”!

Retailers in these types of breaches often pass the security audits like PCI with flying colors. That exposes the harsh reality that security is distinct from compliance. 2014 is the year of the world cup soccer (football). So let us use soccer analogy to understand this distinction.

When you are defending a free kick in soccer, you make a wall and your goalkeeper is on alert to block the ball that could go through or around the wall. No soccer team would be comfortable with a sole reliance on the wall and allowing the goalkeeper a break during the free kick. The wall is like “compliance” – it’s one line of defense.

Retailers work hard to get check marks from auditors on their PCI compliance. Vendor marketing does a good job of selling features that help get those coveted check marks. Compliance does help improve the security posture, but is it adequate? Every now and then, this line of defense is breached and if the goalkeeper isn’t standing behind the wall, you are toast! However, if you demand security in addition to the compliance check marks, you can build that inner line of defense.

How will you know if you have the inner line of defense or not?

That is a hard question. One way to answer it is that whether you have it or not depends on the compliance solution you have chosen. If you are using a solution which has compliance reporting bolted on to meet the compliance standard in letter, you probably lack the inner line of defense. On the other hand, if your solution offers PCI compliance as a natural outcome of the strong security fundamentals, you automatically get the inner line of defense.

I can testify to this dichotomy from my experiences with the wireless PCI compliance standard and solutions that are touted to facilitate meeting that standard. Many Wi-Fi vendors have come up with bolt-on WIPS (Wireless Intrusion Prevention System) features with check mark PCI reporting. The real question to ask is: While these systems generate PCI reports in letter and may please your auditor, will they pass the security scrutiny in spirit? So, what are some of the questions you should be asking when scrutinizing the wireless PCI solution to ensure that you are getting the security in addition to the compliance?

  • How much of the security information that the PCI report contains is based on actual scanning of the environment? I have seen many PCI reports based mostly or even entirely on Q&A type documentation, or on PASS/FAIL check marks derived merely from what feature configuration is enabled in the system. That is a fail on security.
  • Is threat scanning 24×7 or is it only occasional spot scanning? PCI does not require 24×7 scanning. It only requires quarterly scanning, but didn’t we just say that we are not interested in mere PCI check marks and that we want security? Notably, the entire Target breach occurred over only 3 weeks – that is a much shorter period than a quarter!
  • Does the scan merely throw raw data at you or does it filter out genuine threats so you can actually act to mitigate them? All too often, I have seen wireless PCI reports simply document all APs seen across all locations to satisfy the so called rogue AP scanning requirement. So, if the report shows 10,000 APs found in the scan of 100 remote retail locations or 100,000 APs found across 1000 remote retail locations, how in the world are you going to distinguish threat posing APs from this list? If you can’t, this report will meet the PCI clause in letter, but fail miserably on improving the security posture.
  • Is the solution capable of detecting all types of vulnerabilities? For example, can it identify various types of rogue APs? If it only can identify a few types of rogues (such as rogues with correlation between their wired and wireless MAC addresses – so called MAC adjacency), how can you trust that report since there could be unidentified rogue APs connected to your CDE (Cardholder Data Environment) among the large number of APs detected during the scan?
  • Is the solution capable of automatically containing the identified vulnerabilities? Although automatic mitigation is not a PCI requirement, in large nationwide deployments, automatic containment is a requirement for security. Automatic containment reduces the window of vulnerability. Moreover, automatic containment has to occur without false alarms, which can disrupt your and your neighbors’ legitimate operations.
  • Is the solution certified against security standards other than PCI? Again, this is not a PCI requirement, but it meets the litmus test of strong security fundamentals of the solution.
  • Is the solution capable of full security operation at the store level without critical dependence on WAN links?
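The triage these questions ask about, as an added example that is not part of the original post or any vendor's product: it sorts a scan into authorized APs, rogues tied to the CDE by MAC adjacency, and unresolved APs, and shows a CDE-connected rogue that adjacency alone leaves unresolved. The MAC addresses, SSIDs, site name, the `wired_to_cde` ground-truth label and the adjacency window of 8 are assumptions constructed for illustration.

```python
# Added example: triage a wireless scan using an AP inventory plus MAC adjacency.
# Every MAC, SSID and site name here is constructed sample data.

def mac_to_int(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff (or dash-separated) to an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def is_mac_adjacent(bssid: str, wired_macs, window: int = 8) -> bool:
    """True if the BSSID is numerically within `window` of a wired-side MAC."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(w)) <= window for w in wired_macs)

def triage(scan, authorized_bssids, cde_wired_macs, window: int = 8):
    """Sort scanned APs into three buckets instead of one raw list."""
    authorized = {m.lower() for m in authorized_bssids}
    buckets = {"authorized": [], "rogue_on_cde": [], "unresolved": []}
    for ap in scan:
        bssid = ap["bssid"].lower()
        if bssid in authorized:
            buckets["authorized"].append(ap)
        elif is_mac_adjacent(bssid, cde_wired_macs, window):
            # Wireless MAC sits next to a MAC learned on a CDE switch port.
            buckets["rogue_on_cde"].append(ap)
        else:
            # Adjacency says nothing here: may be a neighbor's AP or a
            # rogue whose wired and wireless MACs are unrelated.
            buckets["unresolved"].append(ap)
    return buckets

def missed_rogues(buckets):
    """APs left unresolved although the constructed ground truth says they
    are wired into the CDE. A real scan has no such label; it exists only
    to expose the blind spot of adjacency-only detection."""
    return [ap["bssid"] for ap in buckets["unresolved"] if ap["wired_to_cde"]]

# Constructed inventory of sanctioned APs.
AUTHORIZED = {"02:aa:00:00:10:01"}

# Constructed MACs learned on CDE switch ports (e.g. from a CAM table).
CDE_WIRED_MACS = ["02:aa:00:00:10:00", "02:bb:00:00:20:30", "02:ee:00:00:02:03"]

# Constructed scan of one store.
SCAN = [
    {"site": "store-017", "ssid": "corp-pos", "bssid": "02:aa:00:00:10:01",
     "wired_to_cde": True},
    {"site": "store-017", "ssid": "linksys", "bssid": "02:bb:00:00:20:31",
     "wired_to_cde": True},    # wired MAC ...20:30, adjacent
    {"site": "store-017", "ssid": "CoffeeShopGuest", "bssid": "02:cc:00:00:01:9c",
     "wired_to_cde": False},   # neighbor's AP
    {"site": "store-017", "ssid": "printer-setup", "bssid": "02:dd:00:00:44:10",
     "wired_to_cde": True},    # wired MAC 02:ee:..., not adjacent
]

if __name__ == "__main__":
    result = triage(SCAN, AUTHORIZED, CDE_WIRED_MACS)
    for name, aps in result.items():
        print(name, [ap["bssid"] for ap in aps])
    print("rogues missed by adjacency alone:", missed_rogues(result))
```

The `unresolved` bucket is the part of a report that still needs another test of wired connectivity before any AP in it can be called external.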

Does security have to cost more than compliance?

Again, the answer depends on the compliance solution you have chosen. If the solution has PCI compliance reporting bolted on to check against clauses in the standard, you will probably have to add security on top of it, paying considerably more from a total cost of ownership perspective or continue to carry the risk of a breach. On the other hand, if the solution offers PCI compliance as a natural outcome of the strong security fundamentals, you can get security without the extra effort or cost.

With AirTight, there isn’t a chasm between compliance and security

AirTight provides a wireless PCI compliance solution that also meets the critical security criteria. Central to AirTight’s solution is its best in class wireless intrusion prevention engine, the only one today to earn the highest industry ranking. It excels both in the depth of security and the ease of use at the same time – due to core innovations and patented technology. So with this PCI solution, retailers can enjoy the same level of security that financials, governments and defense organizations demand without the additional complexity and cost.

In order to simplify deployment and management across 100s or 100,000s of locations, AirTight provides a cloud-managed PCI solution with its plug & play APs/scanners in stores and a centralized management console in the cloud. In fact, it was the first to launch such a solution when wireless scanning was added to the PCI standard after the TJX breach.

24×7 wireless PCI scanning and WIPS are an intrinsic part of AirTight’s Secure Wi-Fi offering and are provided at no extra licensing cost. AirTight also offers a pure OPEX pricing model for its solution to further alleviate the cost burden. Moreover, retailers can also leverage AirTight’s social Wi-Fi and business analytics built into its retail Wi-Fi offering to increase brand following, recruit into brand loyalty programs and offer secure guest Wi-Fi services in stores. It can’t get better than that!

Wishing you a happy and SECURE 2014!

Upcoming events

Meet AirTight at NRF14 on Jan 13-14 and at ACTS event on Jan 15.

Tune in to AirTight’s technology sessions at WFD6.


Best practices, Compliance, PCI, Retail, Wireless security

The Holy Grail of Retail

January 2nd, 2014

In the retail market, the current Holy Grail is to unify the online and in-store shopping experiences (sometimes called ‘omni-channel’ retailing) such that the customer has a personalized shopping experience that promotes brand loyalty. The customer experience should be enjoyable and personalized, with available contextually relevant and timely information that makes interacting with the retailer effortless and transparent.

Technology Is Here
Will every salesperson know your name in the not so distant future?

The technology now exists to enable such capabilities, and retailers can drive a new generation of brand awareness and loyalty programs. The new focus will be on growing the business while leaving behind the worries of showrooming and shrinking margins.

Since the technology is here, why then isn’t every major retailer making a move toward the Holy Grail at a break-neck pace? Why can’t I walk into my local electronics store, expecting this guy to walk up to me with an iPad, and…

“Hi, I’m Jason. Welcome to Electro’s! Glad you’re here again, Mr Thompson.”

“Hi Jason. How did you… Uh, nevermind. Nice iPad.”

“Thanks. Company issue device. Your phone told me… neat, huh? So, how may I help you today?”


“Oh, sorry. Allow me to explain. Our wireless system identified your phone by its MAC address, which is tied to our loyalty program, which you enrolled in last year. Our CRM system told my iPad that you entered the store. Since my iPad and your iPhone are obviously acquainted, is it OK if I call you Fred? Great, thanks. So Fred, if I were to mention that we have the Riad Wireless BL2009 802.11ac USB 3.0 adapter that’s in your Electro Online Wish List available here in the store, would that interest you today?”

“Well Jason, let me think about that for a second…. uh YES! How cool is THAT?”

“I kind of thought you might like that. I’ll have it pulled out of stock and taken to register 7 for you so that you can continue shopping. Is there anything else that I can help you with today?”

“Actually, yes. Do you have any more of those BL2009 units in stock here at this store?”

“Sure. We have three more. We correlated your Wish List with that of hundreds of others in the area and decided that it would probably be a good idea to stock a few of them just in case. I guess that turned out to be a good idea.”

“Fantastic. I’ll log into your guest Wi-Fi and let my peeps know that Electro has three more units. I bet they’ll be sold by the end of the day. They’re really in demand among my friends. Thanks for your help Jason.”

Wait… wait… wait… No! Not reality! Oh well… now that we’re back, where were we? Ah yes, that break-neck pace discussion. Is anyone else seeing retailers reaching any semblance of the Holy Grail yet? Are you having out-of-this-world, converged retail experiences yet? If not, have you considered why?

Where’s That Business Model Redesign?

When I walk into any kind of retailer, whether big-box discounters, restaurants or QSR, department stores, supermarkets, warehouse retailers, specialty shops, convenience stores, or any other, I’m just not seeing very much forward momentum. Jeff Roster, Gartner’s retail practice lead, said in a recent webinar that the retail industry would require “Business Model Redesign” due to the impact of Gartner’s “Nexus of Forces” (essentially the SMAC concept that AirTight talks so much about). I guess that business model redesign process is going more slowly than hoped-for with most retailers… What do you think?

  • Perhaps “break-neck pace” is relative, and my expectations are ridiculous?
  • Could it be lack of funding in the retail sector?
  • Maybe it could be a shortage of technical expertise among retailers?
  • A lack of motivation perchance? (e.g. they’re making lots of money with no competition)

No. I wouldn’t guess that it’s any of these reasons. Where I think the problem lies is with 1) operational implementation, and 2) organizational unity. You know what they say, “If it were easy, everyone would do it.”

In part 2 of this post I will discuss the operational implementation and organizational unity in greater detail. Stay tuned!

Image via Wikimedia Commons

Retail, WiFi Access

Attention Retail Marketers: In-Store Shoppers are Changing. Are You?

May 16th, 2013

To say that mobile technology is impacting brick-and-mortar retail is akin to proclaiming at the turn of the last century that the motorcar just might change the horse-drawn carriage business. Shoppers today are empowered by technology to gain the advantage at every turn, whether it’s using a smartphone to find the best price for the same product online, locate out-of-stock sizes or colors in the store next door, or learn what their friends or other customers had to say about a product before they buy.


Retailers have two choices.


They can pretend this isn’t happening and actively try to discourage these new consumer behaviors, like not offering in-store Wi-Fi for fear of increased showrooming (see Free Wi-Fi is a Win-Win for Retail Marketers and Customers ). Or, they can listen to their customers and do everything in their power to meet their changing needs and expectations.


So what do these empowered consumers want?


According to the recent IBM study, From Transactions to Relationships: connecting with a transitioning shopper, what they want is a personalized in-store experience that not only mirrors the experience they get with online shopping, but is seamlessly integrated with their on- and offline shopping habits, preferences and history.


“Consumers are increasingly gravitating toward shopping experiences that allow them to be served according to their individual preferences,” states the report written by Kali Klena and Jill Puleri.


They then go on to outline the three key factors that retailers must address in order to capitalize on the changing behavior of the transitional consumer:


1.   Store dominance decreases in an omnichannel world


“The long-standing center of retail commerce, the brick and mortar store, is rapidly losing its appeal as customers turn to convenient online channels for their purchases.” This is not to say that the physical store will soon be going the way of the horse and buggy. While e-commerce is a legitimate threat to physical retail, it still represents only a tiny fraction of the overall retail market — 5.4% of total revenue to be exact.

No, the real threat to brick and mortar is decreasing customer loyalty in a world rich with choices, literally at the consumers’ fingertips. According to the IBM study, while 84 percent of respondents made their most recent non-grocery purchase in-store, only 56 percent said they were sure to return to the store for their next purchase.


2.   The impact of showrooming


Showroomers—those who use mobile devices in-store to research and often purchase lower-priced items online—may be a small (but growing) segment of the consumer population, according to the IBM study, but they have a grievous impact on in-store revenue. Showroomers made nearly half of all online purchases in the retail categories covered by the IBM study. Most chilling: twenty-five percent said they initially planned to buy in-store, and 65 percent plan to buy online for their next purchase.

showrooming figure 4 from IBM Retail Report


3.   Consumers desire more meaningful retail connection points


In this burgeoning world of location tracking, web, retail and social Wi-Fi analytics, one might think that consumers would be overly sensitive to a loss of privacy. On the contrary, they want retailers to know even more about them and their buying preferences. In fact, the IBM study states that

“the majority of shoppers were willing to contribute 20 minutes on average to help a retailer better understand their desires in order to provide them with more meaningful offers based on their past purchases.”

The key is to make sure you are using the data you collect to treat customers like individuals, not as a market segment, by providing personalized offers, tips and information.


What to do about it


The IBM study provides many more insights and next steps for retailers, and we highly recommend you read it. One tip that we at AirTight Networks agree with wholeheartedly:


“Technology will play a key role in helping retailers use this trend to boost loyalty and sales. As retailers start to offer customers free Wi-Fi access in their stores, they will have the opportunity to engage with customers while they are browsing the displays, by branding their Wi-Fi to drive shoppers to their own websites and services. And if customers give permission for their location to be tracked via their smartphone as they sign on to the Wi-Fi network, retailers can use analytics to make sense of this data and provide shoppers with personalized deals to drive conversion.”


Parting Thought


If you’re still worried about embracing the very technology that is threatening your business, I leave you with the story of William Durant, co-founder of General Motors and Chevrolet. Initially, he was highly skeptical of the gas-powered “horseless carriage,” thinking them so dangerous he wouldn’t allow his daughter to ride in one. He wasn’t alone. By 1900, there was an enormous public outcry for safety regulations. Rather than wait for the government to intercede, Durant embarked on a mission to build the safer machines consumers were demanding. He succeeded by listening to transitioning consumer expectations and embraced technical innovation head on. (For the record, prior to the revolution he helped bring about, his Durant-Dort Carriage company was the leading producer of horse-drawn buggies in the world.)


Best practices, smartphones, WiFi Access, Wireless security

To shop or not to shop, in-store Wi-Fi is the answer to that question

April 22nd, 2013


Did you know that 80% of mobile consumers are influenced by in-store Wi-Fi as a factor in deciding where they shop?


By Lina Arseneault

In early 2013, IDC issued the updated version of its IDC Retail Insights report outlining the top 10 predictions for the world-wide retail industry.  One of the report’s authors is retail research director Leslie Hand.  She and I recently met at IDC’s Directions annual conference in Silicon Valley to discuss the recently published report.


Most of our discussion centered on the first four predictions from IDC’s top 10 predictions list.

IDC Retail Insights 2013 TOP 10 Predictions

  1. Omnichannel Retail Maturity Will Move from Foundation to Convergence and from Precision to Immersion
  2. Retailers’ Omnichannel Objectives Will Require Platform and Architecture Investments
  3. Retailers Will Invest in Customer Analytics, Merchandizing, and Marketing Technologies to Curate Commerce and Contextualize Communications
  4. Retailers Will Pivot Merchandizing and Marketing on Customer Analytics to Drive Revenue and Profit, Relevance and Reciprocity Being the Watchwords



RSR Research and AirTight Discuss the Benefits of In-store Wi-Fi

Webinar: Wi-Fi as a Competitive Retail Advantage | Date: April 30, 2013 | Time: 11 AM Pacific


Leslie and I agreed that consumers are forcing retailers to act faster than they traditionally have and that this type of pressure is only likely to increase.  Digital and physical interactions are increasingly intertwined and consumers are demanding that retailers engage with them on these terms.

Retailers are realizing that knowing more about their shoppers can be the key to building relationships and boosting sales.


Retail Motion Infographic


80% of mobile consumers are influenced by in-store Wi-Fi as a factor in deciding where they shop


View our Retail Motion Infographic



Retailers serious about meeting the customer expectations challenge head on can make continuous nurturing refinements based on retail analytics. Savvy retailers will need to make the most of their Wi-Fi networks to not only drive sales but also to build up CRM programs.

Leslie and I rounded out our conversation by touching on AirTight’s experience in working with PinkBerry, the five-year-old Los Angeles-based brand best known for its highly popular handcrafted yogurt bar. Central to the PinkBerry promise is the belief in the power of human connection. Accordingly, the driving force behind PinkBerry’s Wi-Fi deployment was the launch of The Pinkcard, PinkBerry’s loyalty program and mobile app, as well as requests from store customers and owners for Wi-Fi access services. The company exceeded its three-month goals in just one month.

Pinkberry - AirTight case study




Read the PinkBerry case study




I can think of no better way to close out this blog post than by letting (virtual) Leslie Hand touch on the new retail paradigm and the opportunities it presents.

View the YouTube video, Mobility: The New Retail Paradigm by Leslie Hand.


Additional Information:

Note: A version of this blog was originally published as a guest post for the PurpleWifi blog.

PCI, WiFi Access, Wireless security

Forbes – “stores are finally turning to WiFi” but is security lacking

December 14th, 2012

Really interesting article in Forbes by Verne Kopytoff on the reasons retailers have recognized the value of Wi-Fi for their customers and business processes. He notes that after years of resistance, stores have conceded that the shoppers have won the war. They want Wi-Fi and they will use their smartphones to check out deals.

There is no doubt that Wi-Fi has many positive effects on the shopping experience and, I would suggest, those effects outweigh the negatives of comparison shopping online in a store. There is also the obvious benefit of making sales associates more efficient and able to serve more customers faster.  Anyone who has ever gone into an Apple store near Christmas – and really who has not – has experienced just how fast one can get in and out even in a crowd.

However, since retail stores have been late to this party, they need to think about the security implications of adding Wi-Fi and continuing to comply with the PCI DSS wireless scanning requirements. Kopytoff points out that several large retailers added Wi-Fi capabilities just before the holiday season, which is unusual in and of itself since retailers rarely want to disrupt their systems too close to the holidays. In haste, they may have overlooked adding true Wi-Fi security processes to protect credit card data. It will be interesting to see if any problems arise during this season of manic shopping.

smartphones, WiFi Access, Wireless scanning, Wireless security