Loss Prevention

Keeping the Airwaves Safe

LINUX-based VPN system has NEXCOM running a tight ship

As hand-held wireless technology has improved, so too has the desire of retailers to use these devices to boost sales opportunities, whether by adding temporary sales stations or by increasing the flexibility of existing locations.
But recent discussions about protecting customer privacy and payment information have raised concerns about the security of wireless devices. While most retailers have built strong firewalls around the back-end systems that contain this information and taken aggressive steps to protect information collected by their traditional POS systems, dealing with the data collected and disseminated by the wireless devices has remained a challenge.

For the Navy Exchange Command (NEXCOM), the solution has come in the form of a VPN security software system developed by Columbitech, headquartered in Stockholm, with U.S. operations based in New York.

With 344 stores located on 107 Navy installations around the world, NEXCOM provides merchandise and services to active duty military, retirees, reservists and their families. It needed to develop a secure VPN tunnel to operate between its legacy DOS-based mobile hand-held devices and the wired local area network utilized in its distribution centers and retail stores.

“This allows us to leverage the investment we had already made in the mobile devices while also providing operational functionality with needed wireless security,” says Kean Westcott, senior vice president and chief information officer for NEXCOM.

The Columbitech security system currently is being used on mobile computers in nine retail stores and eight distribution centers and warehouses to meet the requirements of the Payment Card Industry. PCI standards address security issues related to firewall protection, cryptography, user authentication and password management, and two-factor authentication for remote access.

The Columbitech system provides secure wireless access through mutual authentication and encryption of data, which is a requirement of PCI compliance. It also facilitates roaming between networks and the compression of data. The mobile VPN is integrated with the operating system and automatically logs back on to the network if a signal disappears or the mobile computer goes into sleep mode. The suspended session is then recovered, and any data transactions are immediately resumed to save time.

The system has allowed NEXCOM to utilize existing mobile devices to transmit sales data between the stores and warehouses without worrying that such data could be intercepted by outsiders. “We also gained the ability to log the user access to the network,” Westcott says.

Implementation of the system, which includes the analysis, procurement, engineering, testing and deployment stages, took about five months, Westcott says.

Back-office integration
To make the LINUX-based system work, NEXCOM purchased the Columbitech application server and client software, as well as server hardware for each site. Integration with the back-office systems was minimal, Westcott says. “Once the connection was made between the hand-held device and the Columbitech server, the back-office systems were unaware that anything had changed from a network standpoint.”

Columbitech’s system has been licensed on more than 1.5 million devices which, in addition to retail, include defense and manufacturing applications, says president Asa Holmstrom.
Retailers are looking to use laptop computers, smart phones and other wireless devices to complete sales transactions. Such devices allow them to add sales lanes during special promotions or conduct sales in locations where traditional land-based phone lines are not available, such as parking lots.

The technology is also applicable for home sales companies and other retailers that operate outside the traditional land-based transmission environment, Holmstrom says.

In the past, providing for the security of data transmitted on wireless devices “was a concern,” Holmstrom says. “In some cases, retailers simply hoped nothing would happen.”

NEXCOM had previously used some encryption and took some additional security measures, but it found the Columbitech technology to be more secure, Westcott says.

Wireless security essential
“Wireless infrastructure and mobile computer systems are becoming essential for retail business,” Holmstrom says. “The power of these technologies can be translated into instant productivity gains. However, this power may be counterproductive if a company’s wireless security solution is insufficient.”

Another problem for many retailers concerning wireless security, Holmstrom says, is that they frequently use a variety of devices with different forms of encryption and security measures. “You have a variety of applications and systems running at once with many different firewalls. You end up with a Swiss cheese type of security — one with a lot of holes — and you’re really not secure.” Columbitech covers all the devices running over the system.

In addition to securing payment information, many retailers are extending the use of the Columbitech system to securing inventory data, Holmstrom says. Many stores use wireless devices to track inventory, then transmit the data to the back-office systems. “This is often sensitive information and you are leaving a door wide open if you do not secure” it, she says.
