What Happens When the Lights Go Out?

Background

Driven by the high-profile data security breaches at global retail brands (Target, Michaels, etc.) over the past 10 years, directors across all retail verticals have elevated data security to a top priority of their organizations.  As a result, maintaining the confidentiality and integrity of PCI, PII, and sensitive corporate data has become a primary focus of retailers’ cybersecurity teams.  While this development is a positive trend in protecting retail brand reputations, other aspects of cybersecurity have received less attention in recent years – one of those being the operational availability and integrity of business-critical systems.

Why It Matters

Traditionally, there has been a significant focus on maintaining these business-critical systems, in part because they were easier to identify and evaluate:

  • Customer- and store-facing applications – such as POS systems and websites – that enable sales and store operations
  • Back-office applications – such as ERP systems – that ensure continuous operations across an organization’s core business processes

As modern organizations have embraced a “lean methodology,” external service providers and automation have become more important components of business operations. This exercise in optimization has blurred the lines between internally and externally managed systems and, as a result, increased the complexity of monitoring and maintaining them – an issue that many organizations have failed to address.

Interruptions and degradations to the availability and integrity of business-critical systems represent significant risks to many, if not most, retailers’ operations:

  • Merchant Acquirer Downtime: For nearly all merchants, electronic payment processing represents the largest method through which product is monetized.  For those merchants that leverage a single merchant acquiring relationship, disruption of service at the merchant acquirer (through a Distributed Denial of Service attack, for example) represents an immediate, critical impact to company cash flow.  Just a few hours of downtime in the ability to process payments can cost merchants millions of dollars in lost sales and even more in brand reputation.
  • Inventory Monitoring Inaccuracies: New Internet of Things (IoT) monitoring devices and the analytics solutions for inventory management behind them allow retailers to optimize and reduce inaccuracies in supply chain management.  This, however, has created a dependency on these solutions to maintain optimal levels of inventory to continue sales operations.  Attacks that interrupt or impede the performance of these devices (botnet software consuming all available compute or network resources, for example) prevent complete, accurate inventory data from arriving at retailers’ home offices.  Decisions then made upon incomplete and/or inaccurate data at scale can cause significant inventory overages or shortages, creating immediate downstream impacts.

While we discuss only these two examples above, there are many more scenarios that represent similar levels of risk within any large merchant.  Acknowledging the risks that the operational integrity and availability of these systems pose is a key first step in charting a path forward to accurately mitigating them.

Where We Go from Here

By no means is this a “doom and gloom” scenario.  Many retailers have acknowledged these gaps and have addressed them accordingly within their cybersecurity strategies and operations.  However, for those that have yet to do so – and even for those retailers who believe they have done so – here are three initial steps that can be taken:

  1. Define a framework by which the business criticality of all current and future IT systems is evaluated. You cannot enhance your cybersecurity strategy to address the issues outlined above without first understanding their full breadth.
  2. Enhance your cybersecurity strategy for (1) identifying and reacting to existing gaps and (2) proactively identifying the business criticality of and building controls to protect the integrity and availability of any new critical system added to your environment. The enhanced cybersecurity strategy should also include best practices for procurement groups when selecting an external vendor(s) to provide business-critical services.
  3. Review and enhance business continuity plans (BCPs) in the event of service interruption or degradation. This should be inclusive of both internally and externally managed critical systems and should integrate with any externally-defined BCPs.

By taking these initial steps, retailers can begin to address some of the key risks that system service interruptions and degradations represent to their organizations.  From there, including these strategies as a pillar of your organization’s larger cybersecurity objectives going forward will allow your organization to effectively mitigate these risks now and in the future.

For further discussion, contact Patrick at ptraycroft@wcapra.com.


Surviving the Next Retail Tech Revolution

How to Avoid Being a Casualty of the Digital Revolution

Many retailers looking to differentiate their brand will tackle the risk of becoming early adopters of new in-store technology. Other retailers will play the more cautious angle of waiting to implement new in-store technology until the difficulties associated with launch are ironed out. Regardless of approach, all organizations are subject to the truth that evolving technology alters the landscape in which they operate.

With the first big wave of online sales environments like Amazon and eBay, we witnessed major retailers begin to close their doors—we think of now-historical examples like Blockbuster or Borders, once market leaders in their respective industries that failed to anticipate, plan for, and react to technological innovation. Learning from the past, it’s now generally accepted that a digital presence is required as a license to operate. However, this does not mean vendors that have gone digital are inherently safe from evolving technologies.

What Will Be the Next Retail Revolution?

For years now, we’ve spoken of omnichannel. We’ve seen elements of omnichannel in practice, but the idea of the complete merging of physical and digital engagement has not come to fruition. Retail is in the process of another revolution—once again, those that cannot properly anticipate, plan for, and react to oncoming technological changes will be left behind.

Digital technology in the physical store offers tremendous advantages to retailers looking to gain insight about their customers and capitalize on engagement. Beyond collecting data, technology allows retailers to further differentiate in-store experiences, creating consumer interactions via touchscreen kiosks, robot assistants and personalized interfaces. Remember “Pokémon Go”? Geo-location allows for customized, time-sensitive offers, letting retailers capitalize on new and engaging applications. New mobile payment solutions allow for a truly frictionless experience, offering consumers the ability to experience and interact with brands as they choose.

Shocks to Employment

Soon, the above-mentioned in-store technological advances will no longer be differentiators—like online sales channels, they will become minimum viable solutions in the competitive retail ecosystem. From a resourcing perspective, these changes, on the surface, all point to the decline of employee resourcing.

Self-checkout has become a dominant force in channels that historically relied on human engagement—convenience stores, tabletop ordering in restaurants, scanning while shopping in large retail stores. Already, an increasing portion of the consumer population has migrated to mobile banking. Millennials in particular have been recognized as a generation that has never handled physical checks, set foot in a bank or interacted with a teller. Every day, millions of working Americans order morning coffees on their smartphones, pay via in-app payment acceptance, and pick up their prepared orders without ever interacting with the coffee shop’s employees.

Across retail spaces, we see trends of faster promised delivery times, necessitating more warehouse space. This increased warehousing leads to fewer physical locations, which, in turn, leads to fewer employees.

Looking Forward in a Changing Retail Ecosystem

On the surface, it’s easy to imagine the sci-fi version of the future in which human resources become obsolete. However, as the physical and digital complete their merge into omnichannel, we can’t forget that human resources cannot be substituted for. Even Amazon, which many would argue acted as the catalyst of the first digital revolution, has perceived enough value in brick-and-mortar to warrant the opening of physical stores.

As we transition into a true omnichannel environment, front-line employees will be the number one determinant of whether consumers engage with in-store technology. These employees will perform essential functions of guiding consumers to the technology, instructing consumers on proper and optimal use, as well as ensuring the technology remains clean, attractive, and functional. Customer service is perhaps more important now than it ever was—as retail technology increases, the barriers for a consumer to migrate to a competitor have all but dissipated. The most successful retailers will be those that find a new need for employees beyond product management or cashier work, those that are able to cultivate an employee culture that can serve as a reliable differentiator as the revolutions continue.

For further discussion, contact Daniel at dkahan@wcapra.com.


ePOS Software Release Testing: How much is enough?

Recently, a customer asked me about the required level of testing to perform for a new build of ePOS software. My response was “It depends on what changes were made.” The response seemed to baffle some in the meeting because of the commonly held belief that every new software build requires a full round of testing. I explained to the customer that most companies avoid wasting dollars and resources by wisely determining what level of testing is needed based on various inputs.

To clarify my position, I explained how testing everything each time a new software build is released would effectively make the new build obsolete before testing is complete. To prove the point, I laid out the scope of testing required to accomplish a full test:

  • All EMV card brand certification scripts
  • All network host test scripts
  • All client test scripts
  • All custom workflow test scripts

Once we built out the timeframes for conducting these tests, it became clear why the answer to the testing question is “it depends on what changes are made.”

But the bigger question is how in-depth testing should be with each iteration of software. In order to make that decision, it is necessary to understand the nature of the delivery being received. Is this code delivery meant to address new functionality (like EMV) or to transition to a new message specification (like ISO 8583), or is it meant to address minor fixes? Understanding the scope of changes and their potential impact is necessary to develop an effective testing strategy. To make matters worse, it is often difficult to decipher exactly what has changed — sometimes changes are documented in formal release notes, other times the documentation for these changes needs to be coaxed out of the dev team.

This is where the knowledge of the Quality Analyst comes into play. The Quality Analyst can lend valuable insight into making decisions around testing strategy and design.  Knowledge of the past performance of the ePOS vendor’s software functionality and of areas where the vendor was “weak” plays into identifying the scope of testing. A deep understanding of the functionality of the ePOS in relation to the changes and enhancements is critical, and it can be used to determine the level of regression testing to perform. For example, if a vendor has historically had issues with functionality related to sending a client-specific mail message, then that should be tested on every build that the vendor provides. This is where the role of the Quality Analyst becomes part science and part art form.

In any case, there must be criteria established in order to identify whether further testing of the build is required. A basic functionality test – sometimes called a smoke test – is used to determine if the software can perform its basic functions. This can include (but is not limited to) performing tests that validate:

  • Acceptance of all supported payment types and entry modes
  • Acceptance at all relevant channels (front counters, kiosks, fuel dispensers, self-checkout lanes, etc.)
  • Ability to download/modify device configurations
  • Accuracy of network and sales reports

If the build fails these basic tests, the software should be rejected.
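The decision logic described above, as an added illustration rather than anything from the author's engagement: the scope of a build's changes and the vendor's known weak areas drive which of the four script families run, undocumented or unrecognised changes fall back to the full test, and a failed smoke test rejects the build before any scoped testing starts. The change categories and the IMPACT mapping are assumptions for the example.

```python
from dataclasses import dataclass, field

# The four script families the article lists as making up a full test.
EMV, HOST, CLIENT, WORKFLOW = ("EMV card brand certification scripts",
    "network host test scripts", "client test scripts", "custom workflow test scripts")
FULL_SUITE = {EMV, HOST, CLIENT, WORKFLOW}

# Assumed mapping (not from the article) from the kind of change a build
# delivers to the script families that change puts at risk.
IMPACT = {
    "emv": {EMV, HOST, CLIENT},           # new EMV functionality
    "host_message_spec": {HOST, CLIENT},  # e.g. transition to ISO 8583
    "client_ui": {CLIENT, WORKFLOW},
    "custom_workflow": {WORKFLOW},
    "minor_fix": set(),                   # smoke test plus targeted regression only
}

@dataclass
class TestPlan:
    suites: set = field(default_factory=set)
    targeted_regression: set = field(default_factory=set)
    rejected: bool = False
    reasons: list = field(default_factory=list)

def plan_tests(change_areas, vendor_weak_areas, release_notes_present=True):
    """Derive test scope from what changed; unknown or undocumented scope
    means the full test, because the impact cannot be bounded."""
    plan = TestPlan()
    if not release_notes_present or not set(change_areas) <= set(IMPACT):
        plan.suites |= FULL_SUITE
        plan.reasons.append("scope of changes unclear: full regression")
        return plan
    for area in change_areas:
        plan.suites |= IMPACT[area]
    # Functionality the vendor has historically got wrong is retested on every build.
    plan.targeted_regression |= set(vendor_weak_areas)
    plan.reasons.append(f"scoped to changes: {sorted(change_areas)}")
    return plan

def apply_smoke_gate(plan, smoke_results):
    """A failed smoke check rejects the build before any scoped testing runs."""
    failed = sorted(name for name, ok in smoke_results.items() if not ok)
    if failed:
        plan.rejected = True
        plan.suites.clear()
        plan.targeted_regression.clear()
        plan.reasons.append(f"rejected at smoke test: {failed}")
    return plan
```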

In the end, it is important to realize that ePOS testing – and for that matter testing of any software – cannot be a canned, one-size-fits-all product. Consideration of the functionality of the software, the scope of changes in the software build, and the track record of the vendor all play a role in the design and decisions of the testing cycle. The decision to limit testing prevents the company from wasting valuable testing resources and provides a more definable approach to ePOS software release management.

To discuss further, contact Bill at bill.woodard@wcapra.com.