Amazon to Open up Payments Gateway?
As Offline Retailers Increase Online Sales, New Risks Arise
Is Amazon India on the verge of extending its online payments gateway to offline sellers and kiranas, the country's mom & pop shops? And if so, what are the potential business implications and security risks for Indian organizations?
According to a report from Times of India, Amazon India is following Amazon founder and CEO Jeff Bezos's strategy to get small offline businesses in India onto the digital platform. The plan, industry sources say, is for Amazon India to rope in offline sellers listing on its price comparison website Junglee.com.
And while Amazon's corporate spokesperson would not confirm this initiative, industry sources described the plan broadly to the Times of India. The goal, sources say, is for Amazon India to broaden its footprint through online and offline sales simultaneously. No specific timeline is attached to the initiative.
In response to the prospect of expanding online payments in a market that has traditionally been averse to them, security leaders offer mixed reviews. While they see business benefits in increasing online payments, experts do not rule out increased risks and security issues. They recommend a good IT governance structure, use of 128-bit SSL, good change management practices and strong user ID and authentication controls.
"Amazon's initiative is good from a business standpoint," says Bangalore-based CN Shashidhar, InfoSec professional and past president of ISACA-Bangalore. "But offline retailers not exposed to best security practices in online transactions on a global platform could throw up challenges."
Currently, according to the Times of India, Amazon offers its payment gateway through Junglee.com only to online sellers, and more than 250 shopping sites are said to be using it. Junglee works as an aggregator for online sellers. Once a customer selects a product on Junglee.com, the customer is either directed to the seller's site (Amazon, in this case) or pays through Junglee's own payment gateway service. The payment request is then sent by the merchant's bank to payment processors that work with Visa, MasterCard and other card brands to authorize the transaction.
Under the current model, offline sellers can put their business listing on the website, but any transaction is conducted solely offline. In the proposed model, offline sellers would be able to put their business listings directly on Amazon's website and transact online.
And while this is a new initiative for Amazon, it is not the first such program in India. Snapdeal.com recently invited offline sellers to transact through its payment gateway, a model no different from the one Amazon is proposing.
K Vaitheeswaran, former CEO of India Plaza and an e-commerce consultant, sees two benefits from Amazon's plan. "A) Amazon will get access to a large base of offline vendors whose items/selection can be made available to online shoppers, and B) It will expand the market by reaching out the digital benefits to merchants who are still fully offline and do not know how to go online."
The Security Implications
When it comes to security risks, experts are not concerned so much about Amazon's security posture. The international retailer is a proven entity. But what about the risks from enabling offline retailers who may not have best security practices?
The challenge, as Shibu Paul, country manager of Array Networks, sees it, is how small offline organizations will prepare to handle the high number of erroneous and questionable orders that arrive in the online space.
"A small kirana shop will not be able to handle many absurd and dubious orders placed online, which would result in security transactional discrepancies," Paul says.
And then there is the challenge of changing consumer habits. Traditionally, Indian consumers order items online, but pay cash on delivery. How does Amazon India lead small businesses and their customers to online payments?
Assuming that Amazon puts a stringent secure-transaction mechanism in place, such as a two-factor authentication process at registration on payments.amazon.com, security experts say the model would bolster online business.
Array's Paul believes that the business benefits can outweigh the security risks if Amazon ensures that transactions and communication take place over encrypted channels, so that the data remains protected in transit.
Best Practices Recommended
Although Amazon's initiative is generally received as a positive move, experts argue that strong security practices are imperative to avoid costly breaches. Since many smaller organizations may be looking only at the perceived business benefits, these security concerns must be communicated to them, experts say.
Maintains Vaitheeswaran, "To ensure security levels are maintained, Amazon can offer the highest possible security level of 128-bit SSL."
Shashidhar recommends that Amazon adopt improved security measures such as micro encryption, micro tokenization and randomization to ensure data security.
"Amazon should have an updated security policy, a strong IT governance structure with a good defence mechanism built into the IT architecture, combined with robust change management practices along with a strong User ID and authentication mechanism," says Shashidhar.
An effective security posture, says Paul, would be using the most upgraded encryption systems such as AES 2048 bit encryption standards. "Regular audits, awareness training and deploying mechanisms for non-repudiation services are imperative," reiterates Paul.
Experts say that Amazon's payment suite helps to protect the retailer against payment fraud and fraudulent orders with security built-in at the architecture and design stage.
According to Shashidhar, the offline retailers will be issued a user ID, as well as privileged ID revalidation authentication tools, to carry out secure transactions on Amazon's platform.
The bottom line: Even the smallest of offline retailers can take advantage of mature security practices and tools provided by Amazon on its payments platform.
"Patching and vulnerability scanning will be taken up at the back end by Amazon's team to continuously monitor and maintain a robust security posture of the applications and the IT environment concerned, to enable retailers to do a secure transaction," Shashidhar says.
According to Vaitheeswaran, like any other online card transaction, offline retailers will use two-factor authentication to perform a secure transaction.
"When the retailer enters the credit details on a merchant site like Amazon.in, using the user ID and privileged ID, the data is routed to a Visa or MasterCard system which will ask for additional authentication data (mostly in the form of OTP or one time passwords sent over SMS), to ensure the authenticity of the user in carrying out a secure transaction," explains Vaitheeswaran.
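The second-factor step described above, as an added illustration that is not part of the original article and not code from Amazon, Junglee or any card network: the merchant submits the transaction, the verifier issues a short-lived one-time password bound to that specific transaction (amount and card), and the user must echo it back before authorization succeeds. The names OtpVerifier, issue, verify and demo, the server secret, the 5-minute expiry and the three-attempt limit are all assumptions made for this example; the sample transaction is constructed.

```python
"""Transaction-bound OTP step-up check (added example, hypothetical names).

Models the flow described in the article: an OTP is issued for one
transaction, expires after a short window, is voided after too many wrong
attempts, and is consumed on first successful use so it cannot be replayed.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300  # assumed expiry window
MAX_ATTEMPTS = 3       # assumed limit before the pending OTP is voided


class OtpVerifier:
    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now  # injectable clock so expiry can be exercised offline
        self._pending = {}  # txn_id -> (expected_digest, expires_at, attempts_left)

    def _digest(self, txn_id, amount_paise, card_last4, otp):
        # Bind the OTP to the transaction fields: a code issued for one
        # amount/card cannot be replayed against a different transaction.
        msg = f"{txn_id}|{amount_paise}|{card_last4}|{otp}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, txn_id, amount_paise, card_last4):
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[txn_id] = (
            self._digest(txn_id, amount_paise, card_last4, otp),
            self._now() + OTP_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        # In a real deployment the code goes to the cardholder over SMS and
        # is never returned to the merchant; returning it here is for the demo.
        return otp

    def verify(self, txn_id, amount_paise, card_last4, otp):
        entry = self._pending.get(txn_id)
        if entry is None:
            return False, "no pending otp"
        expected, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[txn_id]
            return False, "expired"
        candidate = self._digest(txn_id, amount_paise, card_last4, otp)
        if hmac.compare_digest(expected, candidate):  # constant-time compare
            del self._pending[txn_id]  # single use: no replay of a used code
            return True, "authorized"
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[txn_id]
            return False, "too many attempts"
        self._pending[txn_id] = (expected, expires_at, attempts_left)
        return False, "wrong otp"


def demo():
    """Runs the flow against a constructed transaction and returns the outcomes."""
    clock = [1_000_000.0]
    v = OtpVerifier(secrets.token_bytes(32), now=lambda: clock[0])
    results = {}

    otp = v.issue("txn-1", 149900, "4242")  # constructed: Rs 1,499.00 on card ...4242
    wrong = f"{(int(otp) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    results["tampered_amount"] = v.verify("txn-1", 199900, "4242", otp)[1]
    results["wrong_code"] = v.verify("txn-1", 149900, "4242", wrong)[1]
    results["correct"] = v.verify("txn-1", 149900, "4242", otp)[1]
    results["replay"] = v.verify("txn-1", 149900, "4242", otp)[1]

    otp2 = v.issue("txn-2", 5000, "4242")
    clock[0] += OTP_TTL_SECONDS + 1  # advance past the expiry window
    results["expired"] = v.verify("txn-2", 5000, "4242", otp2)[1]

    otp3 = v.issue("txn-3", 5000, "4242")
    wrong3 = f"{(int(otp3) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS):
        last = v.verify("txn-3", 5000, "4242", wrong3)[1]
    results["locked_out"] = last
    results["after_lockout"] = v.verify("txn-3", 5000, "4242", otp3)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of binding the digest to the amount and card is the "tampered_amount" case: the correct code is rejected when the merchant-side amount no longer matches what the OTP was issued for, which is the check a step-up factor needs if it is to do more than confirm possession of a phone.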