The retail landscape is changing with digital transformation, evolving technologies, and increasing risks associated with greater connectivity and integration. The retail industry is deploying Internet-connected devices to reach and serve customers better, ranging from new point-of-sale payment devices such as radio-frequency identification (RFID) and signature scanners, to audit-logging devices such as printers and cash dispensers, and other systems such as lights and cameras. With the proliferation of mobile devices and other technologies, retailers are collecting more and more data about their customers, intentionally and, perhaps, unintentionally. New threats constantly emerge, and attackers are becoming more capable and organized. At the same time, compliance requirements around data protection and security are becoming more significant. These trends increase the urgency and importance of addressing security and data protection concerns in a systematic and effective manner.
The OMG Retail Domain Task Group has recognized these issues and previously produced primers about security and data protection threats and associated controls. Trust is essential to the customer's relationship with the retailer. The challenge is to determine how much security is needed, how much to invest for a given scenario, and which controls to deploy, given the complexity of the retail environment. All aspects must be considered, including governance, technology and operations. The IoT Security Maturity Model (SMM) helps organize and manage these concerns, enabling the various stakeholders to communicate, determine appropriate maturity targets, assess the current status, and create action plans to address the gaps.
The SMM defines general considerations that form a foundation from which communities can address their specific needs and concerns and extend the SMM by creating profiles that cover industry- and device-specific concerns. This document is a profile for the point-of-sale (POS) retail community.
The goal of a Security Maturity Model is to provide a path for Internet of Things (IoT) providers to know where they need to be and how to invest in security mechanisms that meet their requirements without over-investing in unnecessary security mechanisms. It seeks to help organizations identify the appropriate approach for effectively enhancing their security practices where needed. Deciding where to focus limited security resources is a challenge for most organizations, given the complexity of a constantly changing security landscape.