Best Practices to Protect the Retail Environment

The new year is here and with it comes new consumer behavior and demands. Retailers are incorporating in-store innovations to provide the best customer experience possible, making their retail infrastructure even more complex than before.

With this in mind, we’ve compiled the best practices that retail ITs should consider to strengthen their value chain.

1. Know the proven vulnerabilities

Retailers can prevent and detect cyberattacks by understanding the vulnerabilities of the entire retail environment and following security best practices. And there’s no better way to do so than by learning how retailers have been exploited in the past. To learn more, read POS Systems: The Proven Vulnerabilities.

2. Mandate point-to-point encryption (P2PE) for all connections through your network

To protect the customer data traversing your network, use P2P encryption whenever possible– even in devices that are considered out of scope for PCI. To learn more about P2PE, read the Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) .

3. Segment your network

Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network.” – Payment Card Industry (PCI) Data Security Standard (DSS) v3.2.

Use network segmentation to separate different types of devices and their associated users:

  • Install and regularly update anti-virus to protect cardholder data against malware.
  • Install and configure firewalls to manage internal traffic between network segments.
  • Enforce strong and unique passwords throughout the entirety of the retail environment, including third-parties and vendors in the supply chain.

4. Improve your security hygiene

Network segmentation by itself is not sufficient to ensure the security of your retail environment. Retailers must implement additional security measures to prevent stolen identity and access privileges:

  • Implement strong access control measures. Enforcing PCI DSS requirement 7 outside the PCI zone is still a good idea. Each zone should have its own roles, privileges and access, effectively restricting user access to data within their area of responsibilty.
  • Enforce strong authentication for remote access and support: To secure remote connections to attended and unattended devices within your network, choose a remote access solution that integrates with Active Directory and supports multi-factor options: multi-factor authentication, authentication against RADIUS, Windows Azure Multi-Factor Authentication, Callback, MAP/IP address check or Closed User Groups.

With access control measures in place and enforced, retailers should revise their official security policy and be flexible in making the necessary adjustments to bridge security gaps.

5. Physically protect your systems

Most retailers envision a physical breach as an attacker simply walking up to a POS terminal, inserting a USB drive and delivering malicious files into the network. But retailers should be prepared for other scenarios as well.

To physically secure a system, follow these methods at minimum:

  • Control access to the system. Make sure that all publically accessible systems are protected.
  • Implement surveillance measures. Monitor the physical locations of your retail system terminals using surveillance cameras and notification systems.
  • Periodically test your disaster recovery procedures. Running disaster recovery drills can shed light on system weaknesses that may become entry points of an attack.

6. Use contactless POS

“Contactless payment offers consumers a fast, secure and convenient way to pay, providing merchants with significant opportunities to reduce queuing and improve the in-store payment experience, while offering brands a host of new loyalty opportunities. It also enables a significant reduction in the use of cash, as seen in several early adopting countries. Additionally, contactless payment paves the way to multi-application, as the same device (card, mobile handset or wearable) can also be used for transit or access control.” (Source)

Contactless POS systems leverage Near-Field Communication (NFC), while NFC-enabled devices allow customers to store credit card and loyalty information on their mobile phones.

With no PIN or signature to validate the transaction, contactless could be an attractive fraud target. But this is generally managed by requiring the card holder to enter a PIN or signature on a random basis and, more importantly, by setting a maximum value for the transaction… This transaction limit is the real control as the fraudsters’ goal, as always, is to secure the maximum value from the smallest number of transactions.” – The Road to Contactless Payments (NCR whitepaper).

7. Monitor and maintain system integrity

Integrity, in terms of data and network security, is the assurance that information can only be accessed or modified by those authorized to do so.”- (Source).

To maintain your retail system’s integrity, follow these practices:

  • Monitor privileged user activity on your critical systems to track unauthorized access into the retail system.
  • Monitor system integrity. System integrity monitoring tools allow retail IT admins to save a snapshot of the system’s configuration and then monitor any changes to it.
  • Monitor audit trails and activity logs. With a comprehensive audit trail and regularly monitored audit logs, all user activity can be accounted for.
  • Monitor authorized wireless access points. Monitoring the inventory of authorized wireless access points on a regular basis is security best practice. Learn more about this by reading Requirement 11.11 of the Payment Card Industry (PCI) Data Security Standard (DSS) v3.2.

8. Educate your staff and increase security awareness

The most important practice for stronger security in retail is security awareness.

Providing security education and promoting awareness throughout the complex retail infrastructure (including employees, third-party vendors, suppliers, merchants, and customers) reduces your chances of a breach and ensures an incident will be properly handled should it occur. Developing an effective security awareness program and implementing it successfully should be a top priority for IT managers.

Conclusion

Given the innovative technologies retailers embrace to respond to consumer needs (kiosks, mobile payments, augmented reality, omnichannel, etc.), advancing security practices accordingly in the retail environment is of foremost importance.

Acknowledge system vulnerabilities, then secure all systems and segments within the network while keeping a keen eye on managing privileged access to systems. Remember to not to overlook security awareness. Make it part of your company’s culture.

Four big retailers failed to protect their retail environment last year. How well do you protect yours?

References

POS Systems: The Proven Vulnerabilities

Payment Card Industry (PCI) Point-to-Point Encryption (P2PE)

Payment Card Industry (PCI) Data Security Standard (DSS) v3.2

http://www.smartpaymentassociation.com/images/news/16-04-26-SPA-Contactless-Payment-Benefits-WP-Final.pdf

The Road to Contactless Payments

http://searchdatacenter.techtarget.com/definition/integrity