Today’s retail environment has become increasingly complex and sophisticated. IT demands continue to grow as risk management concerns and regulatory compliance requirements expand. Distributed retail environments are particularly challenging: each endpoint (store) is an attack vector waiting to be exploited, and each store has to meet PCI DSS requirements.
PCI DSS applies to any merchant who accepts credit card transactions. In a distributed retail environment, this means IT professionals must apply uniform security measures across all distributed store endpoints. Failure to provide a uniform network security strategy and a consistent deployment of protective systems can result in substantial penalties, as well as high exposure to a variety of data and network threats.
Here are six steps you can take to make network security management a little easier in distributed retail environments:
1. Build and maintain a secure network. The first requirement here is to install and maintain a firewall configuration to protect cardholder data. Specifically for distributed retail environments, we offer RapidDeploy, a unique cloud-based configuration utility that enables uniform, rapid deployment of UTM appliances across a distributed environment. This eliminates the need for IT professionals to pre-configure devices or travel to deployment sites for installation, which significantly reduces total cost of ownership, while also reducing the risk of UTM misconfiguration.
The second requirement under this rubric is to not use vendor-supplied defaults for system passwords and other security parameters. In fact, we require administrators to change default passwords when first configuring appliances. And, with role-based access controls, administrators can effectively manage who can make firewall/UTM changes so that systems are always protected from unauthorized access.
2. Protect cardholder data. The third and fourth requirements call for the protection of stored cardholder data and encrypted transmission of cardholder data across open, public networks. In general, no cardholder data should ever be stored, but if it must be, the data should be encrypted. If you’re transmitting data, be sure to use a VPN solution so that the transmission is secure. Our VPN solutions are especially suited to distributed retail environments, because they can create tunnels that provide secure site-to-site connections between networks or distributed store locations. This way, encrypted cardholder data can be securely transmitted and protected from hackers and identity thieves.
3. Maintain a vulnerability management program. Here, the PCI DSS requirement calls for regular updating of antivirus software or programs. Our UTM appliances offer gateway antivirus to protect against all sorts of viruses, trojans and malware variants. With the security subscription, all of our UTM appliances are automatically and seamlessly updated to thwart the latest virus outbreaks. It’s worth noting that, with our proxies, many “zero-day” attacks can be stopped before an antivirus signature update is received. And, with our cloud-based Reputation Enabled Defense, dangerous websites and IP traffic can be shunned before they ever reach a retail branch location.
4. Implement strong access control measures. This requirement calls for the restriction of access to cardholder data using business need-to-know policies. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on job responsibilities. Here, the best security practice is grounded in the principle of “least privilege,” which holds that access to data should be limited to those who need it for legitimate business purposes.
5. Regularly monitor and test networks. Under this goal, the requirement calls for tracking and monitoring of all access to network resources and cardholder data. Make sure your administrators have the most in-depth and feature-rich array of reporting and logging tools. In our UTM appliances, advanced logging mechanisms support the ability to track individual users, which is critical for forensics and vulnerability management. You’ll also want easy-access, pre-packaged PCI DSS reports that give you at-a-glance information to help you stay on top of your compliance posture.
6. Maintain an information security policy. This goal requires that merchants maintain a policy that addresses information security for all personnel. For example, our UTM appliances support extensive policy controls. This way, distributed retailers can maintain and enforce uniform policies across a variety of geographic locations. Additional security services, such as our LiveSecurity service, can provide best practices and related security updates so that retailers stay up to speed on the latest security developments.
Today’s distributed retail environment architecture is one of the most challenging IT environments, rivaling that of banks and financial institutions. While the distributed retail environment offers substantial business advantages, such as increased sales, improved customer loyalty, and operational efficiencies, it also poses significant challenges. Today’s network administrators must not only be mindful of hackers bent on stealing cardholder data, but also be fully apprised of legal and industry regulations, such as PCI DSS.