How to Go Beyond Checklist PCI Compliance


By Michelle Arney, Head of Product, Cybera (https://www.cybera.com)

Retailers have faced an uphill battle as they have worked to achieve and maintain compliance with the PCI DSS (Payment Card Industry Data Security Standard), more commonly referred to simply as PCI compliance. PCI DSS applies to any organization that stores, processes or transmits cardholder data, which in practice means any merchant that accepts card payments. It dictates how cardholder data is collected, transmitted, stored and protected. For many retailers the associated expense and IT management burden can be overwhelming, since PCI compliance is typically not a retailer's core competency (nor should it be). And while PCI compliance does not contribute directly to a retailer's bottom line, the legal and financial ramifications of non-compliance (fines passed down by the card brands through the acquiring bank, higher transaction fees, and liability for breach costs) are typically severe.

Consequently, PCI compliance remains at the top of most retailers' IT and business priority lists, leaving them to wonder:

  • How do I go about implementing PCI compliance?
  • Is there an affordable way to achieve system-wide PCI compliance?
  • Can I scale out PCI compliance to multiple business sites without onsite IT resources?
  • How do I sustain PCI compliance in a constantly evolving threat landscape?

For the purposes of this article, I will focus on how retail organizations with a central IT organization and decentralized business units that have little, if any, onsite IT expertise can achieve PCI compliance in the easiest and most cost-effective manner. (The same practices and principles can, of course, be applied in other scenarios as well.)

Essential Enabling Practices

Simplification starts with minimizing the technical friction associated with PCI compliance and establishing consistent security standards across your distributed enterprise. The most important considerations when developing a security plan are:

  1. Separating PCI and non-PCI data and applications
  2. Encrypting data in flight and data at rest
  3. Managing user access to data
  4. Employing multi-layer security

Separating PCI and Non-PCI Data and Applications

PCI DSS requires you to scope your environment: identify every system component that stores, processes or transmits cardholder data (CHD), plus every component connected to, or able to affect the security of, that cardholder data environment (CDE), and then reduce the scope by segmenting the CDE from the rest of the network. Segmentation is not itself a PCI DSS requirement, but without it the entire network is in scope. While this aspect of PCI leads to a focus on the network, it is important to address both your network and your applications.

For instance, every application should have access only to the data it actually needs. You can take a pragmatic approach to PCI compliance through cloud-managed micro-segmentation: partition every application (payment, loyalty, corporate, franchisee, IoT, and so on) into its own virtual network, isolated from the others, with an explicit allow list for the few flows each one legitimately needs and everything else denied by default. This lets you enforce security policy per application and reduces the risk that a compromise in one application (say, a guest Wi-Fi or IoT segment) spreads laterally into the payment application. Segmentation only reduces PCI scope if it is shown to work: PCI DSS requires penetration testing of the segmentation controls to confirm that out-of-scope segments really cannot reach the CDE, and any segment that retains a path into the CDE (a management network that can SSH to the POS, for example) stays in scope.
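The following is an added example, not code from the article or from Cybera. It models per-application segments as an explicit allow list with default deny, evaluates a few sample flows, and then computes which segments an assessor would count as in PCI scope because they have an allowed path (direct or transitive) into the CDE. The application names, ports and rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """Explicit allow: traffic from app segment `src` to `dst` on `ports` (None = any port)."""
    src: str
    dst: str
    ports: Optional[FrozenSet[int]] = None


@dataclass(frozen=True)
class Flow:
    src_app: str
    dst_app: str
    dst_port: int


class SegmentPolicy:
    """Per-application segments: a flow is allowed only if an explicit rule matches it."""

    def __init__(self, apps: Iterable[str], rules: Iterable[Rule]):
        self.apps: Set[str] = set(apps)
        self.rules: List[Rule] = list(rules)
        for r in self.rules:
            if r.src not in self.apps or r.dst not in self.apps:
                raise ValueError(f"rule references an unknown segment: {r}")

    def allows(self, flow: Flow) -> bool:
        # Default deny, including for devices that are not in any registered segment.
        if flow.src_app not in self.apps or flow.dst_app not in self.apps:
            return False
        return any(
            r.src == flow.src_app
            and r.dst == flow.dst_app
            and (r.ports is None or flow.dst_port in r.ports)
            for r in self.rules
        )

    def pci_scope(self, cde: Iterable[str]) -> Set[str]:
        """The CDE plus every segment with an allowed path into it, followed transitively.

        A segment that can reach a segment that can reach the CDE is counted as
        'connected to' the CDE, which is the conservative reading assessors apply.
        """
        scope = set(cde)
        changed = True
        while changed:
            changed = False
            for r in self.rules:
                if r.dst in scope and r.src not in scope:
                    scope.add(r.src)
                    changed = True
        return scope


def flat_policy(apps: Iterable[str]) -> SegmentPolicy:
    """A flat store network: every segment can reach every other segment on any port."""
    apps = list(apps)
    return SegmentPolicy(apps, [Rule(s, d) for s in apps for d in apps if s != d])


# Constructed example: one store's application segments and its cardholder data
# environment (CDE). Names, ports and rules are illustrative, not a vendor's defaults.
APPS = ["pos", "payment_gw", "loyalty", "corp_mgmt", "guest_wifi", "iot_sensors"]
CDE = {"pos", "payment_gw"}

SEGMENTED = SegmentPolicy(APPS, [
    Rule("pos", "payment_gw", frozenset({443})),          # POS sends authorizations over TLS
    Rule("corp_mgmt", "pos", frozenset({22})),            # management jump host patches POS
    Rule("corp_mgmt", "loyalty", frozenset({22})),
    Rule("iot_sensors", "corp_mgmt", frozenset({8883})),  # sensors report via MQTT over TLS
])

if __name__ == "__main__":
    for flow in [Flow("pos", "payment_gw", 443), Flow("loyalty", "pos", 443),
                 Flow("guest_wifi", "pos", 22), Flow("corp_mgmt", "pos", 3389),
                 Flow("rogue_device", "pos", 443)]:
        print(flow, "ALLOW" if SEGMENTED.allows(flow) else "DENY")
    print("flat network in scope:     ", sorted(flat_policy(APPS).pci_scope(CDE)))
    print("segmented network in scope:", sorted(SEGMENTED.pci_scope(CDE)))
```

Run stand-alone, the flat policy puts all six segments in scope, while the segmented policy narrows it to four. The interesting result is that the IoT segment remains in scope even though it has no rule to the POS: it can reach the management segment, which can reach the POS. That is exactly the kind of path a segmentation penetration test is meant to surface, and the fix is a policy change (a dedicated bastion for POS management, or removing the sensor-to-management path), not a new appliance.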

Encrypting Data in Flight and Data at Rest

Sensitive data typically appears at many points in your network: a point of sale (POS) card reader, a mobile application, payment information entered on a web page, the network links that carry it, and the storage systems that hold it. As EMV (the technical standard for chip payment cards) gains wider adoption, counterfeit card fraud may be declining, but card-not-present fraud is surging. You should therefore secure every source, destination and path of sensitive data as part of your PCI compliance strategy: strong TLS for data in flight, strong encryption with properly managed keys (or tokenization) for stored PANs, and, above all, storing less. PCI DSS prohibits retaining sensitive authentication data (full track data, card verification codes, PINs) after authorization, and a PAN you do not store is one you do not have to protect. It also pays to verify where cardholder data actually ends up, since it has a habit of leaking into logs, exports and debug files outside the intended environment.

Managing User Access to Data

Multi-factor authentication (MFA) protects access to cardholder data by requiring more than a password, and PCI DSS requires it for all non-console administrative access to the cardholder data environment and for all remote access originating from outside the network. Modern MFA methods (push approvals, hardware tokens, authenticator apps) keep logins simple for users. Using a centralized, cloud-based network solution can help you configure and enforce access policy consistently across multi-site deployments, automate consistent security standards, eliminate manual configuration errors, and push security updates to every location quickly.

Employing Multi-Layer Security

PCI DSS requires multiple layers of control, including firewalls, encryption, anti-malware protection and logging, and it is a defense-in-depth standard by design: no single control is relied on to protect cardholder data. Your own strategy should go further than the minimum and include granular security policies tailored to each application, rather than one policy applied to the entire network.

Sustainable, Affordable Deployment

An affordable, low-touch solution that delivers real application and network security remains high on many retailers' wish lists. Most recognize that this is especially critical when securing networks that are attractive targets, such as those carrying sensitive CHD. Low-friction PCI compliance solutions can free up IT budget currently spent on maintenance, upgrades and integration for more strategic, revenue-focused initiatives that enhance the customer experience (CX).

The SD-WAN Option

Today, many retailers who have few or no onsite IT staff have turned to secure, software-defined WAN (SD-WAN) solutions as a way to enable PCI compliance for their networks.

SD-WAN solutions can accelerate secure business operations across multiple sites by consolidating many security and network functions (such as VPN, firewall, intrusion detection and MFA) in a single cloud-managed device. Using a plug-and-play appliance that onsite retail personnel can install without IT or security training, retailers can avoid both the capital and operational expense of costly, complex multi-device network deployments, which are often prone to failure. Consolidation also concentrates risk, so treat the appliance and its cloud management plane as in-scope components: they enforce the controls that keep the CDE isolated, and must be hardened, patched and change-controlled like any other system in scope.

A cloud-managed SD-WAN solution enables you to:

  • Centrally configure and enforce security policies across all locations for a consistent, standardized security approach
  • Automate security updates so all remote locations receive them quickly, improving response times in a constantly evolving threat landscape
  • Place the solution on top of your existing networks as a virtualized software layer, preserving existing network investments while optimizing application security and performance

Monitoring

Because monitoring is an important element of sustained PCI compliance (PCI DSS requires that logs from all in-scope systems be collected and reviewed, and that intrusion detection and change detection alerts be acted on), some cloud-managed SD-WAN solutions include continuous network monitoring as a core component. When an emerging or resurging threat is detected in one part of the network, a fast response can contain the immediate threat while the necessary security updates are proactively propagated throughout your distributed enterprise.

Scalability

Implementing these defense strategies can be daunting with traditional VPNs (which tend to be complex and labor-intensive to manage at scale) and MPLS (which is costly and can take months to provision). Both can erode your time-to-market advantage and delay your growth strategy.

The flexibility and scalability of a well-designed SD-WAN simplifies and automates this process to extend enterprise-grade, multi-layer security all the way to the edge of your network without requiring onsite IT and security professionals.

Going Beyond Checklist PCI Compliance

By following these straightforward steps, you can adopt an affordable, secure and PCI-compliant infrastructure that your retail locations can deploy on their own broadband connections in minutes, with no IT or security training. The resulting benefits go well beyond checklist compliance, which on its own says nothing about whether the environment is actually secure.

The ease of use and high performance associated with some of today’s cloud-managed SD-WAN solutions frees up time and dramatically reduces costs. As a result, you can redirect your IT budget and resources toward initiatives that enhance the customer experience—such as unified commerce, mobile payments, guest Wi-Fi, beacons, and other emerging technologies.

About Michelle Arney, Head of Product, Cybera (https://www.cybera.com)

Michelle Arney leads the product team at Cybera Inc. and is responsible for product vision, strategy and roadmap. Prior to joining Cybera, she spent her career working with startup and enterprise IT and developer technologies, most recently at Microsoft, where she focused on server, cloud and emerging technologies. Follow Michelle and Cybera on Twitter and LinkedIn.