In 2015, 70% of breaches reported by global retailers were directed at POS devices. With the quantity of exploits only increasing, retail CIOs cannot rely on industry minimum guidelines to set out their security strategy. While the Payment Card Industry data-security standard (PCI DSS) provides a strong baseline of security measures to protect systems and data, retail IT security must go beyond minimum standards required by auditors.
To adequately protect in-store endpoints, Retail IT departments need to reduce the complexity of their environments by enforcing standards and go deep on three pillars of device security: device, data, and identity. Here are some best practices to keep in mind:
Implement standards to reduce complexity
Retail has a longstanding problem with device sprawl. Ongoing marketing, omnichannel and transactional initiatives drive demands for various kiosks, tablets, and handhelds, each often with a unique operating system. As a result, because iOS, Android, and Windows devices fundamentally approach management and security differently, unified security policies are difficult to deploy.
Stringent business-case requirements to deploy technology outside the core store standards must be enforced by senior IT leadership. A review of potential security challenges, as well as costs to mitigate associated risks, should be considered by steering committees or senior management looking at deployment of new non-standard devices.
Lock down store devices
Whether for POS terminals, tablets, or back-office PCs, the following software, firmware, and hardware strategies are a must to protect against potential exploits and attacks:
Use software tools. Security strategies need to leverage security options offered by the device operating system (OS) layer for protection against potential exploits. In Windows 10, for example, these include often-overlooked Credential Guard, Device Guard and file-based Write Filter as well as App and BitLocker technologies. On the application side, it’s imperative to use clearly defined user authentication and permissions across both local and browser apps.
Secure firmware foundation. Increasingly, the firmware layer (known as BIOS for PCs and PC POS) is the most important component of device security. While commonly overlooked by IT administrators, it is rapidly becoming the prime target for sophisticated attacks, which, if successful, can remain undetected by traditional IT security tools. Because BIOS security also underpins secure drive encryption as well as other ‘downstream’ security measures, building a secure foundation is critical.
Depending on the hardware, BIOS can be secured through pre-boot authentication and administrator-implemented BIOS management controls. Additional security features can include real-time health monitoring and automatic recovery to “gold copy” image in case of corruption or intrusions. Since BIOS is generally a vendor-specific technology, some vendors provide the ability to use uniform security management and policy enforcement tools across their PCs and retail POS devices, reducing the number of systems required to manage the retail infrastructure.
Choose hardware with built in security. Important hardware features for retail systems should include the ability to lock out data ports and provide case-intrusion protection. Devices should restrict and manage access to system ports via hardware lock and enable BIOS-level configuration to prevent data leaks or use of unauthorized devices.
Data protection encompasses software, firmware and hardware security to safeguard access to local storage on the device. To prevent data theft, retailers can use self-encrypting drives (SED) and drive-authentication technologies. SEDs use a hardware-based encryption to read and write data faster and more securely than software-based solutions. Drive authentication and encryption solutions provide protection against thieves removing drives from a secured system to be analyzed and accessed on another machine.
Manage identity at all times
With 85% of IT professionals saying the weakest link in security is end users failing to follow policies and procedures, IT departments must make user-device authentication easy, convenient, and reliable. Biometric solutions have been gaining acceptance in retail, but the next step is multifactor authentication, which combines hardened authentication, such as fingerprints or PINs, and soft factors, like passwords and facial recognition.
While PCI standards provide general security guidelines, retail IT departments must go beyond them to safeguard their environment and data. A major breach can have immediate legal and financial consequences if negligence can be established. And when a breach sinks consumer confidence, retailers might find themselves struggling to survive.
—Dmitry Sokolov is the vertical lead for Retail at HP Canada Co.