Retail in Asia

Expert Opinion: Raising the bar for cyberattacks at the Point-of-Sale

Many retailers, large and small, brick-and-mortar and online, had their brands tarnished by cyberattacks in 2014. While news stories focused on Point-of-Sale (POS) breaches, the initial intrusion often took place in the back office and through a business partner.

Bottom line, to protect their reputation and the trust of their customers, retailers must re-evaluate the level of security currently in place not only in their POS environments but also throughout their value chain and across their business partners and customer touch points.

As a crucial starting point, all applications and servers in the data centre that generate traffic with a POS should be segmented into one, if not several, network zones to allow for better scrutiny. Today’s most advanced firewalls can effectively manage, control, and inspect all traffic coming in and out of the POS data centre zone(s) and apply security policies that eliminate unnecessary applications, ensure least-privileged access by users (including contractors), and inspect all traffic for malicious payloads to identify and block known and unknown malware.

This segmentation step is critical to prevent cyberattacks that penetrate the enterprise network through a weak point and then move laterally into zones that communicate with POS terminals and handle sensitive information such as customer data or credit card information.

We also recommend additional security for the edge of the network and endpoints. Below are a few ways security may be strengthened at the POS:

• Have endpoint protection in place that can be deployed on POS endpoints to prevent malware infection. Taking an innovative approach that is completely different from traditional anti-virus products, today’s newest endpoint protection solutions can detect and block malware before it is installed on the endpoint.

• Remote access solutions can also help protect mobile devices and remote computers, enabling a security team to enforce enterprise policies at the POS and ensure consistency of policies and security from the core to the edge of the network. They may also be used to enforce a secure VPN connection from the device they are installed on to the core infrastructure.

Finally, to complete the security of the POS environment and the communication between individual stores and the retailer’s data centre, it will be essential to look at the chosen architecture for distributed stores:

• Stores linked back to a central data centre may consider deploying an enterprise-grade platform at the core to manage and secure all traffic going back and forth to stores. For this traditional and most common case, the security may be centralised using next-generation firewalls.

• For retailers that want to offer richer customer experiences directly at the POS with WiFi access and other advanced services or need to allow store employees to connect directly to the internet, smaller purpose-built security appliances at the store level may serve as a good option.

Retailers often maintain a hybrid approach to support a broad range of small to large stores in a cost-effective manner. They can easily combine any of the above scenarios to support a mixed environment with minimal to no integration, as all offered alternatives:

• Are based on the same underlying technology
• Can be centrally managed
• Can easily exchange traffic logs
• Use consistent security policies regardless of the appliance deployed
• Seamlessly share threat intelligence

Overall, deployment flexibility and the need for minimal integration overhead should be the most important decision factors when choosing security solutions to protect the POS.

Joe Green is the Vice President of Systems Engineering for Asia-Pacific at Palo Alto Networks. Based in Hong Kong, he leads the pre-sales Systems Engineering team across Asia Pacific, with a strong focus on growing the business in this region.