Security and PCI Compliance for Retail Point-of-Sale Systems


In the retail business, certain security issues can impact customer confidence and the bottom line: regulatory penalties, breaches, and unscheduled downtime. Retailers know they need to address these issues, but they often lack the budget for security solutions that come with increased labor costs and require system or network upgrades. In fact, the ideal security solution needs to extend the ROI of the existing IT infrastructure. McAfee offers a comprehensive approach to securing retail store point-of-sale (POS), also known as point-of-service, and back-office solutions across various platforms: legacy, end-of-life (EOL), or recently purchased. Our solutions are equally effective in environments where network bandwidth is constrained, purpose-built POS and back-office systems have limited resources, and frequent patching and updates are not an option.

McAfee solutions expand beyond retail stores, integrating a comprehensive security strategy for the entirety of the retailer's IT infrastructure, including stores, main offices, and supply chain assets across desktops, servers, network devices, and data. McAfee achieves this by combining several core aspects of security, including discovery, management, threat intelligence, protection, monitoring, response, and audit within comprehensive solution suites. McAfee can also work with existing qualified security assessors (QSAs) and/or offer consulting services and its own QSAs to help deploy and customize a tailored solution efficiently and effectively.

Unique Retailer Requirements

Retail IT infrastructure is complex and distributed. It includes stores with POS checkout terminals, self-checkout units, cash drawers, information/web kiosks, PCs, and back-office servers. These systems are generally connected to a main office, which includes desktops, servers, network devices, and data. In addition to the retailer's operational environment, there are increasing IT dependencies on supply chain relationships, ranging from wholesalers and distributors to manufacturers and suppliers.

Retail organizations are concerned about striking a balance between reducing risks, reducing costs, and delivering optimized security to their constituents and customers. At the same time, they also want to improve the customer experience, reinforce brand identity, generate customer loyalty, and increase sales. Two areas make this balance particularly challenging for retailers: compliance mandates and today's resource-constrained retail environment.

Compliance mandates:
- Payment Card Industry Data Security Standard (PCI DSS)
- PCI-related state legislation (Nevada, Washington, and Minnesota)
- The European Union Privacy Directive

Today's resource-constrained retail environment:
- Newer POS systems have the power, extensibility, and vulnerabilities of a PC.
- Legacy and EOL systems are still very common and are needed to keep critical systems and services available while maintaining security.
- Downtime must be minimized, and patches and updates are difficult to roll out across all retail stores.
- Resources remain constrained in terms of IT staff, system resources, and network bandwidth.

Mandates

Problem

Retailers must be able to demonstrate PCI compliance within their stores across all IT systems that store, transmit, or track credit card data. This generally includes POS and back-office systems. Failure to comply with PCI requirements can result in penalties or sanctions from members of the payment card industry. In addition to PCI, several states have PCI-related legislation. Additionally, the European Union Privacy Directive has many controls that overlap with PCI requirements as they relate to the storage and transmission of credit card information. Taken collectively, these mandates amplify the need for retailers to be able to demonstrate compliance.

Solution

Purpose-built security solutions for retail store environments from McAfee are focused specifically on security controls, reports, and dashboards for POS, back-office systems, and related in-store systems. Integrity control provides the security controls and reports for demonstrating compliance with PCI sections 10.5.5 and 11.5, which specify the use of file integrity monitoring. These integrity controls also help address other sections within PCI, including 1, 2, 6, and 8. Because many retail environments can't run anti-malware solutions on their in-store systems, McAfee solutions can act as a compensating control for PCI anti-malware requirements, as accepted by QSAs.

McAfee also offers log management and database security solutions. Log management is another PCI requirement relevant to in-store operations and is applicable to PCI sections 1, 2, 6, 7, 8, 10, 11, and 12. Databases are common within retail store back offices and tend to contain the most sensitive data. PCI controls for databases are relevant to PCI sections 1, 2, 3, 7, 10, 11, and 12. Areas directly supported by McAfee Integrity Control software, as well as McAfee solutions for log management and database security, are highlighted in the PCI DSS requirements table below.

While the solutions outlined are specific to a retailer's in-store environment, McAfee has a complete range of IT security and compliance solutions and services that work together to address PCI requirements across the retailer's stores, main office, and supply chain. McAfee also has consulting services with QSAs that can help design, deploy, and manage solutions for even the most complex retail environments and put in place solutions that will demonstrate PCI compliance while reducing risk, reducing operational expenses, and maximizing IT asset ROI.

PCI DSS Requirements

The table maps the 12 PCI DSS requirements against three columns: McAfee Integrity Control, McAfee Log Management Solutions, and McAfee Database Security.

1: Install and maintain a firewall configuration to protect cardholder data.
2: Do not use vendor-supplied defaults for system passwords and other security parameters.
3: Protect stored cardholder data.
4: Encrypt transmission of cardholder data across open, public networks.*
5: Use and regularly update anti-virus software.*
6: Develop and maintain secure systems and applications.
7: Restrict access to cardholder data by business need-to-know.
8: Assign a unique ID to each person with computer access.
9: Restrict physical access to cardholder data.
10: Track and monitor all access to network resources and cardholder data.
11: Regularly test security systems and processes.
12: Maintain a policy that addresses information security.

* Supported by additional McAfee solutions.

Coverage, as stated in the Mandates section above: McAfee Integrity Control addresses requirements 1, 2, 6, 8, 10, and 11; McAfee Log Management Solutions address requirements 1, 2, 6, 7, 8, 10, 11, and 12; McAfee Database Security addresses requirements 1, 2, 3, 7, 10, 11, and 12.

The Modern Retail Environment and Resource Constraints

Problem

Retailers are upgrading their POS systems to take advantage of add-on modules that promise to build stronger ties to the consumer at the point of checkout. Not wanting to fall behind the competition in terms of features and functions, and needing the broadest possible application support, retailers are moving to commercially popular operating systems and applications. As purpose-built solutions, these POS systems and the back-office systems that reside at the remote stores are often resource constrained. They often have dial-up or low-bandwidth connectivity to regional or main offices, and that bandwidth is primarily reserved for business operations, backups, pricing updates, new applications, order fulfillment, marketing pattern analytics, and other retail functions. These stores do not have local IT support and, generally, the retailers have such limited IT resources that they depend on third-party contractors to perform hands-on IT activities as needed.

This results in an environment that is not well suited to downloading and installing patches for core operating systems, critical applications, or anti-malware .DAT files. With a desire to get the most ROI out of their initial POS investment while at the same time achieving the benefits that today's solutions offer, many retail environments will also have a mix of current solutions and existing, legacy solutions, each with its own risks.

Solution

McAfee solutions for in-store retail operations:
- Are not scan based, so they are not system resource intensive.
- Do not require .DAT downloads, so they are not network intensive and do not require frequent updates.
- Can be deployed and managed centrally by leveraging McAfee management solutions, reducing demands on IT staff.
- Can run on multiple platforms, including Microsoft Windows XPe (embedded), which cannot run traditional anti-malware.
- Reduce patch cycles for operating systems and applications and extend the life of legacy/EOL systems.
- Provide a broad range of protections, from zero-day vulnerabilities and targeted malware to dynamic whitelisting of authorized executables (drivers, Java, binaries) and blocking of unauthorized user or browser installs.
- Prevent malware from being installed through USB access.
- Prevent the installation and propagation of unapproved software.
- Prevent changes by unauthorized users.
- Provide visibility into changes across all POS and back-office systems.

While the most pressing area of focus for retailers is stores, retail infrastructures are, of course, much more than this. As shown in Figure 1, retailers also have complex main offices that leverage mission-critical assets, from accounting controls and enterprise resource planning (ERP) to loss prevention and inventory replenishment. Retailers also depend on interconnected supply chain management systems with suppliers, warehouse operations, and others. The complexity, criticality, and sensitivity of these environments are similar to those found in the financial industry and even government agencies. Unfortunately, in comparison, retailers generally have much smaller IT staffs to manage their environments because of thin margins.

McAfee is unique in its ability to offer products, services, and added value through partnerships to address the complete spectrum of retailer needs across various mandates and security requirements. This is achieved by combining several core aspects of security, including discovery, management, threat intelligence, protection, monitoring, response, and audit within comprehensive solution suites. McAfee solutions allow retailers to lower risk, reduce operational costs, demonstrate compliance, and maximize IT infrastructure ROI, so that retailers can focus on the business of doing business without additional staff or changes to systems or networks. For more information about McAfee solutions for security and PCI compliance for retail POS systems, please visit: www.mcafee.com/pci.

[Figure 1. The interconnected retail environment: retail stores (POS, mobile POS, kiosk, online server); HQ mission-critical assets (accounting control; analytics; B2B and B2C ecommerce; business intelligence; cash and check management; CRM and loyalty; database and data warehouse; EDI; EFT and credit processing; ERP; forecasting; inventory management; item and price management; labor scheduling; loss prevention and sales audit; merchandise allocation and planning; price optimization; replenishment; signage and ticketing; traffic counting systems; vendor management; workflow and workforce management); suppliers and portals; data mining; warehouse operations; call center; and authorizations/settlement (merchant bank), all linked over private and public networks.]

2821 Mission College Boulevard, Santa Clara, CA 95054, 888 847 8766, www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 2017 McAfee, LLC. 896_0816 AUGUST 2016