Retailers Have Important Data Network, PCI, and PoS Security Choices
by Eirik Iverson, Product Management
PCI compliance, future requirements, and security best practices require retailers to make important choices. Retailers must control what data traffic may enter each store as well as what may leave. They also need to keep some things in each store separate from others. Methods used to secure data traffic can impact how retailers operate within them.
Centralized Firewall vs Firewall-per-Store for Retailers
A centralized firewall for an array of stores is applied when they operate as a closed system. A closed system implements a block-all policy whereby all inbound and outbound data traffic is discarded except for explicitly specified exceptions: a ‘white list’. This benefits retailers by ensuring that unknown data traffic flows are eliminated, allowing only those approved.
Firewalls deployed at each site can be configured in a default-deny manner as well. However, they cost retailers more in hardware and operations (e.g., configuration and patch management). Even in managed services, these costs are passed on to the retailer one way or another. And, more managed firewalls means more potential for configuration mistakes.
Blue Ridge implements a closed system via our VPN technology that we developed for military and other national security organizations over 15 years ago. It is by far the most time-proven VPN solution commercially available. However valuable one considers the various government certifications our VPN solutions have achieved, the most important metric is the fact that there have been no reported vulnerabilities or security breaches in all this time. This unrivaled record is absolutely attributed to the technology. We would be delighted to explain the cryptographic differences between our technology and those developed by all other vendors.
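The closed-system model described above (drop everything, then add explicit exceptions) is easy to state and easy to get wrong. The following is an added example, not Blue Ridge code and not a description of its appliance: it models a store-edge white list as data, renders it as an nftables forward chain with `policy drop` in both directions, and evaluates candidate flows against the same list so the two never disagree. All addresses, interface names and ports are constructed placeholders.

```python
"""Default-deny ("closed system") store edge: white list as data, rendered to nftables.

Added example; all addresses, interfaces and ports below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowException:
    """One explicitly approved flow. Direction is relative to the store LAN."""
    direction: str   # "inbound" or "outbound"
    src: str         # address or CIDR, or "any"
    dst: str         # address or CIDR, or "any"
    proto: str       # "tcp" or "udp"
    dport: int
    comment: str


# Constructed sample white list for one store (placeholder addresses).
STORE_EXCEPTIONS = [
    FlowException("outbound", "10.20.1.0/24", "203.0.113.10", "tcp", 443,
                  "PoS segment to payment processor (TLS)"),
    FlowException("outbound", "10.20.1.0/24", "198.51.100.53", "udp", 53,
                  "PoS segment to HQ DNS resolver"),
    FlowException("inbound", "198.51.100.5", "10.20.0.1", "tcp", 22,
                  "HQ management host to store edge appliance"),
]


def _matches(addr: str, spec: str) -> bool:
    """Match a single address against an address/CIDR spec or the wildcard 'any'."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def is_permitted(exceptions, direction, src, dst, proto, dport) -> bool:
    """Default-deny decision for a new flow: allowed only if some exception matches."""
    for fx in exceptions:
        if (fx.direction, fx.proto, fx.dport) != (direction, proto, dport):
            continue
        if _matches(src, fx.src) and _matches(dst, fx.dst):
            return True
    return False


def _render_match(fx: FlowException) -> str:
    parts = []
    if fx.src != "any":
        parts.append(f"ip saddr {fx.src}")
    if fx.dst != "any":
        parts.append(f"ip daddr {fx.dst}")
    parts.append(f"{fx.proto} dport {fx.dport}")
    parts.append(f'accept comment "{fx.comment}"')
    return " ".join(parts)


def build_ruleset(lan_if: str, wan_if: str, exceptions) -> str:
    """Render the white list as an nftables forward chain whose policy is drop."""
    lines = [
        "table inet store_edge {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for fx in exceptions:
        if fx.direction == "outbound":
            lines.append(f"    iifname {lan_if} oifname {wan_if} {_render_match(fx)}")
    for fx in exceptions:
        if fx.direction == "inbound":
            lines.append(f"    iifname {wan_if} oifname {lan_if} {_render_match(fx)}")
    # Log and count what falls through so unexpected flows are visible, not silent.
    lines += ['    log prefix "store-edge-drop: " counter drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_ruleset("lan0", "wan0", STORE_EXCEPTIONS))
```

Because `is_permitted` and `build_ruleset` read the same list, a change-control review of `STORE_EXCEPTIONS` is a review of the whole policy; the logged drops are the signal that some device in the store is trying a flow nobody approved.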
Download our ‘Retailer Network and PoS Security Overview’
Public IP Addresses vs Private IP Addresses
PCI compliance requires periodic scans of all publicly addressable IP addresses in a retailer’s network. A third party must conduct these scans. The price they charge retailers is based on the number of public IP addresses within PCI scope. Retailers save money by reducing the number of nodes that fall within the scope of this PCI requirement.
Blue Ridge significantly reduces this scope with the VPN appliances that it deploys at each store. These devices use whatever private IP address they dynamically acquire from whatever ISP router is at each store. The ISP router is considered ‘out of scope’ because the VPN appliance represents the line of demarcation between what falls inside and outside PCI scope. Retailers can gain some additional savings by not having to pay for public IP addresses from the various ISPs and carriers.
Blue Ridge is not unique in offering VPN appliances that operate with private IP addresses. However, all of the implementations by other major vendors require something called ‘Dynamic DNS’, which is easily susceptible to denial of service attacks. And, we know of at least one major vendor whose implementation is subject to more serious security vulnerabilities that can enable cyber criminals to crack their encryption. That said, we know of no publicly reported security breaches of this kind.
Secure All of a Retailer’s Customer Data Traffic vs Just PAN Data Traffic
Other customer data will eventually be covered under PCI. Numerous reports from the security industry tell of cyber criminals stealing more than just primary account number (PAN) data. PAN data is the primary focus of PCI. Cyber criminals can sell PAN data at a higher price if accompanied by other customer data that facilitates data theft. We expect that the PCI Council will be compelled to expand the scope of PCI to include this other customer data. As retailers deploy new or upgrade existing store IT services and execute PCI compliance tasks, they should identify other sensitive customer data vulnerable to theft and consider securing that data before the PCI Council mandates it. The incremental cost of securing this other data while doing so for PAN data can be trivial. However, retrofitting such additional security later can be considerably more costly.
Blue Ridge has spent most of its 15 years serving customers that are high-value targets in government, military, finance, healthcare, and others. When it comes to high assurance security providers, there are those that ‘play it on marketing content’ and those that live it. Blue Ridge develops its own network appliances and computer security software in-house because most commercially available tools are too operationally complex to operate and they fall short of our high assurance security standards.
As Hanover Foods, TJ Maxx, Forever 21, and others can attest, mere PCI compliance does not equate to high assurance security. And with Blue Ridge, high assurance security does not equate to an unaffordable solution.
One Network Segment per Store vs Multiple Segments
Retailers can significantly reduce their PCI compliance costs through network segmentation. Consider all of the different devices in a store. Perhaps two to five of them handle PAN data. None of the others do. If all endpoints are on the same network segment, then all must be PCI compliant, and retailers must prove this is so.
As of now, PCI compliance only concerns PAN data. Therefore, retailers should create at least two network segments per store: one for point of sale (PoS) machines, and another for everything else.
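The scope arithmetic in the two paragraphs above is worth making concrete, because a single misplaced device undoes it. The following is an added example (not Blue Ridge code) with a constructed store inventory: it audits which devices sit on the PoS segment, flags the two kinds of mistake that inflate scope (a PAN-handling device on the shared segment pulls the whole shared segment into scope; a non-PAN device on the PoS segment is needlessly in scope), and counts the devices a QSA would have to assess before and after remediation. Device names and segment labels are assumptions.

```python
"""Store network segmentation audit for PCI scope (added example, constructed inventory)."""
from dataclasses import dataclass, replace

CDE_SEGMENT = "pos"   # the segment intended to hold PAN-handling devices


@dataclass(frozen=True)
class StoreDevice:
    name: str
    segment: str        # "pos" or "general" (assumed labels)
    handles_pan: bool   # does this device process, store or transmit PAN data?


# Constructed sample inventory for one store; the last two entries are deliberate mistakes.
STORE_INVENTORY = [
    StoreDevice("register-1", "pos", True),
    StoreDevice("register-2", "pos", True),
    StoreDevice("pin-pad-1", "pos", True),
    StoreDevice("back-office-pc", "general", False),
    StoreDevice("inventory-scanner", "general", False),
    StoreDevice("digital-signage", "pos", False),   # non-PAN device on the PoS segment
    StoreDevice("self-checkout-kiosk", "general", True),  # PAN device on the shared segment
]


def in_scope_devices(inventory, segmented: bool):
    """Devices a PCI assessment must cover.

    Unsegmented store: every device shares the flat network with the PoS, so all are in scope.
    Segmented store: every segment that contains at least one PAN-handling device is in
    scope in its entirety, so one misplaced PAN device drags its whole segment along.
    """
    if not segmented:
        return [d.name for d in inventory]
    pan_segments = {d.segment for d in inventory if d.handles_pan}
    return [d.name for d in inventory if d.segment in pan_segments]


def audit_segmentation(inventory):
    """Return one finding per device that breaks the 'PoS segment == PAN devices' rule."""
    findings = []
    for d in inventory:
        if d.handles_pan and d.segment != CDE_SEGMENT:
            findings.append(f"{d.name}: handles PAN but is on '{d.segment}'; "
                            f"that entire segment is now in PCI scope")
        elif not d.handles_pan and d.segment == CDE_SEGMENT:
            findings.append(f"{d.name}: on '{CDE_SEGMENT}' without handling PAN; "
                            f"needlessly in scope and adds attack surface next to the PoS")
    return findings


def remediate(inventory):
    """Return a corrected inventory: PAN devices on the PoS segment, nothing else there."""
    return [replace(d, segment=CDE_SEGMENT if d.handles_pan else "general") for d in inventory]


if __name__ == "__main__":
    for f in audit_segmentation(STORE_INVENTORY):
        print("FINDING:", f)
    print("flat network, in scope:", len(in_scope_devices(STORE_INVENTORY, segmented=False)))
    print("segmented as-is, in scope:", len(in_scope_devices(STORE_INVENTORY, segmented=True)))
    print("segmented after fixes, in scope:",
          len(in_scope_devices(remediate(STORE_INVENTORY), segmented=True)))
```

The model is deliberately simple: it counts segment membership only. PCI DSS also pulls in systems that can connect into the cardholder segment, which is why the segment boundary has to be enforced by a default-deny filter rather than by VLAN membership alone.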
Single Vendor, Multiple Solutions vs Multiple Vendors with a Single Solution Each
Retailers are faced with network, network security, and computer security issues. They must ensure that the ‘data gets to payment processing on time’ by selecting ISPs/carriers that deliver the most bandwidth reliably and for the most value. These transports must be managed in real time, and issue resolution often involves proving to an ISP/carrier that they are at fault. This ‘data in motion’, at least the PAN data, must be encrypted, which may or may not involve another service provider. The PoS machines in each store must be PCI compliant and free from malware. So, endpoint security represents another area requiring solutions.
Blue Ridge Retail Solutions cover all of the above. If anything goes wrong, it’s our job to fix it 24 x 7. In providing holistic solutions that cross multiple IT disciplines, we have been developing synergies, and continue to do so, between our network security appliances and computer security software. A capability may be interdependent across the two, or simply live in one of them because that is the better place to address it.
Wi-Fi Risks: Detection vs Prevention
The first example of a synergistic solution was inspired by one of our retailer customers concerned with rogue Wi-Fi devices. PCI compliance requires quarterly Wi-Fi scanning of stores. Blue Ridge does not and probably never will offer Wi-Fi scanning for this purpose. Conducting such scans creates ineffective data analysis work, costs retailers thousands per year, and ultimately does not prevent data theft. Continuous Wi-Fi scanning with 24 x 7 alerts would be effective. But these services cost considerably more than quarterly scans.
Blue Ridge developed an enhancement to our computer security software, which runs on our customers’ Windows-based PoS machines to enforce PCI compliance settings and block malware attacks. The enhancement makes the presence of a rogue device irrelevant, Wi-Fi or not. It does so by leveraging its kernel-level control over the PoS to ensure that only the payment application software can access PAN data. In other words, even a rogue software process running with local admin rights on such a PoS machine cannot access the PAN data. This means that a rogue device or a rogue store clerk is prevented from accessing the PAN data. Protecting other customer data too is just a policy rule change for us and for retailers.
And remember, PCI compliance requires that payment applications encrypt data transmissions. So, if a rogue software process cannot access the data, a rogue store clerk cannot, and a rogue Wi-Fi device cannot, then Blue Ridge is preventing the problem at far less cost to retailers than reacting on a quarterly basis to Wi-Fi scanning reports.
PoS Protection from Malware: Traditional AntiVirus Software Only vs Adding Zero-Day Protection Software
Any breach of PAN data, or any customer data, is a nightmare for any retailer, regardless of whether a PoS machine was compliant or not. In test after test after test of antivirus products, laboratories are reporting that traditional signature-based antivirus products, essentially what nearly all retailers have, detect an average of about 20% of new malware attacks. When labs throw in some heuristics features, average detection rates double to around 45%. After 30 days, average test results on the same malware samples improve to almost 60%. Antivirus vendors enable optional features in their products for lab tests they sponsor, which achieve test results over 85%. But security industry experts say that these features are generally too complex to use in the field, noting that nearly all enterprise organizations use nothing but the default settings, even the vendors themselves. Unfortunately, many vendors get away with sponsoring lab tests where their product is tested against large amounts of old malware (more than 3 months old) to inflate their detection rate.
The bottom line is simple: the antivirus software found on retailer PoS machines has at best a 50-50 chance of detecting a malware attack when it happens. For machines not running with local admin rights, their antivirus software may detect and remove the malware weeks or months later, after it has stolen every customer record that traversed that machine. Retailers ought to be demanding better!
Blue Ridge offers computer security software either as a managed service or as something retailers can manage themselves. Our AppGuard Enterprise Plus and AppGuard security software delivers nearly 100% protection from malware attacks without distracting store clerks from their jobs.
PCI compliance seems to require traditional, signature-based antivirus software, despite lab test results. Our security software is compatible with almost all of the antivirus products that a retailer is likely to be using. Retailers can reduce costs by replacing expensive, name-brand antivirus with less expensive, sometimes more effective alternatives. Even if the less expensive product is less effective, our software stops what it misses. More savings can be realized when the PCI Council rules on whether retailers may use newer, more effective anti-malware technologies in lieu of traditional ones.
Managed Services vs Self-Managed
Perhaps this is the biggest benefit for you. There is only so much time in the day, but there are many projects. We can allow you to focus on your sales while we handle all of the above. Our pricing includes this and the equipment, which should save you money in the long run and let you get more done.
Learn More about Blue Ridge Retail Solutions
877-528-2823

