BreachExchange mailing list archives

3 Questions to Ask Vendors When Securing POS


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 24 Nov 2014 18:55:09 -0700

http://www.databreachtoday.com/blogs/3-questions-to-ask-vendors-when-securing-pos-p-1774

Retailers have what cybercriminals want - a never-ending supply of payment
card data. Unfortunately, as a number of headline-grabbing breaches show,
many well-known retailers have failed to stop attackers from gaining access
to their payment data systems.

Why are attackers so successful at compromising companies in the retail
sector?

Competitive Pressures Change the Landscape

In response to seismic shifts taking place in the competitive landscape,
retailers are under pressure to evolve their business model. Winning their
share of the customer's wallet requires retailers to adopt innovative
technology. While the introduction of new technology helps retailers
compete, it also provides attackers with new weaknesses to exploit.

Before the competitive environment shifted, networks were built to support
point-of-sale (POS) systems connecting to back-end servers and the
corporate wide-area network (WAN). Malicious actors often seek to
compromise those corporate WANs first. In some cases, POS systems even have
direct Internet access to enable remote operations or vendor support.

In addition, larger retailers often allow their facility management systems,
such as heating, ventilating and air conditioning (HVAC) controls, to connect
to their networks. Retailers may also provide intranet and Internet access
for employees and guest Wi-Fi access for shoppers. Again, all of this is
connected to the same IT environment that carries the payment traffic.
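The flat store network described above (registers, payment back-end, corporate WAN, HVAC and guest Wi-Fi all reachable from one another) is the condition a segmentation policy is meant to prevent. The following is an added example, not code from the original post or from any vendor named in it: a small Python checker that assigns each address in a flow record to a zone and flags any flow touching the POS zone that is not on an explicit allow-list. Every zone name, address range, port and log line here is constructed for illustration; the flow-log format is an assumption, not a real product's output.

```python
"""
Added example (not part of the original post): a segmentation checker for
the store-network zones the article describes. All zones, address ranges,
ports and flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map. Every range and zone name is an assumption.
ZONES = {
    "pos":        ipaddress.ip_network("10.10.0.0/24"),     # registers (cardholder data)
    "payment":    ipaddress.ip_network("10.20.0.0/24"),     # payment back-end servers
    "corp_wan":   ipaddress.ip_network("10.30.0.0/16"),     # corporate WAN / head office
    "hvac":       ipaddress.ip_network("10.40.0.0/24"),     # facility management
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),  # customer Wi-Fi
}

# Allowed (src_zone, dst_zone, dst_port). Any flow that touches the POS zone
# and is not listed here is reported as a segmentation violation.
ALLOWED = {
    ("pos", "payment", 443),   # card transactions to the payment back-end
    ("payment", "pos", 443),   # responses / settlement callbacks
    ("corp_wan", "pos", 22),   # assumed admin access from a corporate jump host
}


def zone_of(ip):
    """Map an IPv4 address to a zone name; unknown addresses count as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse the constructed format '<src>:<sport> -> <dst>:<dport> <proto>' (IPv4 only)."""
    left, right = line.split("->")
    src, _sport = left.strip().split(":")
    dst_part, proto = right.strip().split()
    dst, dport = dst_part.split(":")
    return Flow(src, dst, int(dport), proto)


def check_flow(flow):
    """Return None if the flow is permitted, otherwise a short reason string."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "pos" not in (s, d):
        return None  # this example polices only flows that touch the POS zone
    if (s, d, flow.dport) in ALLOWED:
        return None
    return f"{s} -> {d}:{flow.dport}/{flow.proto} is not in the segmentation policy"


def find_violations(lines):
    """Run every non-empty flow line through the policy; return (Flow, reason) pairs."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            violations.append((flow, reason))
    return violations


# Constructed sample flow log: one legitimate transaction, HVAC reaching a
# register over SMB, a guest Wi-Fi client hitting RDP on a register, a register
# calling out to the Internet, permitted jump-host SSH, and an HVAC-to-WAN flow
# that is outside this example's scope.
SAMPLE_LOG = """\
10.10.0.15:50211 -> 10.20.0.5:443 tcp
10.40.0.7:41022 -> 10.10.0.15:445 tcp
192.168.50.33:60000 -> 10.10.0.22:3389 tcp
10.10.0.15:50300 -> 203.0.113.10:80 tcp
10.30.1.9:52000 -> 10.10.0.15:22 tcp
10.40.0.7:41030 -> 10.30.2.2:8443 tcp
"""

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_LOG.splitlines()):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}: {reason}")
```

Run against the constructed log, the checker reports three violations: the HVAC host reaching a register, the guest Wi-Fi client reaching a register, and a register talking to an Internet address. The HVAC-to-WAN flow is not reported because the allow-list here only covers the POS zone; extending `ALLOWED` to every zone pair turns the same code into a whole-store policy check.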

Enter the cybercriminal. While the customer welcomes new technology with
open arms, so too does the cybercriminal, but for entirely different
reasons.

Since many retailers still rely on commodity hardware, software and legacy
operating systems built around the POS system, attackers can use
relatively straightforward tools and tactics to breach the network and grab
data. Each new connection into that environment gives attackers another
attack vector to pursue.

Retailers cannot avoid innovation. Cybercriminals thrive when retailers
innovate. What can retailers do to stop cybercriminals from breaching their
defenses?

Revisiting IT Security Practices

Stopping cybercriminals from stealing data requires a reassessment of a
retailer's IT-related security risk. In order to gather a detailed
understanding of the threats they face and the steps needed to manage and
mitigate such risk, retailers often turn to third-party security vendors.

Asking security providers to answer the following three questions can help
retailers uncover vendors best equipped to meet their needs.

Question #1: Can your solutions support multiple locations?

For retailers with stores throughout the country, and sometimes around the
world, cloud-based security solutions offer many advantages over
on-premises solutions. Cloud-based solutions also allow merchants to scale
their operations to reflect increases and decreases in the number of
stores. In addition, establishing how the solution handles high-risk
traffic within the store network can help determine how much demand the
security vendor will place on the IT infrastructure.

Question #2: Does your solution include advanced security capabilities?

Cybercriminals create and employ a variety of techniques to gain access to
a retailer's network. A dynamic security solution that reflects the latest
threat intelligence plays a critical role in stopping attackers. Also, the
ability to integrate with existing security layers, such as anomaly
detection, is an important factor as it helps the retailer gather
information in a central location and develop actionable intelligence to
prevent attacks.

Question #3: What reporting capabilities does your solution include?

Robust reporting can help retailers accomplish several important goals such
as management and compliance-related reporting, and bandwidth consumption
analysis. It may also provide market intelligence regarding the use of
guest Wi-Fi to compare in-store pricing with online and traditional
retailers.

Innovation is Here to Stay - So Are Cybercriminals

Customer expectations and competitive pressures will continue to justify
increases in the investment and adoption of technology within the retail
sector. With the emergence of new business models supported by the
Internet, retailers will continue to face a never-ending stream of
challengers for share of the customer's wallet.

Since merchants capture a tremendous volume of payment card and personal
data to derive their revenue, they will always attract sophisticated
cybercriminals. While retailers continue to adopt new forms of technology
to meet customer expectations, "behind the scenes" many employ commoditized
and consequently insecure IT infrastructure.

In light of the pervasive threats they face, retailers may choose to engage
third-party security vendors to assess and harden their networks. The
questions detailed in this post can help them begin the process of
uncovering qualified vendors.

Time is of the essence. Retailers will continue to gather credit card data.
As long as they do, cybercriminals will be ready to steal it.

For more on solutions providing intelligent cybersecurity for the real
world, visit www.cisco.com/go/threat-centric to learn about the industry's
broadest portfolio of security solutions covering the broadest set of
attack vectors.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!