Author: Michelle Arney.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards intended to ensure that every company that accepts, processes, stores or transmits credit card data maintains a secure environment. It was created and is managed by the PCI SSC (www.pcisecuritystandards.org), an independent organization initiated and led by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). Referred to more commonly as PCI compliance, it has become a priority across countless industries, from retail to transportation to restaurants and hospitality, and the list goes on: if you accept credit cards, PCI compliance matters to you.
Unfortunately, the associated expense and IT management burden can be overwhelming, as PCI compliance is typically not an organization’s core competency (nor should it be). And while PCI compliance doesn’t contribute to an organization’s bottom line, the legal and financial ramifications of non-compliance can be severe. Consequently, many organizations are left wondering how best to implement and ensure PCI compliance at the corporate level, roll it out to remote locations efficiently and cost-effectively, ensure compliance at remote sites that may lack onsite IT expertise, and sustain compliance across the entire organization in a constantly evolving threat landscape.
Certainly, retail is an industry highly focused on achieving PCI compliance, and for the purposes of this discussion I will use it as the focus. Retail serves as a prime example of an industry that can have a centralized corporate data center as well as decentralized business units possessing little, if any, onsite IT expertise (think of a large, well-known retail brand with remote shopping mall locations). Of course, these same practices and principles can be applied in countless other scenarios.
Fundamental Enabling Practices
Simplification begins with minimizing the technical friction related to PCI compliance and creating consistent security standards across your distributed organization. The most critical considerations when creating a security plan are:
- Dividing PCI and non-PCI applications and information
- Encrypting data in flight and data at rest
- Managing user access to data
- Employing multi-layer security
Dividing PCI and Non-PCI Applications and Information
PCI standards dictate analyzing your IT infrastructure to identify all components located within or connected to the card holder data (CHD) environment—and then reducing the scope by isolating the CHD environment from the remainder of the network. While this aspect of PCI leads to a focus on the network, it is critical to address both your network and your applications.
For example, each application should have access to only the relevant data for that specific application. You can take a practical approach to PCI compliance through cloud-managed micro-segmentation, partitioning every app into its own virtual network to isolate it from other apps (including corporate apps, payment apps, loyalty apps, franchisee apps, IoT apps, etc.). This methodology enables security policy enforcement on a per-application basis, thereby minimizing the risk of lateral breach proliferation across applications.
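To make the scoping point concrete, here is an added example (not code from the original article or from any vendor it describes) that models per-application segments with a default-deny policy and shows the difference a PCI scoping review sees between a flat network and a segmented one. All segment names, ports and rules are constructed for illustration.

```python
"""Toy model of per-application micro-segmentation (constructed example).

Each application lives in its own segment; a flow between two segments is
allowed only if an explicit rule permits it (default deny). The helper
segments_reaching() answers the question a PCI scoping exercise asks:
which segments have any path into the cardholder-data (CHD) segment?
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

Rule = Tuple[str, str, int]  # (source segment, destination segment, TCP port)

# Constructed segment names; "payment" is where cardholder data lives.
SEGMENTS = ("corporate", "payment", "loyalty", "franchisee", "iot", "internet")
CHD_SEGMENT = "payment"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Weak setting: a flat network with no policy, every segment reaches every other.
FLAT_POLICY: Optional[FrozenSet[Rule]] = None

# Corrected setting: each app gets only the paths it needs (constructed rules).
SEGMENTED_POLICY: FrozenSet[Rule] = frozenset({
    ("payment", "internet", 443),     # payment app to its payment gateway over TLS
    ("loyalty", "internet", 443),     # loyalty app to its hosted backend
    ("franchisee", "internet", 443),
    ("corporate", "internet", 443),
    ("iot", "internet", 443),         # IoT devices report to their cloud service
    ("corporate", "loyalty", 443),    # corporate reporting reads the loyalty API
})


def is_allowed(flow: Flow, policy: Optional[FrozenSet[Rule]]) -> bool:
    """Default deny: a cross-segment flow needs an explicit rule.

    Traffic that stays inside one segment is left to that segment's own controls.
    """
    if flow.src == flow.dst:
        return True
    if policy is None:  # flat network, nothing is enforced
        return True
    return (flow.src, flow.dst, flow.port) in policy


def evaluate(flows: Iterable[Flow], policy: Optional[FrozenSet[Rule]]) -> List[Tuple[Flow, str]]:
    """Return an ALLOW/DENY verdict for each flow under the given policy."""
    return [(f, "ALLOW" if is_allowed(f, policy) else "DENY") for f in flows]


def segments_reaching(policy: Optional[FrozenSet[Rule]], dst: str) -> Set[str]:
    """Other segments with any allowed path into `dst`.

    Under the segmented policy this is the set that stays in PCI scope.
    """
    if policy is None:
        return {s for s in SEGMENTS if s != dst}
    return {src for (src, d, _port) in policy if d == dst and src != dst}


# Constructed flows: lateral attempts from non-payment segments toward the
# CHD segment, plus two legitimate application flows.
SAMPLE_FLOWS = [
    Flow("iot", "payment", 445),
    Flow("iot", "payment", 3389),
    Flow("loyalty", "payment", 443),
    Flow("payment", "internet", 443),
    Flow("corporate", "loyalty", 443),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"--- {name} network ---")
        for flow, verdict in evaluate(SAMPLE_FLOWS, policy):
            print(f"{verdict:5} {flow.src:>10} -> {flow.dst:<8} :{flow.port}")
        print("segments that can reach CHD:", sorted(segments_reaching(policy, CHD_SEGMENT)))
```

The useful output is the last line of each run: on the flat network every segment can reach the CHD segment and is therefore in scope, while under the segmented policy none can, so only the payment segment itself remains in scope. A real deployment enforces the same idea in the SD-WAN or firewall policy rather than in Python, but the scoping check is identical.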
Encrypting Data in Flight and Data at Rest
Sensitive data can appear at multiple points across your network, from a point of sale (POS) card scanner and mobile applications to payment information submitted on a web page, transmitted across your network, and held in various storage systems. As EMV (a technical standard for smart payment cards) gains wider adoption, counterfeit card fraud may be decreasing, but card-not-present fraud is rapidly gaining prominence. Consequently, you should secure every source, destination, and path of sensitive data as a key element of your PCI compliance strategy.
Managing User Access to Data
Multi-factor authentication (MFA) protects data access through a number of verification methods while satisfying the desire of users for simple logins. Leveraging a centralized cloud-based network solution can help to ensure a scalable approach to policy configuration and enforcement across multi-site deployments. This kind of solution can help you automate consistent security standards, eliminate manual configuration errors, and accelerate security updates across locations.
Employing Multi-Layer Security
PCI standards advocate using multiple security layers, including encryption, firewalls, malware protection, and antivirus protection. This defense-in-depth strategy should also include granular security policies tailored for each application (as opposed to being applied to the entire network).
Sustainable, Affordable Deployment
An affordable, low-touch solution that delivers true app and network security remains high on many retailers’ wish lists. Most acknowledge that this is especially important when securing networks that are prone to attack, such as those carrying sensitive cardholder data. Low-friction PCI compliance solutions can free up the IT budget currently spent on maintenance, upgrades, and integration for more strategic initiatives that enhance the customer experience (CX), revenues and profitability.
The SD-WAN Option
Today, many retailers who have limited or no remotely-based IT staff have relied upon secure, software-defined WAN (SD-WAN) solutions as a way to enable PCI compliance for their networks.
SD-WAN solutions can accelerate secure business operations across multiple sites by consolidating many security and network functions (such as VPN, firewall, intrusion detection, and MFA) in a single cloud-managed device. Using a simple plug-and-play appliance that onsite retail personnel with no IT or security training can install, retailers can avoid both the capital and operational expenses of costly, complex multi-device network solutions that are often prone to failure.
A cloud-managed SD-WAN solution enables you to:
- Centrally configure and enforce security policies across all locations for a consistent, standardized security approach.
- Automate security updates so all remote locations receive them quickly, improving response times in a constantly evolving threat landscape.
- Place the solution on top of your existing networks as a virtualized software layer, preserving existing network investments while optimizing application security and performance.
Because monitoring is an important element of sustained PCI compliance, some cloud-managed SD-WAN solutions include continuous network monitoring as a core component. When emerging or resurging threats are detected in one area of the network, a fast response can eliminate the immediate threat(s) while the required security updates are proactively propagated throughout your distributed enterprise.
Implementing these defense strategies can be formidable with traditional VPNs (which have typically become overly complex and labor-intensive) and MPLS (which is expensive and can take months to get up and running). Both technologies can erode your time-to-market advantage, slow your growth strategy and cut profitability.
In contrast, the flexibility and scalability of a well-designed SD-WAN simplifies and automates this process to extend enterprise-grade, multi-layer security all the way to the edge of your network without requiring onsite IT and security professionals.
Taking PCI Compliance Beyond the Checklist and to the Next Level
By adhering to these straightforward steps, you can enjoy a completely secure and affordable PCI-compliant infrastructure that your retail locations (reminder: these steps apply to non-retail too!) can deploy on their own broadband connections in minutes—with no IT or security training. The resulting business benefits extend far beyond checklist PCI compliance solutions that may or may not be truly secure.
The high performance, ease of use and management simplicity of some of today’s cloud-managed SD-WAN solutions free up time and dramatically reduce costs. As a result, you can redirect your IT budget and resources toward initiatives that enhance the customer experience (CX), such as unified commerce, mobile payments, guest Wi-Fi, beacons, and other emerging technologies, and ultimately your bottom line.