Why security and PCI compliance are critical for retail networks and SD-WAN implementations

Retailers are embracing digital transformation to enhance customer experience, improve operations, and meet the ongoing threat of online shopping. But as they do so, they potentially are increasing their exposure to cybercriminals.

With large sprawling networks, and a variety of communication protocols being deployed at retail stores (wireless LANs, GPRS, Bluetooth, NFC, RFID and cellular technologies among them), the entry points for attacks have multiplied substantially. Add to that list various connected applications, more digital touchpoints, smart appliances and infrastructure, in-store associates’ devices, and customers’ mobile phones and we begin to see the magnitude of not just the risk, but the complexity involved in safely yet efficiently managing the network environment.

PCI compliance is the standard by which retailers judge – and are judged on – their security measures. But simply meeting the standard once a year is not enough, as cybercriminals work daily to find vulnerabilities.

To ensure your retail business is doing everything it can to secure its networks, let’s take a look at the new types of attacks leading to data breaches, why old security methods are often insufficient, and how an SD-WAN solution not only addresses the business needs associated with application, device and network proliferation, but also enables more efficient and effective PCI compliance.

Typical cyberattack methods against retailers and the significant costs

The potential danger that cyberattacks pose to retailers is nothing new. Breaches have been front-page news for years, as a string of large retailers have reported security breaches that affected millions of their customers. The attacks are targeted at smaller chains as well as major big-box retailers. A recent report by NetDiligence confirmed that the average breach costs at retailers of all sizes over the past five years amount to $1.6 million. Add to that the massive risks to brand reputation and customer defections (a reported 70% of consumers would consider leaving a retailer if they were hit by a cyberattack) and it’s clear that security is everyone’s problem.

Hackers usually start their assaults on retailers’ networks and the spectrum of targets and techniques is wide, including:

• User manipulation through social networking


• Privileged credential hacking


• Email phishing


• Web application attacks (not just against ecommerce sites) through SQL injection and cross-site scripting


• Invasion through vulnerabilities that allow remote access

Once within the network, cybercriminals attempt to move laterally to the cardholder data environment (CDE) and the POS systems. Thus, it’s not a surprise that the most common insurance claims by retailers by type of data compromised are payment card data (53 percent), PII (11 percent) and critical file breaches (11 percent).

Network security and the benefits of a PCI-compliant SD-WAN

PCI compliance standards treat network security as a cornerstone, referring to it in three of the six core control objectives:

• Build and Maintain a Secure Network and Systems


• Implement Strong Access Control Measures


• Regularly Monitor and Test Networks 

Traditionally, firewalls and router configurations have been the go-to methods for both implementing a PCI Data Security Standard (DSS), and segmenting the network environment. Proper and complete firewall implementations, as well as ongoing updates, are critical for maintaining security, but not always efectively maintained.

MPLS networks can be effective in providing end-to-end connectivity, but their rigidity and significantly higher costs have encouraged the retail industry to start adopting SD-WAN. Furthermore, MPLS networks lack flexibility, application awareness and real time visibility and control to be able to efficiently solve for VOIP, ecommerce, and the other new applications retailers are deploying.

In addition to the physical network, wireless connectivity in the store has also multiplied. An SD-WAN can handle the multiple communication protocols, broadband and WAN interfaces, and MPLS and LTE combined. With the additional services retailers are leveraging and the expanding need for wireless connectivity, the flexibility and scalability of SD-WAN is a game changer.

From a cybersecurity perspective, SD-WAN enables network policy, segmentation, and security management. Flexible provisioning and segmentation capabilities allow retailers to easily isolate POS systems, as well as other critical networks and data. While segregating the POS system from the rest of the network isn’t a requirement under the PCI standards it is highly recommended and is considered a best practice.

Retailers can further reduce some of the burden of PCI compliance by ensuring the SD-WAN solution and vendor they select offer PCI-compliance. Besides the benefit of SD-WAN itself, picking a PCI-compliant vendor significantly reduces the compliance costs of self-certification.

Why retailers should deploy a PCI-compliant SD-WAN

When retailers choose a PCI-compliant SD-WAN partner they can:

• Enhance security compliance


• Significantly reduce the attack surface of any cyberattacks by isolating cardholder data into a smaller, more controlled environment


• Reduce the scope, and thus the cost, of the PCI DSS assessment because only the POS network will be in scope


• Minimize the cost and effort of implementing and maintaining ongoing PCI DSS controls

Equipped with a PCI-compliant SD-WAN, retailers can address the following security best practices to not only ensure compliance, but also to minimize the significant costs associated with a data breach:

Segment the networks/reduce your scope: SD-WAN delivers the flexibility to easily segment multiple networks, implement application-aware routing and isolate certain networks, thus limiting the attack surface of highly sensitive, in-scope, payment card data. Additionally, network segmentation is valuable in minimizing the impact of a successful attack to a specific area. Proper segmentation can prevent the attack from propagating beyond the borders of the segment.

Understand the Lifecycle Of a Credit Card Transaction: It’s important to understand the number of transactions you process and the environment you are processing them in (POS systems, secure websites, etc.). Then do an inventory of all POS terminals/cash register systems/card readers on the network. Understand all stages of the payment ecosystem from POS device to payment gateways to the bank and back. Credit cardholder data must be safe at all stages of the transaction.

Implement “least privilege” principles in your SD-WAN digital experience: To further enhance the segmentation concept, retailers should adhere to the principles of “least privilege” (POLP). Only those who have a need should be granted access to the most sensitive networks and traffic, with that access further limited by location or time-of-day policies. Since the majority of attacks involve the use of privileged credentials, cybercriminals can enter at one point and move laterally through the network environment. Segmentation and alerting functionality at critical nodes in the network will help identify and contain attacks at those gates rather than letting them roam through the network.

Perform periodic network penetration and vulnerability testing: Ascertaining PCI compliance certification once a year is not enough. Several of the high-profile breaches have occurred within days or months of obtaining certification. (Several big retailers had been certified as compliant just weeks before or after a major breach).  In addition to real-time network monitoring, retailers should perform regular penetration testing and network traffic analyzes utilizing IDS (intrusion detection systems), net flow monitoring to classify and troubleshoot threats, and raw packet data and custom sensor output inspections.

Additional best practices to follow

In addition to deploying a PCI-compliant SD-WAN, retailers should be mindful of other security best practices:

Make sure your firewall configuration is up to date. A firewall is of vital importance but it’s not enough by itself. You have to keep updating it to reflect changes to your business. As retailers add new vendors, new applications, new devices they need to ensure the firewall configurations are updated. Otherwise, you’ve created an opening for hackers.

Do the same for your antivirus software. Make sure your antivirus software is updated to look for the latest threats.

Take a pass on vendor-supplied passwords. Ensure password policies uniquely identify users as opposed to using default and shared settings, especially as new devices are added to the network.

To summarize

The PCI compliance mandate is nothing new to retailers. What’s new and growing is the myriad applications, devices, and network protocols that modern retailers are adopting to create new engagement models, enable vital customer analytics and operational efficiencies. The legacy network architectures cannot keep up; SD-WAN technologies are the answer for agile and secure network management. To minimize the risks of costly data breaches and the related compliance certification challenges, retailers need to consider PCI-compliant SD-WAN solutions while continuing to implement agile network security best practices.

Learn more about SD-WAN solutions from Comcast Business.

Retailers of all sizes can enable data and analytics transformations and new applications with reliable and secure networking and communications technology, including WiFi solutions and PCI-compliant SD-WAN. Schedule a consultation at (855) 249-9475 or visit business.comcast.com.