
Key Strategies & Topics

PRIORITY LEVEL: HIGH

DEPLOYMENT / IMPLEMENTATION

Covered by the implementation project plan

RESPONSIBILITIES – FRANCHISEES VS. FRANCHISORS

• Shared responsibilities for PCI and PII – customers and staff
• Employee cyber security training
• Document systems and processes
• Standardize wherever possible
• Internal department awareness and communication

LOYALTY SYSTEMS & POS SECURITY INCIDENT RESPONSE

• Have a plan
• Rehearse the plan (tabletop exercises)
• Defined responsibilities internally and externally
• Communications responsibilities and plans
• Have an outside facilitator run the tabletop to avoid internal political issues

BUSINESS CONTINUITY AND DISASTER RECOVERY

• Multi-path connectivity to compensate for network outages (black outs)
• SD-WAN to protect application performance during periods of network congestion (brown outs)

RESPONSIBILITIES – SERVICE PROVIDERS, OPERATORS

• Identify core requirements, risks
• Identify PCI surface area

USERS - IDENTITY AND ACCESS MANAGEMENT

• Card sharing
• Employee ID best practices
• QR codes for ID
• Difference between identity and authorized access

CURBSIDE PICKUP & POS SECURITY

PCI DSS

• Proactively maintain PCI DSS compliance
• Prepare for new PCI DSS 4.0 requirements (to be released in mid-2021)
• Phone line encryption for VOIP systems utilizing credit card data (already a requirement)
• System verification (PCI-compliant Point-to-Point Encryption (P2PE) approved)
• Vendor verified and compliant
• 3rd party vendors compliant

ONLINE ORDERING SECURITY & THE POS

Third-Party POS integration/Security category

POS SECURITY PRODUCT REQUIREMENTS

P2PE, EMV, SSO, Security & Scalability, Tokenization, Partnerships, Device Management, Centralized Patch Management, Granular Security Capabilities (franchisees/franchisors, service providers)

PRIORITY LEVEL: MID


MSSP CONSIDERATIONS

Expectations, Responsibilities, Pen Testing, Firewall Management

• Clear responsibilities and contacts identified
• Field services and installation services
• NOC vs SOC services
• Procurement
• Vendor Risk Assessments
• Analysis capabilities
• Vendor Certifications – PCI, SOC II
• Customer Helpdesk

Pentest - how do you evaluate a report and its findings? (A vulnerability scan report is not sophisticated and is not a true pentest.) Timelines, scope of work; focus on clear requirements, pre-engagement meetings, in- vs. out-of-bounds activities (red, blue, purple teaming; external vs. internal pen tests)

ORGANIZATIONAL MANAGEMENT

IT ownership; Security; Finance

THIRD-PARTY DELIVERY SECURITY

REMOTE ACCESS BEST PRACTICES

Monitoring, Encryption, Fraud, MFA

*MAJOR ATTACK VECTOR WHEN IMPLEMENTED INCORRECTLY

CLOUD, ON PREM, HYBRID DEPLOYMENT CONSIDERATIONS

Trust but verify documentation and security processes with all vendors

PRIORITY LEVEL: LOW

RESOURCE MANAGEMENT WITH LOW CAPITAL


PLATFORM SECURITY – EMBEDDED OS, APPLE, ANDROID, ETC.

Minimum requirements for security – provisioning systems – Better define this requirement?

*SHOULD BE ABSTRACTED FROM THE POS… IT ISN’T NOW BUT WILL BE

CONTACTLESS - DIGITAL WALLET INTEGRATIONS SECURITY

Apple Pay, Google Pay, Alipay, WeChat Pay, etc. - how do you handle payment data and PII?

FORM FACTOR SECURITY, MOBILE DEVICE MANAGEMENT

Port lockdown, appliance management, minimum requirements for security - provisioning systems

SECURITY AUTOMATION

• Patch management
• Incident and Event Management – SOC
• Playbooks
• Tamper control / change management control
• Define more what to automate… after the fact

PRIORITY LEVEL: KEEP EVERGREEN

COVID-19 CONSIDERATIONS

Master Chart

PROGRAMS, DEFINED BY FORMER, CURRENT & FUTURE STATE

RUN

OPERATIONS

• Former state: Localized, on-prem solution
• Current state: Cloud based gaining market share, but most systems still on-premises based
• Future state: All cloud, managed, utilizing AI/ML insights to drive operations
• Changes necessary to get from current > future state: KPI driven business operations with a SaaS model

ORDERS, CUSTOMER PAYMENT METHOD

• Former state: Cash focused, physical security focused
• Current state: Mobile first, credit card focused, payment card security standards
• Future state: QR codes, NFC, voice based ordering, Venmo, Zelle, ecommerce level cybersecurity
• Changes necessary: Lots of new options available, but the business case for adoption is not well understood (yet). Adoption in the US is accelerating rapidly (WeChat in China, etc.).

ORDERS, PLATFORM

• Former state: Menu boards, phone in, call centers
• Current state: Online hybrid, digital menu boards
• Future state: Loyalty ordering, social media ordering, customer analytics (payment, transaction, loyalty data sets), POS everywhere
• Changes necessary: Amazon style one stop shopping

THIRD-PARTY INTEGRATIONS

• Former state: 1:1, subject to opportunity, expensive, inaccessible, large brand play, tech debt prohibitive
• Current state: Fragmented, complex, gated, emerging, SaaS expensive at scale
• Future state: Ubiquitous, click to install, low friction, drive innovation
• Changes necessary: Industry standard integration under development; movement from license-based models to more SaaS based with open APIs

OTHERS (personalization, loyalty, alternative customer data business models)

• Former state: Simple correlation
• Current state: AI/ML, who owns the customer data (data stewardship), GDPR/privacy liabilities
• Future state: Cloud managed service with subscription based access. Would expect to see 3-4 main players selling a service.
• Changes necessary: Data privacy laws updated as well as consumer protection. Industry driven decisions on data ownership.

SUPPORT

WAN (INTERNET EDGE)

• Former and current state: Single WAN transport is predominant, as POS & payment functionality was not as reliant on “always on” connectivity. A second transport for business continuity is not driving new business functions. Security was perceived as an inherent service from the ISP. Expansion of internal devices starts to create a more grey edge, but one that is still definable. Migration from MPLS to broadband for cost efficiencies begins. SD-WAN adoption picks up, first as a way to reduce costs and complexity, but soon becoming a requirement to drive new business applications and scale to support the growing number of endpoints for the customer experience. Security of sensitive data becomes more critical and goes beyond just payment data. This requires secure connectivity via Secure SD-WAN as well as security on the internal network, the edge, and external access to cloud applications.
• Future state and changes necessary: Secure SD-WAN becomes standard to support the growing proliferation of devices and protect the undefinable edge. Real-time application steering and dynamic traffic allocation become necessary to continue to drive new customer facing technologies and increased usage of SaaS and public/private cloud applications. A “self-healing” network becomes a reality as artificial intelligence, machine learning, and increased use of automation help to predict, identify, resolve, and even prevent issues in real time.

LAN (INTERNAL NETWORK)

• Former and current state: Flat networks are prevalent, with physical segmentation common. VLANs are created for different network segments, but not according to business requirements. East-West CDE (Cardholder Data Environment) segmentation becomes standard as PCI and other regulations require clear separation of payment systems from cardholder networks. The prevalence of IoT devices starts to create challenges, as the traditional network edge becomes hard to define.
• Future state and changes necessary: ZTNA, or Zero-Trust Network Access, assumes no user/device is trusted and limits access to only the most necessary requirements. Default deny-all becomes the standard, and allow lists are created to grant access incrementally. Micro-segmentation becomes a requirement as edge computing, cloud adoption, and containers permeate day-to-day operations. Traffic management, as restaurant systems complexity increases, will be necessary to maintain business continuity, but many companies may just need link aggregation or failover. Complex routing, aggregation, and granular management may be necessary at a datacenter or (private/public) cloud instance for centralized resources. This technology is commoditized and available from many suppliers, but multiple ISP services are not as common, especially in remote or rural areas.

Sophisticated ZTNA requires extensive expertise and equipment that are available but not easily managed at scale. Many restaurants may choose to outsource this management to third parties. These capabilities exist today but are not widely adopted due to a lack of understanding and complexity. If you are not, at a minimum, at the current accepted state, you should audit your systems immediately and implement suggested remediation technologies and processes.
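The LAN and ZTNA rows above describe CDE segmentation, a default deny-all posture and allow lists that grant access incrementally. The following is an added example (not code from the original page or from any vendor it mentions) that works that model through as a policy check over sampled flows: the zone address ranges, the allow-list rules and the flow records are all constructed for illustration, and the zone names are assumptions for a typical restaurant site.

```python
"""Default-deny segmentation check for a restaurant site network.

Added example, not code from the original page. Zone address ranges,
allow-list rules and the sample flows are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone map: one CIDR per network segment at a site.
ZONES = {
    "cde": ip_network("10.10.0.0/24"),           # POS terminals, payment apps (cardholder data environment)
    "back_office": ip_network("10.20.0.0/24"),   # manager PCs, local servers
    "iot": ip_network("10.30.0.0/24"),           # digital menu boards, kitchen displays
    "guest_wifi": ip_network("10.40.0.0/24"),    # customer Wi-Fi
    "payment_gw": ip_network("203.0.113.0/24"),  # stands in for the processor (RFC 5737 documentation range)
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    reason: str


# The allow list. Anything not matched here is denied, including traffic
# between hosts in the same zone (micro-segmentation: no implicit trust).
ALLOW_LIST: List[Rule] = [
    Rule("cde", "payment_gw", "tcp", 443, "P2PE terminal to processor over TLS"),
    Rule("back_office", "cde", "tcp", 22, "administrative access to POS from the back office"),
    Rule("iot", "back_office", "tcp", 8443, "menu boards pull content from the local server"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside every defined segment."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one observed flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        # Unknown addresses never match a rule; an undefined edge is still denied.
        return "deny", "address outside every defined zone"
    for rule in ALLOW_LIST:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (
            src_zone, dst_zone, flow.proto, flow.dport
        ):
            return "allow", rule.reason
    return "deny", f"no allow-list entry for {src_zone} -> {dst_zone} {flow.proto}/{flow.dport}"


def cde_exposures(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Denied flows that touch the CDE: the segmentation findings to review first,
    since each is traffic into or out of the payment segment that the allow list
    does not permit and that a properly segmented network should never carry."""
    findings = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny" and "cde" in (zone_of(flow.src), zone_of(flow.dst)):
            findings.append((flow, reason))
    return findings


# Constructed sample of observed flows, as a firewall or flow collector might log them.
SAMPLE_FLOWS = [
    Flow("10.10.0.12", "203.0.113.10", "tcp", 443),  # POS -> processor: allowed
    Flow("10.40.0.55", "10.10.0.12", "tcp", 443),    # guest Wi-Fi -> POS: denied
    Flow("10.30.0.7", "10.10.0.12", "tcp", 22),      # menu board -> POS: denied
    Flow("10.20.0.3", "10.10.0.12", "tcp", 22),      # back office -> POS: allowed
    Flow("10.10.0.12", "10.10.0.13", "tcp", 445),    # POS -> POS lateral: denied (no rule)
    Flow("192.168.99.9", "10.10.0.12", "tcp", 443),  # unknown address -> POS: denied
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = evaluate(flow)
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    print(f"{len(cde_exposures(SAMPLE_FLOWS))} denied flows touch the CDE")
```

Run against real flow logs, the interesting output is not the allows but the denies that touch the CDE: each one is either a segmentation gap to close or a missing allow-list entry to justify and document, which is the incremental, reviewed expansion of access the ZTNA row calls for.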
