POS Security Implementation Best Practices
• Former, Current and Future State Guidance • Vendor Risk Assessment
www.restauranttechnologynetwork.com
Introduction
Point of Sale (POS) systems are part of every restaurant concept and size, but they are implemented and deployed in ways that lead to a lack of uniformity in security capabilities. This fragmentation increases risk for individual stores as well as for large brands. This group was created to develop industry standard security requirements and implementation best practices that address these issues and increase the security maturity of the POS.
Staff
• ABBY LORDEN, VP and Brand Director, HT; Co-Founder, RTN. 973.607.1358, alorden@ensembleiq.com
• ANNA WOLFE, Senior Editor, HT. 207.773.1154, awolfe@ensembleiq.com
• ANGELA DIFFLY, Co-Founder, RTN. 404.550.7789, angela@restauranttechnologynetwork.com
• MICHAL CHRISTINE ESCOBAR, Senior Editor, HT. 224.632.8204, mescobar@ensembleiq.com
• PATRICK DUNPHY, CIO, HTNG & RTN. 312.690.5039, patrick@restauranttechnologynetwork.com
• KATHERINE WARE, Senior Account Executive, HT & RTN. 785.424.7392, kware@ensembleiq.com
• KIRSTEN PHILLIPS, Marketing and Membership Manager, HT & RTN. 812.322.0681, kirsten@restauranttechnologynetwork.com
• NOELL DIMMIG, Account Executive, HT & RTN. 973.607.1370, ndimmig@ensembleiq.com
• ROBERT FIRPO-CAPPIELLO, Editor in Chief, HT. 917.208.7393, rfirpo-cappiello@ensembleiq.com

RTN Mission
The Restaurant Technology Network (RTN) is a membership community solely dedicated to the restaurant technology industry. Through access to valuable benefits and powerful connections, our members shape industry standards and share technical guidance to help restaurateurs run successful businesses and better serve their customers.

RESTAURANT TECHNOLOGY NETWORK
Table of Contents
• Restaurant POS Evolution & Challenges (page 4)
• Key Strategies & Topics (page 6)
• Master Chart: Programs, defined by former, current & future state (page 10)
• Vendor Risk Assessment (page 14)
• Remote Access Best Practices (page 15)
• Glossary of Terms (page 20)
Key Contributors
• MARK CLINE, Senior VP of Sales, Netsurion
• DAN EDWARDS, Director, IT Purchasing, QSCC / Wendy’s
• BOB GIBSON, Chief Revenue Officer, Jolt
• TIM GUERRIERO, Information Security Program Manager, P.F. Chang’s
• COURTNEY RADKE, CISO, Fortinet
• TIM TANG, Director, Enterprise Solutions, Hughes

Additional Contributions
Copyright 2021 Restaurant Technology Network (RTN). All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or information storage and retrieval systems, without express written permission from the publisher. RTN is a wholly owned subsidiary of EnsembleIQ, with principal headquarters at 8550 W. Bryn Mawr Ave., Suite 200, Chicago, IL 60631.
Restaurant POS Evolution & Challenges
In the past, restaurant point of sale (POS) systems were largely static, limited to the core features and functionality available when first deployed. The restaurant POS has since evolved, allowing integration and unlocking new services, but this evolution brought with it a new set of security challenges. From a strictly closed environment to a business hub with multiple internal and third-party integrations coming online all the time, today’s POS acts as the center of connectivity for everything from inventory, labor management and drive-through enhancements to training, email, and company intranet access. Throughout the restaurant POS evolution, restaurant operators took different paths to accommodate operational needs, each with its own unique security challenges.
Same Path Solution
Yesterday’s POS is no longer viable to support the expanding needs of today’s restaurants. Some restaurants continued down the same path, adding more features and functions and turning their once closed environment into a Frankenstein of integrations, services, and applications. This approach is hard to manage and secure, as the complex environment leads to gaps in visibility and control that can be hard to identify, and even harder to fix down the road.

Separation Solution
Some restaurants unraveled and decoupled non-POS functions from the core POS environment, creating distinct and segmented services inside the restaurant for better functionality and, hopefully, greater security. The problem with this approach is that the unraveling/decoupling is often hard to manage, as some core POS functions are now reliant on third-party integrations and require exceptions to be made in order to maintain business operations.

POS Anywhere Solution
Some restaurants adopted a cloud-centric approach, whereby core functionality of the POS was shifted outside the physical restaurant into POS provider-managed cloud environments. This approach allows for a clearer distinction and segmentation of POS functions but still leaves room for scope creep in some hybrid models. Additionally, the “POS anywhere” approach dictates a greater reliance on robust and redundant connectivity for business operation continuity.

Regardless of which approach restaurants take on their POS journey, security must remain at the forefront. As compliance requirements continue to evolve and data and privacy regulations expand, it becomes mission-critical for restaurants to embrace a culture of security as a continuous process, as opposed to something addressed at a single point in time.
Key Strategies & Topics

PRIORITY LEVEL: HIGH

1. DEPLOYMENT / IMPLEMENTATION
Covered by the implementation project plan.

INCIDENT RESPONSE
• Have a plan
• Rehearse the plan (tabletop exercises)
• Defined responsibilities internally and externally
• Communications responsibilities and plans
• Have an outside facilitator run the tabletop to avoid internal political issues

RESPONSIBILITIES – FRANCHISEES VS. FRANCHISORS
• Shared responsibilities for PCI and PII (customers and staff)
• Employee cyber security training
• Document systems and processes
• Standardize wherever possible
• Internal department awareness and communication

BUSINESS CONTINUITY AND DISASTER RECOVERY
• Multi-path connectivity to compensate for network outages (blackouts)
• SD-WAN to protect application performance during periods of network congestion (brownouts)

LOYALTY SYSTEMS & POS SECURITY RESPONSIBILITIES – SERVICE PROVIDERS, OPERATORS

CURBSIDE PICKUP & POS SECURITY
• Identify core requirements and risks
• Identify PCI surface area

PCI DSS
• Proactively maintain PCI DSS compliance
• Prepare for new PCI DSS 4.0 requirements (to be released in mid-2021)
• Phone line encryption for VOIP systems utilizing credit card data (already a requirement)
• System verification (PCI compliant Point-to-Point Encryption (P2PE) approved)
• Vendor verified and compliant
• 3rd party vendors compliant

USERS - IDENTITY AND ACCESS MANAGEMENT
• Card sharing
• Employee ID best practices
• QR codes for ID
• Difference between identity and authorized access

ONLINE ORDERING SECURITY & THE POS
PRIORITY LEVEL: ? Third-party POS integration/security category.

POS SECURITY PRODUCT REQUIREMENTS
P2PE, EMV, SSO, security & scalability, tokenization, partnerships, device management, centralized patch management, granular security capabilities (franchisees/franchisors, service providers).

PRIORITY LEVEL: MID

2. MSSP CONSIDERATIONS
Expectations, responsibilities, pen testing, firewall management.
• Clear responsibilities and contacts identified
• Field services and installation services
• NOC vs SOC services
• Procurement
• Vendor risk assessments
• Analysis capabilities
• Vendor certifications – PCI, SOC II
• Customer helpdesk

PRIORITY LEVEL: LOW

3. RESOURCE MANAGEMENT WITH LOW CAPITAL

PLATFORM SECURITY – EMBEDDED OS, APPLE, ANDROID, ETC.
Minimum requirements for security – provisioning systems – Better define this requirement? *SHOULD BE ABSTRACTED FROM THE POS… IT ISN’T NOW BUT WILL BE

Pentest - how do you evaluate a report and findings? (A vulnerability scan report is not sophisticated, and is not a true pentest.) Timelines, scope of work; focus on clear requirements, pre-engagement meetings, in vs. out of bounds activities (red, blue, purple teaming, external vs. internal pen tests).

CONTACTLESS - DIGITAL WALLET INTEGRATIONS SECURITY
Apple Pay, Google Pay, Alipay, WeChat Pay, etc. - how do you handle payment data and PII?

FORM FACTOR SECURITY, MOBILE DEVICE MANAGEMENT
Port lockdown, appliance management, minimum requirements for security provisioning systems.

ORGANIZATIONAL MANAGEMENT
IT ownership; Security; Finance.

THIRD-PARTY DELIVERY SECURITY

SECURITY AUTOMATION
• Patch management
• Incident and event management – SOC playbooks
• Tamper control / change management control - Define more what to automate… after the fact.

REMOTE ACCESS BEST PRACTICES
Monitoring, encryption, fraud, MFA. *MAJOR ATTACK VECTOR WHEN IMPLEMENTED INCORRECTLY

CLOUD, ON PREM, HYBRID DEPLOYMENT CONSIDERATIONS
Trust but verify documentation and security processes with all vendors.

PRIORITY LEVEL: KEEP EVERGREEN
COVID-19 CONSIDERATIONS
Master Chart
PROGRAMS, DEFINED BY FORMER, CURRENT & FUTURE STATE

RUN

OPERATIONS
• Former state: Localized, on-prem solution.
• Current state: Cloud based gaining market share, but most systems still on-premises based.
• Future state: All cloud, managed, utilizing AI/ML insights to drive operations.
• Changes necessary to get from current to future state: KPI driven business operations with a SaaS model.

ORDERS, CUSTOMER PAYMENT METHOD
• Former state: Cash focused, physical security focused.
• Current state: Mobile first, credit card focused, payment card security standards.
• Future state: QR codes, NFC, voice based ordering, Venmo, Zelle, ecommerce level cybersecurity.
• Changes necessary to get from current to future state: Lots of new options available, but not a well understood business case for adoption (yet). Adoption in the US is accelerating rapidly (WeChat in China, etc).

ORDERS, PLATFORM
• Former state: Menu boards, phone in, call centers.
• Current state: Online hybrid, digital menu boards.
• Future state: Loyalty ordering, social media ordering, customer analytics (payment, transaction, loyalty data sets), POS everywhere.
• Changes necessary to get from current to future state: Amazon style one stop shopping.

THIRD-PARTY INTEGRATIONS
• Former state: 1:1, subject to opportunity, expensive, inaccessible, large brand play, tech debt prohibitive.
• Current state: Fragmented, complex, gated, emerging, SaaS expensive at scale.
• Future state: Ubiquitous, click to install, low friction, drive innovation.
• Changes necessary to get from current to future state: Industry standard integration under development; movement from license-based models to more SaaS based with open APIs.

OTHERS (personalization, loyalty, alternative customer data business models)
• Former state: Simple correlation.
• Current state: AI/ML, who owns the customer data (data stewardship), GDPR/privacy liabilities.
• Future state: Cloud managed service with subscription based access. Would expect to see 3-4 main players selling a service.
• Changes necessary to get from current to future state: Data privacy laws updated as well as consumer protection. Industry driven decisions on data ownership.

SUPPORT

WAN (INTERNET EDGE)
• Former state: Single WAN transport is predominant, as POS and payment functionality is not as reliant on “always on” connectivity. Second transport for business continuity not driving new business functions. Security was perceived as an inherent service from the ISP. Expansion of internal devices starts to create a greyer edge, but still definable. Migration from MPLS to broadband for cost efficiencies begins.
• Current state: SD-WAN adoption picks up, first as a way to reduce costs and complexity, but soon becoming a requirement to drive new business applications and scale to support a growing number of endpoints for the customer experience. Security of sensitive data becomes more critical and goes beyond just payment data. Requires secure connectivity via Secure SD-WAN as well as security on the internal network, edge, and external access to cloud applications.
• Future state: Secure SD-WAN becomes standard to support the growing proliferation of devices and protect the undefinable edge. Real-time application steering and dynamic traffic allocation become necessary to continue to drive new customer facing technologies and increased usage of SaaS and public/private cloud applications. The “self-healing” network becomes a reality via artificial intelligence, machine learning, and increased use of automation, which helps to predict, identify, resolve, and even prevent issues in real time.
• Changes necessary to get from current to future state: Traffic management, as restaurant system complexity increases, will be necessary to maintain business continuity, but many companies may just need link aggregation or failover. Complex routing, aggregation, and granular management may be necessary at a datacenter or (private/public) cloud instance for centralized resources. This technology is commoditized and available from many suppliers, but multiple ISP services are not as common, especially in remote or rural areas.

LAN (INTERNAL NETWORK)
• Former state: Flat networks are prevalent, with physical segmentation common. VLANs created for different network segments but not according to business requirements.
• Current state: East-West CDE (Cardholder Data Environment) segmentation becomes standard as PCI and other regulations require clear separation of payment systems from cardholder networks. Prevalence of IoT devices starts to create challenges, as the traditional network edge becomes hard to define.
• Future state: ZTNA, or Zero-Trust Network Access, assumes no user/device is trusted and limits access to only the most necessary requirements. Default deny-all becomes the standard and allow lists are created to increment access. Micro-segmentation becomes a requirement as edge computing, cloud adoption, and containers permeate day-to-day operations.
• Changes necessary to get from current to future state: Sophisticated ZTNA requires extensive expertise and equipment that are available but not easily managed at scale. Many restaurants may choose to outsource this management to third parties. These capabilities exist today but are not widely adopted due to a lack of understanding and complexity. If you are not, at a minimum, at the currently accepted state, you should audit your systems immediately and implement the suggested remediation technologies and processes.
SUPPORT (CONT’D)

DATA
• Former state: Singular data sources and repositories with singular purposes. Heavily siloed in disparate platforms with little correlation. Value not yet realized.
• Current state: Data analysis and correlation begins to create large databases and repositories.
• Future state: Privacy and cybersecurity regulations (like CCPA/CPRA) make data management high risk, high value, and complicated to execute while maintaining compliance requirements. Complications with consumers’ right to be “forgotten” and practices such as data mapping and privacy may impact assessments.
• Changes necessary to get from current to future state: KPI driven business operations with a SaaS model.

EMPLOYEE DATA
• Former state: Physical data stored on-site.
• Current state: Mix of physical and digital storage. Employee on-boarding/training not fully digitized.
• Future state: Digital on-boarding and training programs. Cloud partnership for data storage.
• Changes necessary to get from current to future state: Lots of new options available, but not a well understood business case for adoption (yet). Adoption in the US is accelerating rapidly (WeChat in China, etc).

CUSTOMER DATA
• Former state: Little effort to capture customer data outside of credit card data and mag stripe.
• Current state: Email capture for marketing efforts is common; physical address for snail mail has reduced but is still in business models. Customer buying habits and mobile device connections are ramping.
• Future state: Several customer loyalty applications in play as well as WiFi analytics dashboard and reporting.
• Changes necessary to get from current to future state: Amazon style one stop shopping.

BRAND DATA
• Former state: Little visibility by brand into franchisee health, employee management, and performance.
• Current state: Data driven programs are starting to be implemented by brands in order to review and support their franchisees. Brand marketing programs are built and optimized per data driven by franchisees.
• Future state: Endpoint monitoring, brand data traffic flow and data dumps to the corporate brand team.
• Changes necessary to get from current to future state: Movement from license based models to more SaaS based with open APIs.

THIRD-PARTY DATA
• Former state: Siloed independent collection.
• Current state: Data collection is ubiquitous, but is not being harnessed effectively. It is also a regulatory minefield to collect data unnecessarily, as well as an additional, significant risk.
• Future state: Privacy professional feedback.
• Changes necessary to get from current to future state: Data privacy laws updated as well as consumer protection. Industry driven decisions on data ownership.

ENDPOINT SECURITY
• Former state: Cost driven point products. Endpoint security - AV and standard EPP platforms. The lowest common denominator of security capabilities, if not the only security capabilities at many companies.
• Current state: Consolidated and centralized security functions. Legacy SIEM; AV moves to EPP + EDR platform. Automation becomes one of the few ways to combat a lack of resources and immediate responses. SMBs still implementing cost driven security products rather than capability focused decisions.
• Future state: AI-driven security / augmented / automated. SOAR, XDR and MDR, ML/UEBA/NBA technology integrations.
• Changes necessary to get from current to future state: Integrated partnerships between endpoint security solutions and point of sale.

REMOTE CONNECTIVITY
• Former state: Physical access, Remote Desktop, 3rd party Remote Access Software (RAS), VPN. POS and non-POS services co-mingle on a single system.
• Current state: Secure adaptive VPN connectivity with robust logging and auditing capabilities. Direct application access removes many requirements to interact directly with the store.
• Future state: API driven operations become standard practice, with less direct user access needed on in-store POS devices.
• Changes necessary to get from current to future state: Move away from co-mingled software environments where multiple functions reside on a single compute resource. Restaurants must mature the mindset of remote security, and API standardization and integration must become open and audited to be successful. This will be different for system-to-system communications (SD-WAN style remote connectivity) and for end-user-to-system communications.
SUPPORT (CONT’D)

USER IDENTITY MANAGEMENT
• Former state: Static credentials and persistent access allow for limited security and accountability. Common for a single account with no separation of privileges between admin / user. Limited multi-factor authentication.
• Current state: Unique identities separating admin from general user access, with some per application / database credentialing. Multi-factor authentication becomes a requirement, but implementation varies.
• Future state: Full password rotation and vaulting mandatory. Fully validated and audited access trails. Deep integration with SSO solutions. Adaptive multi-factor authentication to ensure high implementation.
• Changes necessary to get from current to future state: The technology exists, with many competitors, to achieve the future state. At this point, it takes process and corporate priority changes to achieve these goals.

DEVICE
• Former state: Limited mobile device management. Devices “on-island.” Compatibility challenges. Static device inventory with no continuous assessments performed.
• Current state: Centralized and consolidated asset identification and continuous assessment, with support for a myriad of devices. Network Access Control (NAC) implemented with growing regularity as IoT expands.
• Future state: Fully integrated Mobile Device Management (MDM) + security. Network Access Control implemented with high regularity as part of a Zero-trust model. Protection becomes less endpoint focused and more identity and application centric.
• Changes necessary to get from current to future state: Tools, support and services are available today to execute this strategy. Restaurants need to prioritize this and build a business case to support it.

REPORT
• Former state: Local transactional reporting. Some products have the ability to aggregate multiple restaurants’ reporting.
• Current state: Improved reporting aggregation capabilities in core POS products. Improved capabilities in native cloud POS products. Many third party (non-POS vendor) reporting/BI products, but very little true integration; some best in class third party middleware achieves these goals but is expensive.
• Future state: Use an industry standard API. This should improve the product offerings and make them easier to integrate and port to accounting, inventory, HR and BI systems cost effectively. API first, or well documented, systems are differentiators (all APIs are not equal). PII and PCI data are important to keep track of, and potentially exclude from reporting capabilities for compliance purposes.
• Changes necessary to get from current to future state: Identify, normalize, and systematize least risk / highest value data to aggregate and report. PII and PCI data should be tagged appropriately to reduce risk and track where data is going. Build, use, adopt, and buy systems that implement standards like those created by RTN.

COMPLIANCE (PCI, ETC)
• Former state: The payment brands (American Express, Discover Financial Services, JCB International, Mastercard and Visa) introduced PCI DSS 1.0 in December 2004, followed by version 1.1 in 2006, which added online applications and firewall standards as well as the creation of the PCI Security Standards Council.
• Current state: PCI 3.X raises the stakes on safe and consistent hardware / manufacturing of payment devices. Payment encryption (P2P / E2EE) and incident response planning become standard in 3.2. Focus on process enhancement and ensuring proper practice of controls, but little year-round validation.
• Future state: PCI 4.X promotes security as a continuing process and aims to ensure year-round security maturity. Application development and delivery requirements signal a change in PCI stance on how transactions are processed. Places more value on digital/ecommerce/contactless and customer data protection.
• Changes necessary to get from current to future state: Compliance is shifting from a point-in-time assessment to a continuous improvement and validation style process. Restaurants must begin to implement third party risk assessments to ensure vendor security capabilities, as well as disclosure requirements. Certain technology categories can make the assessment automated, but many technology stacks still require manual intervention, making this a skills, cost and availability-of-talent issue.

PROGRAM (RUN) SUMMARY: FORMER, CURRENT & FUTURE STATE

OPERATIONS
• Former state: Localized, on-prem solution.
• Current state: Heading toward cloud-based.
• Future state: All cloud, managed, utilizing AI/ML insights to drive operations.

MENU, ORDERS, CUSTOMER PAYMENT METHOD
• Former state: Cash focused, physical security focused.
• Current state: Credit card focused, payment card security standards.
• Future state: Mobile first, QR codes, NFC, voice based ordering, Venmo, Zelle.

ORDERS, PLATFORM
• Former state: Menu boards, phone in, call centers.
• Current state: Online hybrid, digital menu boards.
• Future state: Loyalty ordering, social media ordering, customer analytics (payment, transaction, loyalty data sets).

THIRD-PARTY INTEGRATIONS
• Former state: 1:1, subject to opportunity, expensive, inaccessible, large brand play, tech debt prohibitive.
• Current state: Fragmented, complex, gated, emerging (Omnivore, Chowly), SaaS expensive at scale.
• Future state: Ubiquitous, click to install, low friction, drive innovation.

OTHERS (personalization, loyalty, alternative customer data business models)
• Former state: Simple correlation.
• Current state: AI/ML, who owns the customer data, GDPR/privacy liabilities.
• Future state: Restaurant owns customer and data.
Vendor Risk Assessment

Determining the Need for Risk Assessment
Different levels of risk assessment are required depending upon the risk to the company. All acquisitions must adhere to Company Policies and Standards. The vendor must be provided with a copy of IT Policies and contractually agree to comply with all policies. Ultimately, risk assessments are an appropriate component of due diligence verification.

HIGH RISK ASSESSMENT
A high risk assessment is required if:
• The vendor will process, transmit, or store sensitive data internally or externally.
• The vendor will process payment card information on behalf of the Company.
• The vendor will perform software development or development of IT systems on behalf of the Company.
• The vendor will have administrative access to the Company’s IT systems or host IT systems in their data center.

LOW RISK ASSESSMENT
A low risk assessment is required if:
• The vendor is providing a cloud-based solution that requires login to access non-sensitive data only.
• The system is not deemed strategic by the enterprise.

QUESTIONNAIRES
• In-depth questionnaires can be based on a control-based framework: NIST 800-53 Rev 4, ISO 27001, National Cyber Security Framework, SANS, FedRAMP, HITRUST, Arizona State’s assessments.
• High-level questions for high and low risks, based on controls in place.
• Existing questionnaire responses (Cloud Security Alliance).

EVALUATION CYCLE
Generally, high risk systems should be reassessed every year and again during renewals. Security responses, compliance, and other issues should be addressed in contracts.
Remote Access Best Practices
An important consideration for organizations developing a business continuity plan is that the organization may not be capable of sustaining normal operations onsite. The ability to support employees working remotely is essential to ensuring both business continuity and security. The following best practices should serve as a framework and reference for organizations needing to provide secure remote access to employees, broken down into 3 categories: General User, Power User and Super User. *Note: this framework is not comprehensive but rather a starting point for businesses to expand upon based on individual requirements.
1. Create a Policy
The remote access policy should complement existing policies such as, but not limited to:
• Acceptable Use Policy
• Data Use and Transfer Policy
• Device/Endpoint Security Policy
• Password Policy
• Approved Software Policy
• BYOD Policy
(All of which should be in place prior to allowing remote access.)
This policy should clearly state the purpose, scope and procedures to be used in the implementation and enforcement of the organization’s remote access / teleworker program. The policy should be reviewed and updated regularly (at least annually), and all changes should be tracked. (Reference Documents: ISO 27002 6.2.2 & 9.1.2 | NIST Cybersecurity Framework PR.AC-3)
2. Select a Remote Access Solution(s)
Select a remote access solution(s) that best fits an organization’s needs, meets security requirements and adequately scales to meet current and future demand. Remote access solutions come in multiple forms, the most common being VPN, 3rd-party tools and Direct Application Access. It is not uncommon for organizations to maintain a hybrid remote access strategy.

VPN
Virtual Private Networks can provide enterprise-level secure remote access by encrypting traffic from source to destination inside the VPN tunnel.
(Figure: SOURCE, encryption, VPN TUNNEL, decryption, DESTINATION)
• IPSEC - Gateway to Gateway | Full Encryption
• SSL/TLS - Client to Gateway | Requires Agent | Full Encryption

DIRECT APPLICATION ACCESS (DAA)

3RD PARTY REMOTE ACCESS TOOLS
3. Manage Identity and Access

USER ACCOUNT MANAGEMENT
• Integrate remote users with existing authentication servers (LDAP, RADIUS, etc.)
• Multi-factor authentication should be enforced
• Least privilege methodology should be enforced, ensuring access is only granted on a need-to-know / need-to-have basis
• Zero-Trust Network Access (ZTNA) should be considered to establish secure boundaries and evolve from the “Trust But Verify” methodology

DEVICE MANAGEMENT
• Whether corporate assets, BYOD, or both are used in the environment, device identification, classification and management should be used to help ensure authorized devices meet company standards and to reduce the risk of unauthorized device access
• Network Access Control should be considered to identify, classify and control all endpoints in the environment, including BYOD
4. Securing Your Remote Access Solution

DEPLOY A SECURE VPN GATEWAY
• A VPN provides strong encryption for data transmission and support for advanced authentication algorithms.
• IPsec - Use AES-256 with SHA2-512, or the highest available encryption and authentication.
• SSL (TLS) VPN - Use tunnel mode with SSL v3 and every protocol version below TLS 1.2 disabled. Use encryption such as AES-256 or the highest available.
• *Note: split-tunneling can be used to route only designated traffic through the VPN gateway. This provides less inherent security and control unless the proper controls/policies are in place.

DIRECT APPLICATION ACCESS / 3RD PARTY REMOTE ACCESS
• These solutions may be used by organizations to provide users direct access to internal applications and services; however, they generally lack the features, support, security and integrations of IPsec and SSL (TLS) VPN. Refer to the individual provider for capabilities, support and best practices when implementing one of these platforms.
INSPECT > CONNECT > PROTECT
Inspect - Perform a Forward Posture Assessment (FPA) to ensure the remote device meets the security requirements for connection to the protected network. The FPA may include:

Endpoint Protection
• When connecting to a corporate environment/protected network, the security posture of remote devices cannot be assumed; therefore endpoint protection should be installed and updated with current signatures and/or engine. For corporate devices, this should be validated via the endpoint protection management platform.
• Some VPN gateways allow for a host check prior to connection, verifying the proper installation and version of AV products. If this feature is not available, organizations should refer to their policies regarding endpoint protection, approved software and BYOD.
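The posture decision described above, written out as an added example (not code from the RTN document): a host-check rule set that denies a session when endpoint protection is missing, stale or below version, requires the management platform to confirm corporate devices, and flags BYOD devices for policy review. The signature-age limit, minimum engine version and device report fields are assumptions for illustration.

```python
"""Forward Posture Assessment (FPA) before a remote device is admitted.
Added example; thresholds and report fields are assumed, not taken from
the RTN guidance or any specific VPN gateway."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MAX_SIGNATURE_AGE = timedelta(days=3)  # assumed limit for "current signatures"
MIN_ENGINE_VERSION = (5, 2)            # assumed minimum agent version (major, minor)


@dataclass
class DeviceReport:
    """What the host check learns about a device asking to connect (assumed fields)."""
    hostname: str
    corporate_owned: bool                # False means BYOD
    epp_installed: bool                  # endpoint protection present on the host
    engine_version: tuple                # (major, minor) reported by the agent
    signature_date: Optional[date]       # last signature update, None if unknown
    management_platform_confirms: bool   # EPP console agrees the device is enrolled and current


@dataclass
class PostureResult:
    allow: bool
    findings: list = field(default_factory=list)  # blocking problems
    notes: list = field(default_factory=list)     # non-blocking policy references


def assess_posture(report: DeviceReport, today: date) -> PostureResult:
    """Apply the FPA rules; any blocking finding denies the connection."""
    findings, notes = [], []
    if not report.epp_installed:
        findings.append("endpoint protection not installed")
    else:
        if tuple(report.engine_version) < MIN_ENGINE_VERSION:
            findings.append("endpoint protection engine below minimum version")
        if report.signature_date is None or today - report.signature_date > MAX_SIGNATURE_AGE:
            findings.append("signatures stale or missing")
    if report.corporate_owned:
        # The agent's self-report is not trusted on its own for corporate assets:
        # the management platform must confirm enrollment and currency.
        if not report.management_platform_confirms:
            findings.append("management platform does not confirm device state")
    else:
        # BYOD cannot be validated centrally; the host check result stands alone
        # and the BYOD / approved-software policies decide what else applies.
        notes.append("BYOD device: self-reported posture only; apply BYOD policy")
    return PostureResult(allow=not findings, findings=findings, notes=notes)


def gate_connections(reports, today: date) -> dict:
    """Map hostname -> allow/deny for a batch of connection requests."""
    return {r.hostname: assess_posture(r, today).allow for r in reports}


if __name__ == "__main__":
    # Constructed sample devices, not real inventory data.
    today = date(2021, 6, 1)
    sample = [
        DeviceReport("corp-01", True, True, (5, 4), date(2021, 5, 31), True),
        DeviceReport("corp-02", True, True, (5, 4), date(2021, 5, 1), True),
        DeviceReport("byod-01", False, True, (5, 2), date(2021, 5, 30), False),
        DeviceReport("byod-02", False, False, (0, 0), None, False),
    ]
    for r in sample:
        res = assess_posture(r, today)
        print(r.hostname, "ALLOW" if res.allow else "DENY", res.findings, res.notes)
```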
TRAINING
Training is an important aspect of the proper usage and security of remote access. Users should be required to take part in at least yearly training on remote access and certify adherence to the remote access policy. Training concepts should include, but are not limited to:
• Understanding of different remote access solutions
• Understanding secure connectivity (i.e. hotel, coffee shop, home connections)
• Understanding HTTPS and man-in-the-middle attacks
• Approved software and/or applications
• Review of file sharing best practices and guidelines
• Security stewardship: “Security is Everyone’s Responsibility”
5. Customer Data Management
In the wake of new and evolving data privacy regulations such as CCPA and GDPR, remote access policy must put a greater focus on data transfer and storage. In general, it is always best practice to limit the transfer and storage of data wherever possible. When data storage and transfer is required, adhering to the following best practices is important:
• Any and all data communication / transmission should be done over connections with end-to-end encryption (for example, over an IPsec VPN).
• Collection and storage of logs, configurations, user preferences, etc. should be in accordance with internal business requirements and/or security requirements. If you don’t need it, don’t collect it / store it.
• Users should be instructed not to save any files or work-related documents on their local device, instead utilizing company approved secure data repositories.
• Users should be educated on the use of secure file transfer when sharing sensitive data.
• Secure file transfer mechanisms should require authentication to view shared information and should allow for logging and auditing of file access/sharing.
• Wherever possible, implement Data Loss Prevention capabilities and ensure policies are updated regularly.
• Wherever possible, devices (or the applicable data repository on devices) should support the ability to be wiped remotely.
6. Logging, Auditing, Alerting and Reporting
One of the most critical requirements of a remote access solution is ensuring comprehensive logging capabilities are available. Event logging is vital for ensuring secure connectivity and, in many cases, is required in order to satisfy regulatory requirements such as PCI. Robust security logging is vital for giving context on what is occurring on the network, aiding in the identification of non-legitimate access or a breach, and helping organizations quickly decipher whether an event was legitimate or a false alarm. While a number of compliance regulations exist, PCI DSS is the most applicable for retailers. PCI DSS requirements describe the following standards to adhere to in order to remain compliant:
• Access to audit trails
• Logging of users and devices, with particular focus on privileged users and sensitive systems
• Date and time of events and access attempts
• Success or failure of events
• Origination of the event (IP, MAC, etc.)
• List of affected systems
In general, storage of logs must be maintained for one year; however, other requirements may exist for specific businesses and according to new and evolving compliance regulations.
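The list above says which facts every remote-access event must record; the following added example (written for this page, not RTN's or any vendor's code) turns that list into three checks a security team can run over exported logs: whether each record carries all the required fields, whether repeated failed access attempts from one origin should be alerted on, and whether a record still falls inside the one-year retention period. The JSON field names, the five sample events, the IP addresses (from documentation ranges) and the three-failures-in-five-minutes alert threshold are constructed assumptions, not values from the page.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# One field per item in the PCI DSS-aligned list above (field names are assumptions).
REQUIRED_FIELDS = ("timestamp", "user", "device", "event", "outcome",
                   "source_ip", "source_mac", "affected_systems")
RETENTION = timedelta(days=365)  # "storage of logs must be maintained for one year"

# Constructed sample remote-access events in JSON-lines form (not from any real system).
SAMPLE_LOG = """\
{"timestamp": "2024-03-01T08:02:11Z", "user": "store42-mgr", "device": "LAPTOP-7F3", "event": "vpn_login", "outcome": "success", "source_ip": "203.0.113.10", "source_mac": "02:00:5e:00:53:01", "affected_systems": ["pos-gw-01"]}
{"timestamp": "2024-03-01T08:05:40Z", "user": "vendor-svc", "device": "unknown", "event": "vpn_login", "outcome": "failure", "source_ip": "198.51.100.7", "source_mac": "02:00:5e:00:53:02", "affected_systems": ["pos-gw-01"]}
{"timestamp": "2024-03-01T08:05:52Z", "user": "vendor-svc", "device": "unknown", "event": "vpn_login", "outcome": "failure", "source_ip": "198.51.100.7", "source_mac": "02:00:5e:00:53:02", "affected_systems": ["pos-gw-01"]}
{"timestamp": "2024-03-01T08:06:03Z", "user": "vendor-svc", "device": "unknown", "event": "vpn_login", "outcome": "failure", "source_ip": "198.51.100.7", "source_mac": "02:00:5e:00:53:02", "affected_systems": ["pos-gw-01"]}
{"timestamp": "2024-03-01T09:15:00Z", "user": "store42-mgr", "event": "file_download", "outcome": "success", "source_ip": "203.0.113.10"}
"""


def parse_ts(value: str) -> datetime:
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Dict]:
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_fields(record: Dict) -> List[str]:
    return [field for field in REQUIRED_FIELDS if field not in record]


def audit_completeness(records: List[Dict]) -> Dict[int, List[str]]:
    """Map record index -> required fields it lacks; records that are complete are omitted."""
    gaps: Dict[int, List[str]] = {}
    for index, record in enumerate(records):
        missing = missing_fields(record)
        if missing:
            gaps[index] = missing
    return gaps


def failed_attempt_bursts(records: List[Dict], threshold: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, int]]:
    """Alert candidates: (source_ip, user, count) with >= threshold failures inside one window."""
    failures = defaultdict(list)
    for record in records:
        if record.get("outcome") == "failure" and "timestamp" in record:
            failures[(record.get("source_ip"), record.get("user"))].append(parse_ts(record["timestamp"]))
    bursts = []
    for (source_ip, user), times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((source_ip, user, best))
    return bursts


def must_retain(record: Dict, now_iso: str) -> bool:
    """True while the record is inside the one-year retention period measured from now_iso."""
    return parse_ts(now_iso) - parse_ts(record["timestamp"]) <= RETENTION


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("incomplete records:", audit_completeness(events))
    print("failed-access bursts:", failed_attempt_bursts(events))
    print("retain first event as of 2025-06-01:", must_retain(events[0], "2025-06-01T00:00:00Z"))
```

The completeness check is the one most often skipped: the fifth sample event is a successful file download that records no device, MAC or affected system, so it satisfies the remote access solution's own needs but would not satisfy an audit against the list above.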
7. Business Continuity and Capacity Planning
Operational capacity refers to what organizations are able to produce in a given amount of time. Many variables affect operational capacity, namely resources, efficiency, infrastructure and staffing. Under ideal conditions, operational capacity is in balance and work product output is at optimal efficiency. During a major business disruption, such as a natural disaster or pandemic, organizations must ensure they have a solid Business Continuity plan, as it will enable them to serve customers even in the midst of challenging circumstances.
OPERATIONAL CAPACITY AND BUSINESS CONTINUITY BEST PRACTICES
• Consult with an expert or trusted partner
• Determine a baseline
  • What are the lows and highs of your b
  • Can your infrastructure scale to meet demand
• Identify critical processes and applications
• Build in security from the beginning
• Ensure network resiliency
• Cross-train users
• Document everything
Glossary of Terms

TERM: MEANING
AI: Artificial Intelligence - Replicating/simulating human intelligence to perform tasks
API: Application Programming Interface - Allows different software to communicate with each other
AV: Anti-Virus
BYOD: Bring your own device
CCPA: The California Consumer Privacy Act is a state statute intended to enhance privacy rights and consumer protection for residents of California
CDE: Cardholder Data Environment
EDR: Endpoint Detection & Response - Combines real-time continuous monitoring with prediction, prevention, detection, & response capabilities
EPP: Endpoint Protection Platform - Used to prevent and detect file-based malware attacks
FEDRAMP: The Federal Risk and Authorization Management Program is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
GDPR: The General Data Protection Regulation
HITRUST: The Health Information Trust Alliance was founded in 2007 and uses the “HITRUST approach” to help organizations from all sectors, but especially healthcare, effectively manage data, information risk, and compliance
IPSEC: Internet Protocol Security is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network
ISP: Internet Service Provider
KPI: Key Performance Indicator
LAN: Local Area Network - Connected devices in a single physical location
MFA: Multi-Factor Authentication
ML: Machine Learning - Programs that adapt and learn without human interaction
NAC: Network Access Control - Policies for controlling devices and user access to the network
NFC: Near Field Communication - Contactless means of payment/data exchange
NOC: Network Operations Center
PCI: Payment Card Industry Compliance
PCI DSS: Payment Card Industry Data Security Standards
P2P/E2EE: Point to Point Encryption/End to end Encryption
PII: Personally identifiable information is any data that could potentially identify a specific individual
POS: Point of Sale
SaaS: Software as a Service - Cloud-hosted software without physical infrastructure
SANS: SANS Institute is the most trusted resource for cybersecurity training, certifications and research
SD-WAN: Software Defined Wide Area Network - Using software, multiple internet transport types can be used in tandem to provide reliability, prioritization, and performance of internet connectivity
SOAR: Security Orchestration, Automation, & Response - Technology allows multiple inputs to be organized, allowing for incident analysis and response in a digital workflow format
SOC: Security Operations Center
SOC II: The SOC 2 report evaluates a business’s non-financial reporting controls relating to security, availability, processing integrity, confidentiality, and privacy of a system
SSL/TLS: Transport Layer Security, and its now-deprecated predecessor, Secure Sockets Layer, are cryptographic protocols designed to provide communications security over a computer network
SSO: Single Sign On
UEBA/NBA: User and Entity Behavior Analytics/Network Behavior Analytics - Uses data models to set baselines for user and network behavior to spot anomalies
VLAN: A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer
VPN: Virtual Private Network - Encrypted connection over the internet connecting devices to disparate networks
WAN: Wide Area Network - A network of multiple networks; connectivity to the internet or other disparate networks
ZTNA: Zero-Trust Access (Network or Application) - Provides secure network and application access based on a defined set of security policies
RTN Vision
In an industry built on service and entrepreneurial spirit, purpose-built technology fuels success. The Restaurant Technology Network aspires to help restaurant professionals and solution providers work together to solve problems large and small and inspire bold ideas for the future.
Join Us
If you have a vested interest in the restaurant technology industry, join us. Collectively, our members shape the industry by creating and disseminating technology standards and technical guidance to benefit members. Through our cornerstone virtual think-tank workgroup meetings, our members solve industry challenges and prosper inside a unique, collaborative environment.