SD-WAN solutions help retailers enhance security, meet compliance standards like PCI DSS and GDPR, and improve operational efficiency across their digital and physical networks.
The retail sector is no novice when it comes to adopting digitisation of processes, with card machines, surveillance cameras and self-checkouts forming just some of the digital practices used across major retailers. The uptake in these technologies has improved day-to-day operational efficiency, often reduced costs and has enhanced customer experiences. However, with the growing digitisation of activities, retailers are finding that previously simple systems have become complex and require a lot of focus in order to meet regulations or customer expectations.
In this article, we explore how Software-Defined Wide Area Network (SD-WAN) solutions offer a simple solution for retailers, combining flexible connectivity, improved network performance and security enhancements, to fulfil these needs.
Regulatory Compliance and Standards
PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules that mandate how companies should accept, process, store and transmit credit card information, ensuring that they maintain a secure environment in order to facilitate this. With the vast majority of retailers accepting card payments, the PCI DSS rules are of essential importance to the retail sector.
These rules, enforced since 2004, were put in place to increase control over cardholder data, reducing the risk of credit card fraud due to improperly handled credit card information. Compliance is therefore crucial for businesses, with a $5000 to $50,000 variable fine for non-compliance and that’s without including legal or settlement amounts.
SD-WAN can assist with meeting these strict requirements, offering retailer networks segmentation functionality and secure communication protocols. SD-WAN segments the network efficiently, splitting traffic up based on attributes such as application, protocol or priority. Separating payment card data from other network traffic minimises the risk of payment traffic being exposed to other systems, so that in the event of a breach elsewhere on the network, card data stays isolated and outside the attacker's reach. Segmenting this traffic also reduces the complexity of implementing rigorous security, reduces the scope of PCI compliance and simplifies future audit processes.
GDPR (General Data Protection Regulation)
For retailers operating within the UK and Europe, the General Data Protection Regulation (GDPR) requires that personal data be processed for specific, explicit and legitimate purposes, and that it be processed securely with its integrity maintained. Since its introduction in 2018, retailers have had to consider how they process and protect personal data in Customer Relationship Management (CRM) systems, e-commerce platforms, customer service platforms and payroll systems, to name a few.
SD-WAN is an essential tool for retailers to ensure data protection and privacy across these systems, offering encryption and secure data transmission capabilities that help to adhere to the security requirements of GDPR. With SD-WAN, retailers can implement strong access controls and monitor data flows to evaluate vulnerabilities and confirm, with confidence, that they are maintaining GDPR compliance.
CCTV and Surveillance Regulations
For retailers, protection isn’t only limited to network activities but also extends to the physical world through CCTV and surveillance systems. In the UK, businesses must comply with the Data Protection Act 2018 and the UK GDPR, which require the lawful, fair, and transparent processing of personal data captured by CCTV. Similarly, in North America, regulations such as the California Consumer Privacy Act (CCPA) in California and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada enforce strict guidelines on the use and protection of CCTV data, ensuring consumer privacy and data security.
This means that retailers must put security systems in place to manage their surveillance systems, and SD-WAN facilitates this by providing secure and efficient transmission of CCTV data across multiple retail locations. This not only fulfils the security requirements of the regulations but also reduces the complexity of managing multiple sites' surveillance systems, ensuring overall compliance with surveillance regulations.
Key Considerations for SD-WAN in Retail
Data Protection and Security
GDPR isn’t the only regulation for protecting retail customers’ personally identifiable information (PII) and financial data. The California Consumer Privacy Act (CCPA), which focuses on consumer rights and data protection for residents of California, is similar to GDPR.
Some of the security features that SD-WAN implements to enhance retail security are encryption, intrusion detection, and real-time monitoring of traffic. These features provide a secure network for retailers, helping to meet data protection criteria by safeguarding sensitive data, which in turn maintains customer trust.
Stock Control and Inventory Management
Arguably the most important system for retailers is an Inventory Management System (IMS) or stock control system. Without it, retailers are left in the dark as to what stock needs re-ordering and how much of each item is on display shelves. This problem is magnified for large-scale retailers, who depend on cloud-based IMS and for whom downtime in these systems can be detrimental to business operations. Retailers therefore deem protecting these systems crucial for day-to-day activities, alongside real-time connectivity to ensure data is not outdated.
SD-WAN enables the seamless integration of inventory management systems, providing retailers with real-time stock tracking and control. By also integrating with cloud services, SD-WAN can create a reliable connection for multiple sites, interconnecting point-of-sale (POS) systems and stock systems, whilst also reducing potential downtime. These improvements over traditional WAN networks mean that retailers can optimise their inventory management processes, which can also yield greater operational efficiency and profits.
Network Segmentation
One of the key security features that SD-WAN provides for retailers is its network segmentation capability. Network segmentation isolates network traffic, applications or data into their own subsections of the network. Often considered a foundational security strategy, segmentation can be utilised to improve network performance and also to prevent lateral movement in the event of a breach. This allows retailers to create isolated network segments for different operations, such as Point-of-Sale (POS), CCTV, and customer Wi-Fi. By introducing network segmentation, retailers can reduce the attack surface exposed to potential breaches and support security compliance by preventing unauthorised access between segments through lateral movement.
UK vs. North American Compliance Differences
UK Compliance Requirements
In the UK, due to GDPR and the Data Protection Act, SD-WAN deployments in the retail sector must prioritise data privacy, secure data transmission, and granular access controls to meet these requirements.
North American Compliance Requirements
For North America, while GDPR may not directly apply, retailers should still prioritise data protection and privacy, especially if they offer services that are still accessible for UK or European-based consumers.
Because GDPR is less of a concern for North American retailers, PCI DSS is the primary compliance standard for retailers there. When choosing an SD-WAN solution, IT decision makers must select one that is PCI-compliant and provides security features to protect payment card data.
Best Practices for Implementing SD-WAN in Retail
Choosing a PCI-Compliant SD-WAN Solution
Retailers should select a PCI-compliant SD-WAN vendor that provides the necessary security features. A PCI-compliant SD-WAN solution, for example, offers segmentation to isolate credit card traffic from other systems, ensures reliability of connections and provides reporting functionality to simplify the audit compliance process. We would recommend that retailers select an SD-WAN vendor that has achieved PCI DSS Attestation of Compliance (AoC) as a Level 1 Service Provider, the highest security standard; failing that, retailers should at a minimum ensure the SD-WAN solution is PCI-compliant. This can significantly reduce the scope and cost of your own PCI compliance efforts, which reduces complexity and costs for your network administrators.
Implementing Strong Access Control Measures
When focusing on protection of any system through access control, the surest way to ensure protection is to deny all access. Whilst this isn’t practical, retailers can utilise SD-WAN solutions’ support for the Principle of Least Privilege (POLP), in which users, devices and applications are only granted the minimum access required to conduct their duties. This granular access control and network policy enforcement ensures that only authorised personnel can access sensitive data and systems, helping to adhere to GDPR and PCI DSS requirements, whilst also providing protection for POS terminals to limit the impact of potential breaches.
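To make the segmentation and least-privilege ideas above concrete, here is an added example (not code from the article or any SD-WAN vendor) of a default-deny inter-segment policy for a retail branch, evaluated over constructed sample flows. The subnets, segment names and allow rules are assumptions chosen for illustration; the point is that POS, CCTV and guest Wi-Fi can only talk to each other where a rule explicitly permits it, and every denied cross-segment flow is surfaced for monitoring.

```python
# Added example: default-deny segmentation policy for a retail branch.
# Segment subnets and allow rules below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One subnet per retail function; INTERNET is the catch-all for anything else.
SEGMENTS = {
    "POS": ip_network("10.10.1.0/24"),         # card terminals (PCI scope)
    "CCTV": ip_network("10.10.2.0/24"),        # cameras and recorder
    "GUEST_WIFI": ip_network("10.10.3.0/24"),  # customer Wi-Fi
    "MGMT": ip_network("10.10.9.0/24"),        # admin jump hosts
    "INTERNET": ip_network("0.0.0.0/0"),
}

# Least-privilege allow list: (source segment, destination segment, dst port).
# Anything not listed is denied, so POS never reaches CCTV or guest Wi-Fi.
ALLOW = {
    ("POS", "INTERNET", 443),         # terminal -> payment gateway over TLS
    ("CCTV", "MGMT", 554),            # camera streams to the admin segment
    ("MGMT", "POS", 22),              # admins manage terminals
    ("MGMT", "CCTV", 22),
    ("GUEST_WIFI", "INTERNET", 443),
    ("GUEST_WIFI", "INTERNET", 80),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def segment_of(addr: str) -> str:
    """Map an address to the most specific (longest prefix) segment it sits in."""
    ip = ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if ip in net]
    return max(matches)[1]

def evaluate(flow: Flow) -> tuple:
    """Return (verdict, src_segment, dst_segment). Intra-segment traffic is
    allowed; cross-segment traffic is allowed only by an explicit rule."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return ("allow", src_seg, dst_seg)
    verdict = "allow" if (src_seg, dst_seg, flow.dport) in ALLOW else "deny"
    return (verdict, src_seg, dst_seg)

def lateral_attempts(flows):
    """Denied cross-segment flows: what a monitoring dashboard should surface."""
    return [f for f in flows if evaluate(f)[0] == "deny"]
```

Feeding the evaluator constructed flows such as a guest Wi-Fi client connecting to a POS terminal on port 445, or a camera connecting to a terminal on port 22, yields "deny", while the terminal's own TLS connection to the payment gateway and an admin host's SSH session are allowed.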
Regular Monitoring and Testing
The threats that retailers face are frequently changing and becoming more complex. By continuously monitoring network activity and conducting in-depth vulnerability assessments, retailers can maintain a secure SD-WAN network that protects their systems and helps to meet regulatory requirements. Advanced SD-WAN solutions provide a unified view of network traffic and security systems in action, which can be used alongside vulnerability testing.
It is essential that retailers conduct regular vulnerability scans and penetration tests of the network, as this helps to identify and address potential security gaps, ensuring ongoing compliance. These tests are a requirement for retailers to be considered PCI DSS compliant, with the audit process being assisted by retailers choosing a PCI-compliant SD-WAN vendor.
Conclusion
Retailers face a wide array of networking complexities, ranging from operational efficiency and connectivity to security and regulatory compliance. By choosing the correct SD-WAN solution to suit their needs, retailers can utilise features such as network segmentation, secure data transmission and real-time monitoring to meet compliance criteria for regulations such as PCI DSS and GDPR. Other integrations, such as those for surveillance systems and inventory management systems, are also essential for maintaining day-to-day activities.