CYBERSECURITY FOR

RETAIL ENVIRONMENTS
A Platform Approach

In a competitive and rapidly changing industry that’s continually targeted

by ­cyberthreats, creating a secure digital foundation is critical to success.
Palo Alto ­Networks meets the security needs of retailers by protecting
customer data and v ­ aried retail environments while streamlining s­ ecurity
operations and granting a­ ppropriate network access to employees,
­customers, suppliers and partners.

Challenges
• Provide excellent in-store
and ­online experiences while
­maintaining customer privacy
and continuous availability.
Protect Your Brand From Modern Cyberthreats With a Platform Approach
Retailers are embracing digital technologies to improve customer experiences and increase
revenue. With more devices, networks and data, retail IT and security teams need a better,
more efficient way to thwart new threats and safeguard customer information.

• Preserve brand and consumer trust.
• Protect customer data, intellectual
property, inventory, financials,
employee information and other
sensitive data.
• Protect a diverse and highly
­distributed environment, often with
limited skilled security ­personnel.
Palo Alto Networks® helps retailers around the world ensure service availability and
protect their brands, enabling them to:
• Simplify compliance by segmenting PCI assets and data.
• Protect customer PII and financial information to comply with GDPR and other
regulations.
• Grant the right people appropriate access to the right resources.
• Secure mobile and smart device access.

• Control IT and security costs. • Maintain continuous operations by securing the supply chain and logistics.

• Support smart devices, mo- • Secure cloud and SaaS use.

bility and automation without
­introducing risks.
• Meet regulatory compliance.
• Protect against cyberthreats that
are growing in speed, volume and
sophistication.
• Support modern in-store experiences while protecting customer data and
POS devices.
Palo Alto Networks Security Operating Platform helps retailers remain competitive
by capitalizing on new technologies, including cloud, smart devices, mobile devices
and ­virtualization, without compromising security or customer service. The platform
­automatically prevents cyberattacks and reduces risk through real-time visibility and
consistent security across retailers’ clouds, networks, endpoint devices and data.

Palo Alto Networks | Cybersecurity for Retail Environments | Brief 1

The platform approach reduces silos of information and manual
intervention from overburdened IT and security teams. Consolidat-
ed visibility, policy creation, management, event logging, reporting
and forensics across security capabilities simplifies operations
and compliance in addition to reducing the potential for miscon-
figurations, outdated policies or overlooked threats. Integration,
automation, speedy correlation and other tools in the platform
dramatically reduce events per analyst hour, helping retailers build
security teams or security operations centers that scale without
the need to add more staff. Existing security staff can improve
response times, focus on critical events, and spend time anticipat-
ing and foiling future attacks.
Automatically Prevent Known and Unknown Threats From
­Affecting Availability or Reputation
Employees and contractors may unwittingly or deliberately put the
network or your company’s reputation at risk by following phishing
links in emails or downloading files, including ransomware. With
new malware created every minute, retail IT teams must constantly
update their security posture, often manually, to remain effective.
The Security Operating Platform automatically prevents cyberat-
tacks with coordinated anti-malware, web content filtering and
zero-day attack prevention, enabling you to embrace new technol-
ogies that improve your competitiveness while vastly reducing the
operational burden on your IT and security teams.
Palo Alto Networks advanced threat analysis environment con-
ducts static and dynamic analysis of suspicious content, even if it’s
encrypted, in both virtual and bare metal environments. It discovers
brand-new threats never seen anywhere in the world, triggers the
creation of new protections and automatically delivers them to
all platform sensors in as few as five minutes. Security appliances
are continuously updated with intelligence on new phishing and
malware sites, malicious links in emails, and command-and-control
infrastructure, blocking any part of such attacks. The platform
identifies and prevents malware from SaaS applications and public
cloud environments from infiltrating retailer networks.
Retailers can even block employee credentials from being sent to
unrecognized websites, foiling phishing attempts to steal user-
names and passwords.
“Palo Alto Networks technology enables us to accurately
identify and control applications by user, scan content to stop
threats in real time, and prevent data leakage. The company’s
next-generation firewalls help us to create granular, mission-rel-
evant security policies and safely control applications, instead
of the ‘block-all-or-nothing’ approach offered by traditional
port-blocking devices.”
– Christian Brennsteiner, technology architect, SPAR Austria
Group
Reduce Risk and Enable Compliance With the Zero Trust ­
Security Model
Simple-to-manage yet granular network segmentation is key to
enabling compliance and preventing successful cyberattacks while
serving the diverse needs of employees, store employees, custom-
ers, suppliers and other valid network users. Palo Alto Networks
platform appliances, whether physical or virtual, segment networks
to reduce the chance of threats moving through them and provide
Palo Alto Networks | Cybersecurity for Retail Environments | Brief
another level of access control to sensitive data or applications,
enabling retailers to:
• Protect valuable systems, such as POS systems or ­customer
databases, in their own network segments, ensuring
least-privileged access while continuously scanning for
threats and data exfiltration.
• Host modern in-store experiences, including customer Wi-
Fi, smart displays and employee intranet, without adding
risk to corporate systems.
• Leverage user information from a wide range of repositories,
allowing IT teams to identify users and groups, not just IP
addresses.
• Grant or deny user access to network segments hosting
certain functions, such as supplier access to automation or
HVAC systems, providing another layer of security beyond
usernames and passwords.
• Prevent threats from spreading in the data center using
east-west segmentation in virtualized public or private
environments.
• Give administrators valuable insight that can prevent security
incidents with near-real-time, easily understandable reports.
“With Palo Alto Networks and VMware, we know we have a
partner we can trust, whether we are talking about improving
our processes, adding agility to serve customers, or securing the
data and transactions that run over our network.”
— Tim Melvin, senior director, Global Solutions Delivery,
Columbia Sportswear
For PCI or data compliance, virtually segmenting cardholder and
customer data environments from the rest of the network with
Zero Trust is a best practice that enables retailers to:
• Restrict access to regulated data by allowing only verified users
and applications to access the environment, blocking all else.
• Use data filtering policies to prevent credit card numbers
from leaving the environment.
• Reduce the scope of compliance for a PCI or PII audit to just
the cardholder or customer data environment.
• Simplify audits by identifying users accessing the
­environment, instead of IP addresses.
Using the threat intelligence and advanced endpoint ­protection
capabilities of the platform, retailers can:
• Meet or exceed IPS requirements and prevent lateral
­movement of malware.
• Prevent malware from installing on POS terminals,
­thwarting even insider threats from those with physical
access to terminals.
• Streamline ongoing compliance by making use of automated
updates across endpoint, network and cloud locations.
• Simplify compliance through reporting, logging and audit
trails that are integrated and centralized.
2
 Figure 1: Palo Alto Networks Security Operating Platform
The Security Operating Platform
The Palo Alto Networks Security Operating Platform prevents
successful cyberattacks through automation. It is easy to
operate, with enforcement points and shared intelligence that
work together at network speed to prevent ever-changing
threats from affecting your uptime, computers, networks or
data. Accurate analytics allow you to streamline routine tasks
and focus on business priorities. Tight integration across the
platform and with ecosystem partners delivers consistent
security across clouds, ­networks, computers and mobile
devices. Among the core elements:
• Network security employs next-generation firewalls
to protect networked services ranging from stores and
distribution centers to data centers. Integrated network
security clients extend security policies and protections
to laptops and mobile devices, whether they are in-store
or at the coffee shop.
• Advanced endpoint protection safeguards servers,
clients and mobile devices against the latest vulnerabil-
ity exploits, ransomware and other malware delivered
via any method, including email, USB drives or other
attached devices, and other channels.
• Cloud security provides the same protections as the net-
work security components for private, public and hybrid
cloud environments, as well as SaaS applications. Deep
integration with native cloud services and automation
tools speeds up multi-cloud deployments.
Scale With Consistent Security at Every Location
Since retail locations vary in size, function and security needs,
retailers often choose different network security vendors for
their small and large stores, distribution centers, headquarters
and data centers. This fragmentation results in greater over-
head for security teams, who must learn and manage several
point products. Fragmented network security also limits threat
visibility and makes compliance complex, with threat detection
and device event reporting that are time-consuming to correlate,
if not entirely separate.
Palo Alto Networks | Cybersecurity for Retail Environments | Brief
Cloud-delivered security services employ global intel-
ligence to filter content as well as detect threats and
attackers. These services automatically create protections
against new threats and attacks as well as continuously
update endpoint, network and cloud sensors.
Palo Alto Networks has recently opened up the platform,
enabling you to swiftly take advantage of security innovations
that meet the unique needs of your retail environment.
• Application Framework enables rapid development of
custom and third-party applications that make use of
data from the Logging Service and other cloud-delivered
security services.
• Logging Service provides a secure, cloud-based reposi-
tory for all application and appliance data logs, collecting
data from various sources while eliminating the burden of
scaling and maintaining on-premise compute and storage.
Palo Alto Networks apps include:
• Behavioral analytics that helps discover anomalous and
malicious user or application activity inside the network.
• Contextual threat intelligence service for malware analyt-
ics and hunting tools for SOC teams.
For more information on the Palo Alto Networks Security
­Operating Platform, please visit https://www.paloaltonetworks.
com/products/security-operating-platform.
Palo Alto Networks offers a range of platform sizes and virtual
deployments for a variety of environments, bringing consistent
visibility, control, threat posture and security policies to every
location. This means:
• Stores that are linked back to a central data center via
MPLS can backhaul security functions to a large next-­
generation firewall.
• Stores that have more advanced security or local ­internet
needs can choose one of several on-premise security
­appliances sized for a variety of remote environments.
3
 • Larger stores or distribution centers can integrate Palo Alto
Networks Security Operating Platform into their on-­­­premise
virtualization environments to maximize flexibility and simpli-
fy operations.
• Platform components include all suitable protections for
internet gateway and perimeter uses.
• Data centers can deploy stand-alone appliances or lever-
age virtualized platforms to segment east-west traffic and
secure communications with external partners, protecting
the supply chain.
Safely Enable Cloud Use and SaaS Applications
With Palo Alto Networks virtualized platform deployments,
retailers can extend the security of the on-premise network to
public and private clouds. You can protect Amazon® Web Services,
Microsoft® Azure® and Google® Cloud Platform environments
and private clouds from advanced cyberattacks while providing
application-level control between workloads, consistent policy
from the network to the cloud, fast deployment and dynamic
security policy updates as workloads change.
SaaS applications are traditionally invisible to IT. Palo Alto
­Networks solves this problem by providing full visibility into
the day-to-day activities of employees using SaaS applications,
such as Microsoft Office 365®, Workplace by Facebook®,
­ServiceNow® and many more. Once you determine which
applications you want to sanction and tolerate, granular security
policies block unsanctioned SaaS apps. SaaS security then blocks
any malicious files from SaaS environments and enforces granular
security policies across users, folders and file activities, protecting
your data that resides in SaaS applications.
Enable Modern In-Store Experiences While Protecting Customer
Data and POS Devices
Retailers are employing digital technologies in stores to reduce
costs, improve customer experiences and increase sales. The
Palo Alto Networks Security Operating Platform includes
­multiple features that reduce risk and increase visibility in
modern store environments:
• The platform integrates with leading network access of-
ferings for the mobile enterprise, enabling secure in-store
Wi-Fi for customers and employees as well as devices, such
as tablets, smart displays and kiosks. Customers enjoy a
secure Wi-Fi environment that limits exposure to threats
while stores gain valuable control and visibility over what
customers are doing on the network.
3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
• A network security client makes use of a secure VPN to add
a layer of security to store-owned mobile devices, such as
tablets for mobile checkout or stock checking, and enforces
acceptable use policies.
• Virtual network segmentation separates customer Wi-Fi
­access from employee intranet zones and zones that commu-
nicate with POS terminals or handle sensitive customer data.
• Advanced endpoint protection pre-emptively protects store
services and computers from zero-day malware, known and
unknown threats, and exploits.
Increase ROI With Palo Alto Networks Offerings for Retail
Eliminating point products increases the speed and efficacy of
threat prevention while reducing costs and management over-
head. Retailers may start with one capability and add new ones
to the platform over time, growing protection levels without the
cost and complexity of installing and managing new network
devices. Each security capability automatically correlates insights
on emerging threats across endpoints, data centers, SaaS and
cloud resources, ensuring fast responses to any threat without
manual intervention. As you add security capabilities, coordination
increases, as does your return on investment.
Getting Started
Start by gaining visibility into the users, applications and content
on your network. Sign up for a free Security Lifecycle Review.
This non-disruptive process will help define top risks due to
usage, unknown applications, malware and more.
Customers in more than 150 countries and in every industry
rely on us to improve their cybersecurity posture. For more
information on Palo Alto Networks, please visit https://www.­
paloaltonetworks.com­/company/about-us.
For more information on how we protect retail networks
­worldwide, please visit https://www.paloaltonetworks.com/­
solutions/industries/enterprise/retail.
© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered
trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
marks mentioned herein may be trademarks of their respective companies.
cybersecurity-for-­retail-environment-sb-053018