Security, compliance, and privacy

  • 6 minutes

The following issues make security and compliance a unique challenge for the retail industry:

  • A multitude of systems has always been in the retail space, from POS to CRM and other improvised systems across a wide network of stores, production centers, fulfillment centers, and corporations. Additionally, extensive apps, devices, and users have amassed across and outside of the corporate network. As the organizational barriers blur between who's in the network or not, organizations struggle to manage identities for their employees and external partners, suppliers, distributors, and even consumers, customers, or citizens.

  • Retailers are more vulnerable to cyber attacks, especially identity and software supply chain attacks. The phrase "supply chain" in this context has a different meaning than the commonly understood meaning in retail related to logistics and transportation. Software supply chain security is the security of software code, which is traced back to its original sources and used by an entity and its external service providers throughout the full development and deployment life cycle.

  • Consumer privacy is imperative, and it impacts a brand's reputation and value when it isn't protected. Retailed have to plan ahead and with trust-building at their core, seize the opportunity to define transparent, consumer-centric privacy standards

  • Increasing compliance mandates have been established across the globe that pertains to customer privacy. Nearly half of US states are developing data policy legislation, meaning that a patchwork of law is established, making compliance confusing and complex to manage.

Security, identity, and threat protection

Microsoft helps you protect against the latest threats with intelligent tools to prevent attacks and react quickly to security events.

Identity and access

Identity and access features provide:

  • Benefits of a rich set of security capabilities from Microsoft Entra ID, including multifactor authentication and fine-grained Conditional Access policies.

  • The ability to create access policies and use multifactor authentication based on specific retail personas, such as cashiers, managers, HR, and more.

  • Microsoft's principle of Zero Standing Access (ZSA) to customer data. You can use Customer Lockbox to approve or reject customer data access requests in the exceptional situation where such access is needed.

Encryption

Encryption features help you:

  • Increase compliance and protect sensitive data with customer-managed keys (CMK).

  • Use Azure private link and network isolation to help ensure private access to online services, and protect connectivity with TLS 1.2 Encryption in Transit.

  • Use endpoint encryptions, based on devices and security needs, to accommodate a complex retail ecosystem.

Threat protection

Threat protection provides you with the following benefits:

  • Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. This single solution provides alert detection, threat visibility, proactive hunting, and threat response.

  • Microsoft services undergo external penetration tests, and we recommend that customers also validate by performing independent penetration tests to keep their environment secure.

Regulatory compliance

Microsoft offers integrated compliance tools that are designed for retail.

Diagram showing Regulatory compliance. Take advantage of integrated compliance tools.

These compliance tools include:

  • Regulatory compliance checklists for different countries/regions and states
  • In-region data storage and multi-geo capabilities
  • WORM storage, surveillance, and data compliance
  • eDiscovery, investigations support, and audit logging
  • Payment Card Industry compliance (PCI DSS)
  • Information barriers

Partner solutions compliance certification

The ISO 27001 and SSAE 18 SOC 2 partner certifications accelerate your risk assessment and ensure end-to-end compliance coverage for Microsoft Cloud for Retail.

  • Partner apps are extensively validated for application security through external penetration tests, application code security analysis, and checking for common application vulnerabilities.

  • Microsoft's Zero Standing Access (ZSA) policy for partners, enforcement of multifactor authentication, and full audit logging help minimize and secure partner access to your environment with full transparency.

  • Partner data security and privacy commitments include in-region data storage, data encryption in transit and at rest, presence of data retention and disposal policies, and validation of alignment against external regulations.

  • Where applicable, Microsoft reviews partners' operational security processes and infrastructure security. This review includes checks for the presence of anti-malware and firewalls. It also includes validation of change, development, and other operational processes for the presence of adequate security and compliance controls.

  • Contractual commitments, such as unrestricted rights of audit by customer and regulator and transparency over sub processors, are extended to these partners.