Important Notice
This guide is for informational purposes only and does not constitute legal or professional advice. Cybersecurity is the responsibility of each retailer, and it is essential to assess your business's specific risks and requirements. While we aim to provide general best practices below, we strongly recommend consulting a qualified cybersecurity expert to ensure your business meets appropriate security standards.
Staff Training & Awareness
Train all staff, especially those handling POS systems, customer data, or admin panels.
Educate employees on phishing, social engineering, and recognizing suspicious links.
Conduct regular refresher courses and simulate phishing emails to build awareness.
Access Control
Implement role-based access control (RBAC)—staff should only access what they need. You can find more about access levels in Cloud POS in the following HowTo: Managing Cashiers // Security Levels Explained.
Ensure each staff member has an individual user account (never shared) with audit logging.
Cloud POS also provides an optional IP Whitelisting functionality, which allows you to control access to Cloud POS by specifying which IP addresses can access the system. There is more about this in the following HowTo: How do I restrict access to Cloud POS by IP address?
NB: IP whitelisting should be used with care, as it is possible to lock yourself out by mistake, for example if your own current address is not on the list, or if your broadband connection uses a dynamic IP address that changes without warning. Check what your public IP address is before enabling it, and we'd recommend contacting the Support Team for assistance before or after enabling whitelisting if required.
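As an added illustration (not part of the Cloud POS product or of this guide), the following Python script models the lock-out check a practitioner would make before enabling IP whitelisting: it validates each allowlist entry, flags ranges so broad that whitelisting would be pointless, and confirms that the administrator's own current address is actually covered. The entry format, the function names and the sample addresses (taken from the RFC 5737 documentation ranges) are assumptions made for the example; Cloud POS's real whitelisting is configured in the admin panel as described in the HowTo above.

```python
import ipaddress


def parse_allowlist(entries):
    """Turn allowlist entries (single addresses or CIDR ranges) into network objects.

    Raises ValueError on any entry that is not a valid IPv4/IPv6 address or range,
    so a typo is caught before the list is ever enabled.
    """
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        # strict=False lets '203.0.113.10/24' through and normalises it to 203.0.113.0/24
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(networks, ip):
    """True if the given address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def check_allowlist(entries, admin_ips):
    """Return a list of problems found; an empty list means it is safe to enable.

    admin_ips are the public addresses the administrators are connecting from
    right now (assumed to be looked up beforehand, e.g. from the router's WAN page).
    """
    problems = []
    try:
        networks = parse_allowlist(entries)
    except ValueError as exc:
        # One bad entry is enough to refuse: fix it rather than guess what was meant.
        return [f"invalid entry: {exc}"]

    if not networks:
        return ["allowlist is empty: enabling it would block everyone, including you"]

    for net in networks:
        if net.prefixlen == 0:
            problems.append(f"{net} allows every address; whitelisting would be ineffective")
        elif net.version == 4 and net.prefixlen < 16:
            problems.append(
                f"{net} is very broad ({net.num_addresses} addresses); confirm it is intended"
            )

    for ip in admin_ips:
        if not is_allowed(networks, ip):
            problems.append(
                f"administrator address {ip} is not in the allowlist: you would lock yourself out"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample: the shop's static line plus the owner's home connection.
    proposed = ["203.0.113.10", "198.51.100.0/24"]
    # Constructed sample: the address the owner is currently connecting from.
    my_current_ip = "192.0.2.44"
    for problem in check_allowlist(proposed, [my_current_ip]) or ["no problems found"]:
        print(problem)
```

The check is deliberately conservative: it refuses an allowlist with any unparseable entry rather than silently skipping it, because the entry you mistyped is often the one that was meant to cover your own connection.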
Multi-Factor Authentication (MFA)
Require MFA on every system that supports it, including Citrus-Lime products, any other admin dashboards, email accounts, and CRM platforms.
Use an authenticator app such as Authy or Google Authenticator, or a hardware security key for the most sensitive access. Where you have the choice, prefer these over one-time codes sent by SMS, which can be intercepted or redirected by an attacker who takes over the phone number.
You can find more about MFA for Citrus-Lime products in the following HowTo: How do I set up and use 2FA for my Cloud POS group?
Device Management
All business devices (POS, tablets, staff PCs) should have:
Antivirus software
Automatic OS/software updates
Remote wipe capability for lost/stolen devices
Mobile Device Management (MDM) for company-owned mobile devices
Incident Reporting Policy
Make it easy and mandatory for staff to report security incidents or suspicious activity.
Ensure a clear escalation process is in place for reporting threats.
Network & System Setup Best Practices
Secure Wi-Fi & Networking
Separate guest/customer Wi-Fi from internal business networks.
Use WPA3 encryption (or WPA2 with AES if your equipment does not support WPA3) and a strong, unique passphrase. MAC address filtering can be added, but it is easily bypassed by an attacker who copies the address of a permitted device, so do not rely on it as a security control.
Change the router's default administrator password, disable features you do not use (such as WPS and remote administration), keep the router firmware updated, and change the Wi-Fi passphrase regularly and whenever a staff member who knew it leaves.
Firewalls & Intrusion Detection
Use hardware firewalls for all store locations.
Deploy Intrusion Detection/Prevention Systems (IDS/IPS) such as Snort or Suricata, and make sure someone is responsible for reviewing the alerts they generate; an IDS that nobody reads adds no protection.
VPN for Remote Access
Require a secure VPN for remote staff access.
Protect VPN access with Multi-Factor Authentication (MFA).
Endpoint Protection & Patch Management
Automate patching for all devices and systems.
Maintain an inventory of all devices and conduct regular audits.
Data Encryption
Encrypt sensitive data at rest by enabling full-disk encryption (such as BitLocker or FileVault) on laptops, staff PCs and tablets, and store sensitive files in a reputable cloud service protected by strong credentials and MFA rather than on local drives, USB sticks or email attachments.
Backup & Recovery
Use ransomware-resistant backups: keep at least one copy offline or in immutable (write-once) storage that a compromised account cannot delete or encrypt, back up regularly, and test restoring from backup so you know it works before you need it.
In-store Payment Security
Ensure PCI-DSS compliance if handling card payments in store.
Never store cardholder data (full card numbers, expiry dates or security codes) on your own systems, on paper or in email; let your PCI-compliant payment terminal or payment provider handle it.
Your Citrus-Lime eCommerce website does not store or collect cardholder data directly, and only works with PCI-compliant payment partners to ensure security of payment data online.
Legal & Compliance (UK-Specific)
Comply with UK GDPR: collect only the personal data you need, store it securely (protect the accounts that hold it with strong credentials and MFA), and allow customers to access their data or request its anonymisation or deletion.
If you'd like to know more about anonymising data in Citrus-Lime products, you can find this in the following HowTo guides:
Cloud POS // How do I anonymise Customer Information in Cloud POS?
Cloud MT // GDPR & The 'Right to be forgotten'
Customer Rewards // How do I anonymise customer information in Customer Rewards?
Appoint a Data Protection Officer (DPO) if legally required.
Register with the ICO (Information Commissioner’s Office) if processing personal data.
Optional but Recommended
Annual penetration testing or vulnerability assessment of your eCommerce website.
Obtain Cyber Essentials certification—a UK government-backed scheme to guard against cyber threats and demonstrate cybersecurity commitment.
By implementing these cybersecurity measures, you can better protect your retail business, customer data, and financial assets.