Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

For any business – especially those involved in storing, processing or transmitting payment data – information is one of its most important assets. Protecting this information is vital for maintaining customer trust and brand reputation. Beyond having the right security systems, technologies and procedures in place, business owners need to make sure that each and every employee is aware of the role that they play in protecting that important asset.

At Merchant Link, we recently wrapped up our annual Security Awareness Week. Guided by our Learning and Development Team, employees participated in educational trainings and activities that reinforced company security policies and provided information on the latest security threats, challenges and trends. This week on the blog, we’ll share some of the key tips and information we learned to benefit our readers.

Who are criminals targeting?
In March, we highlighted key findings of the 2012 Verizon Data Breach Incident Report.  As in years past, hospitality, retail and financial sectors topped the list.  Criminals tend to go where there’s money to be made and these industries have a high ratio of credit card transactions.  Within these industries,  a whopping 67% of breaches occurred in smaller organizations – level 3 & 4 merchants – that typically don’t have the staff or resources to employ full time security departments.

How are attackers gaining access?
It is important to remember that most data thieves are professional criminals deliberately trying to steal information they can turn into cash.  It makes sense that they would target the “low hanging fruit”.  The Verizon report shows a substantial increase in the number of breaches directly attributed to non-compliant smaller merchants and organizations.  Statistics clearly show that targeted companies have developed a complacency or even ambivalence towards security.  Whether your business is large or small, there are a variety of ways thieves can attack it.

Stolen login credentials are the most common access point.  These credentials are often obtained through social engineering.  Social engineering employs many methods designed to manipulate a person into providing sensitive information that can be used to access personal data, plant a virus or otherwise gain access to your network.  Almost half (46%) of stolen credentials were obtained by telephone and 37% were obtained in person-to-person encounters, according to the Verizon report. 

Accommodation/Food Service providers should also be aware that POS terminals have the highest percentage of user device compromises (35%).  Methods range from installing devices that capture cardholder data from magnetic stripes, to duplicating manager cards, to installing malware applications that track keystrokes.  Merchants should ensure their POS system appears on the PCI DSS website’s lists of validated payment applications and approved PIN security devices.

One of the most surprising things revealed in the data breach studies is that it comes down to basic common sense, which as it turns out is not all that common.  Breach studies increasingly show signs that basic security practices are not being exercised. It is similar to leaving your home or your car unlocked and wondering why you had a break in.  Business owners who do not implement basic common sense security practices simply invite an attack and compromise.

What can you do to protect your business and customers?
The good news is there are some simple, basic steps you can implement that will have a big impact on your overall security risk.

  • Implement a firewall on remote access services.
  • Change default credentials of point-of-sale (POS) systems and other Internet-facing devices.
  • If a third party vendor is handling the two items above, make sure they’ve actually completed these tasks.
  • Make sure your POS is a PCI DSS compliant application.
  • Eliminate PAN (Primary Account Number) data on-site.
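
As an added example (not part of the original post), here is a small Python scanner that supports the last item on the list: it finds Luhn-valid card-number candidates in exported files or logs and reports them masked, so that PAN data lingering on-site can be located and removed. The sample text and the file path are constructed for illustration.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, the checksum every branded card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (offset, masked PAN) for every Luhn-valid candidate found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan one text file (path is whatever export or log you want checked)."""
    with open(path, "r", errors="replace") as fh:
        return find_pans(fh.read())


# Constructed sample: two well-known test card numbers and one 16-digit run
# (a phone-like value) that fails the Luhn check and so is not reported.
SAMPLE = (
    "order=1001 card=4111111111111111 auth=ok\n"
    "note: customer phone 1234567890123456\n"
    "refund card 4242-4242-4242-4242 amount=19.99\n"
)

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE):
        print(f"offset {offset}: {masked}")
```

Run it over POS exports, receipt archives and application logs; every hit is a location where full card numbers should not be stored and needs to be purged or truncated.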

Still not sure how to proceed?  Partner with a payment security expert who can offer you guidance and support on an implementation strategy that makes sense for your business. 

Finally, ask yourself this question…
The impact of a data breach to any business can be very serious.  In addition to fines and legal fees, you may completely lose the ability to process credit cards.  Consider how much time and money you have available for security awareness training and PCI compliance and ask yourself “What is my company’s reputation worth?”  Would you shop at a store or use a bank that allowed your credit card number to be stolen?
