Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ Compliance ’

For any business – especially those involved in storing, processing or transmitting payment data – information is one of its most important assets. Protecting this information is vital for maintaining customer trust and brand reputation. Beyond having the right security systems, technologies and procedures in place, business owners need to make sure that each and every employee is aware of the role that they play in protecting that important asset.

At Merchant Link, we recently wrapped up our annual Security Awareness Week. Guided by our Learning and Development Team, employees participated in educational trainings and activities that reinforced company security policies and provide information on the latest security threats, challenges and trends. This week on the blog, we’ll share some of the key tips and information we learned to benefit our readers.

Who are criminals targeting?
In March, we highlighted key findings of the 2012 Verizon Data Breach Incident Report.  As in years past, hospitality, retail and financial sectors topped the list.  Criminals tend to go where there’s money to be made and these industries have a high ratio of credit card transactions.  Within these industries,  a whopping 67% of breaches occurred in smaller organizations – level 3 & 4 merchants – that typically don’t have the staff or resources to employ full time security departments.

How are attackers gaining access?
It is important to remember that most data thieves are professional criminals deliberately trying to steal information they can turn into cash.  It makes sense that they would target the “low hanging fruit”.  The Verizon report shows a substantial increase in the number of breaches directly attributed to non-compliant smaller merchants and organizations.  Statistics clearly show that targeted companies have developed a complacency or even ambivalence towards security.  Whether large or small there are a variety of ways thieves can attack your business.

Stolen login credentials are the most common access point.  These credentials are often obtained through social engineering.  Social engineering employs many methods designed to manipulate a person into providing sensitive information that can be used to access personal data, plant a virus or otherwise gain access to your network.  Almost half (46%) of stolen credentials were obtained by telephone and 37% were obtained in person-to-person encounters, according to the Verizon report. 

Accommodation/Food Service providers should also be aware that POS terminals have the highest percentage of user device compromises (35%).  Methods range from installing devices to capturing cardholder data from magnetic stripes to duplicating manager cards or installing malware applications to track keystrokes.  Merchants should ensure their POS system is listed on the PCI DSS website of validated payment applications and approved PIN security devices.

One of the most surprising things revealed in the data breach studies is that it comes down to basic common sense, which as it turns out is not all that common.  Breach studies increasingly show signs that basic security practices are not being exercised. It is similar to leaving your home or your car unlocked and wondering why you had a break in.  Business owners who do not implement basic common sense security practices simply invite an attack and compromise.

What can you do to protect your business and customers?
The good news is there are some simple, basic steps you can implement that will have a big impact on your overall security risk.

  • Implement a firewall on remote access services.
  • Change default credentials of point-of-sale (POS) systems and other Internet-facing devices.
  • If a third party vendor is handling the two items above, make sure they’ve actually completed these tasks.
  • Make sure your POS is a PCI DSS compliant application.
  • Eliminate PAN (Primary Account Number) data on-site.

Still not sure how to proceed?  Partner with a payment security expert who can offer you guidance and support on an implementation strategy that makes sense for your business. 

Finally, ask yourself this question…
The impact of a data breach to any business can be very serious.  In addition to fines and legal fees, you may completely lose the ability to process credit cards.  Consider how much time and money you have available for security awareness training and PCI compliance and ask yourself “What is my company’s reputation worth?”  Would you shop at a store or use a bank that allowed your credit card number to be stolen?

by Tim Kinsella

My kids are like most kids.  They are into most sports, particularly baseball and basketball, and hanging out with friends.  More recently, video games have taken their place in our household.  So when I saw that there was a major security breach on the PlayStation Network, I realized that my world and my kid’s world had collided.

My immediate response was to make sure that my credit card information was safe.

Thankfully, all the credit card information on the system was encrypted preventing the hackers from obtaining this valuable data. Unfortunately, not all the data was encrypted leaving the 77 million users still vulnerable to some kind of identity theft.

It got me thinking about security standards.  Most credit card merchants today realize the impact of a breach. We’ve been educating merchants for years on using tokenization and encryption solutions to protect sensitive payment data.  So why don’t all companies utilize encryption or tokenization solutions to protect their customers’ data? And if they do, why aren’t they using encryption for all important data?

The Payment Card Industry Security Standard sets requirements for companies that process credit card information in order to prevent theft or fraud. One requirement is to encrypt any data that is transferred on public networks.  The fact is that all data that can be used for fraud needs to be evaluated and protected.  Being compliant is not enough…rather it is just the beginning.  Too many merchants believe that compliance equals data security.  In reality, compliance is a step toward true data security.  In the end, it is safer for companies to completely remove this data from their system.

When personal and financial information can be threatened, merchants need to take greater measures to protect this vital data and to ensure the confidence of their customers.

Meanwhile, I have since turned off the gaming consoles and encouraged my kids to pick up a book instead.

by Tim Kinsella

When Visa released its suggested best practices for tokenization on July 16th, those of us in the industry knew it was just the beginning of a much broader debate on what these guidelines meant and whether or not they really were the best practices.

Merchant Link’s stance is very clear: while Visa’s best practices are a good start and we laud their endorsement of tokenization, there is more to be done. Just what needs to be done and how it needs to happen should be a source of great debate among not only solution providers, but also merchants.

Ericka Chickowski has certainly added to the debate in her recent piece in Dark Reading where she offers four best practices for tokenization. Her suggestions focus on:

1. Generating random tokens
2. Engaging a third party solution to create robust solutions
3. Ensuring that the server is PCI-compliant
4. Creating a multifaceted solution – one which includes both tokenization and encryption

What do you think? Leave us a comment with your insights.

by Scott Franklin

Often, the thought of improving your company’s data security posture seems overwhelming. Not only are there questions of what to secure, but larger questions often arise about the desired end-state and how best to overcome the numeorius obstacles that arise when implementing any security or compliance program. For example, should compliance be the desired end-state, or is a broader notion of security a more appropriate goal? Equally, should data security be treated solely as a technology problem, or is it better to treat it as a business problem and push for board-level visibility?

Before too many possibilities start swimming in your head, here are 8 steps to help simplify your thinking:

1. Know where and how any PCI-related data, or other sensitive information, is stored, processed, or transmitted throughout your organization. This can be done by identifying all systems, processes, and interaction points that involve the acceptance, storage, processing, and transmission of credit card data. Consider how you manage and secure paper and electronic documents that contain sensitive data as well as what happens to any recorded Voice over IP calls. As part of that process develop an understanding of who has access to this sensitive data and consider limiting access based on user roles.

2. Know what is on your network and how your network is accessed. Inventory management is an important first step in improving your company’s data security posture. While taking stock of legitimate computers and WiFi access points, your IT team should also be on the lookout for rogue computers, insecure remote access points, and open wireless networks. One often overlooked source of access in hotels is a co-mingled guest/hotel business network. For the protection of all parties, the guest network and the hotel business network should both be protected by firewalls and maintain fully independent infrastructure.

3. Make security and compliance everyone’s responsibility. Remember that compliance is not just an IT security problem, it’s a business issue, and to be effective, it requires all employees to support and enforce the effort. Awareness campaigns are just the beginning of a more rigorous educational effort to promote awareness of organizational policies and procedures from the C-suite to the front desk.

4. While it’s tempting to store every last piece of data, a prudent company will retain data only as long as its required for business purposes and not a day longer. While this applies broadly to all data, it is particularly important to keep customer data no longer than absolutely needed. The bottom line here is that cyber thieves can’t steal what you don’t have; if you don’t have customer data hanging around, there’s nothing to steal!

5. Develop an Information Security (or Data Security) Plan/Program that addresses both internal and external threats. Make sure the plan covers all aspects of data security and protection and addresses all key constituents, including vendors, contractors, and partners. And then educate, educate, educate!

6. Make sure you’re using the right tool for the job. Tokenization and end-to-end encryption solutions can help provide protection of sensitive data throughout the entire operational life cycle. Using solutions such as these will reduce your PCI burden, result in bottom-line savings, and generally enhance the overall security posture of your company. Consider also using PCI compliant PMS systems (PA-DSS) and use TRSMs when possible.

7. While some aspects of your new data security plan do require spend, there are many steps that can be taken inexpensively (but have excellent return on investment), and some that are entirely free. For example, the use of strong passwords that are changed regularly (and always changed when new systems are installed) is completely free and an incredibly effective technique to increase your security posture. Another freebie is to update systems regularly; implement a patch management program to make sure all OS and application patches are installed in a timely fashion and make sure that unnecessary accounts are removed from systems. Other low-cost solutions include using endpoint protection software, such as anti-virus software, deploying firewalls, and conducting regular web application security scans.

8. And finally, don’t be afraid to ask for help. Your vendors should be able to assist you with rudimentary PCI compliance questions. At Merchant Link, key members of our team participate in PCI Council working groups and related industry forums so we are up to date on the latest information and can share our knowledge with our customers. For more daunting questions, consider engaging a QSA or another bona fide security expert for advice and guidance. While this may require upfront expenditure, the fee is going to be much less expensive than a breach. Then, just as you have an evacuation plan for a physical security emergency, consider developing a breach response plan so you know who to contact if a breach occurs – key contacts include the merchant bank as well as federal and state law enforcement agencies.

Remember, you’re not alone. Given that every organization that touches a credit card transaction is affected by PCI compliance issues there are thousands of IT security professionals facing the same complexities and similar issues to you. Listed below are some of my go-to security resources:

https://www.pcisecuritystandards.org/index.shtml
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
http://www2.visaeurope.com/documents/ais/hotelbreach_europe_2.pdf
http://www.crowell.com/pdf/SecurityBreachTable.pdf

by Beth McGarrity

It’s always interesting to find out what security practitioners, those out in the field, think about the security and compliance challenges they face day in and day out as they secure their networks and customer data.

A few months ago, when we were at the RSA show, we interviewed Jason Stead of Choice Hotels International to find out his thoughts about the security and compliance conundrum.  Does being compliant mean that a company is secure?  Or should compliance be a byproduct of best practice security activity?

Watch the video below to hear Jason’s thoughts.