Payment Quarterly | Q4 2015 (Money20/20)

Page 19

Implementing Layered Security for the POS

In 400+ investigations conducted by the U.S. Secret Service last year, improper payment platform setup and maintenance was found to be the common point of compromise. It’s important to realize that criminal hackers use a variety of methods to steal data. Tactics such as “skimming” target the POS hardware, while phishing attacks focus on software. The PCI Security Standards Council stresses the importance of taking a layered approach to security – people, processes and technology – which protects each facet of the payment environment.

Consider the following:

Use secure payment software for point-of-sale. Choose a payment application that has been validated against PCI SSC requirements.

Install secure point-of-sale devices. Select an approved PIN Transaction Security device from the PCI SSC list of approved devices.

Use trusted and vetted technology partners. Work with a Qualified Integrator and Reseller (QIR). These technology partners are educated in secure installation of point-of-sale devices in a manner that facilitates PCI DSS compliance.

Encrypt data. Use a PCI Point-to-Point Encryption solution to improve security and simplify PCI DSS compliance efforts. These lab-tested products and providers guarantee the strongest encryption protections for payment data.

GET RID OF DEFAULT PASSWORDS Cybersecurity firm Trustwave reports that close to 90 percent of payment card readers (including the device and software) currently use the default factory setting that comes with the equipment and is easily found online by would-be attackers. Criminals then use these passwords to hack into the POS devices and infect them with malware that steals payment data. A good number of merchants don’t even know they need to change factory-installed passwords. Additionally, their equipment reseller isn’t changing them when they set it up for the first time, nor do they change it when they do maintenance.

Businesses need to insist that passwords on systems are changed from the default ones the product came with to something that is difficult to guess – such as combining upper case letters, numbers and special characters, or using a passphrase. Update these passwords regularly, and especially after outside contractors do hardware, software or point-of-sale system installations or upgrades.

LOCK DOWN REMOTE ACCESS Weak passwords or weak remote access security contributed to 94% of POS breaches investigated by Trustwave in 2014. Merchants are often not aware that remote access is left persistently running – that is, outside vendors have access to their system whenever they want – or of the possibility that this remote access could be exploited by an attacker. PCI DSS requires that remote access should only be enabled if and when it needs to be used, but oftentimes businesses don’t even know it exists. The key recommendation here is to disable it until it needs to be turned on. Merchants need to insist with their POS reseller that this is the case. When it is turned on, organizations need to be able to confirm that the service and tools used are safe – up to date, configured correctly and with security best practices applied. Remote access should be monitored while it is in use, to provide assurance that it is only used to access the systems necessary and only during approved times. Using two-factor authentication is another important security control and PCI DSS requirement. Two-factor authentication requires users to identify themselves with a combination of different components from “something you know”, such as a password or passphrase, “something you have”, such as a
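The recommendations above (no factory-default passwords, strong passwords or passphrases, rotation after contractor work, remote access enabled only inside approved windows, and two-factor authentication on remote access) can be turned into a routine inventory check. The following Python script is an added example written for this article, not code from the magazine, PCI SSC or Trustwave. The inventory records, the placeholder list of "known default" passwords and the 90-day maximum password age are all constructed assumptions (the article only says passwords should be updated "regularly"); a real check would use the vendor's documented defaults and the merchant's own rotation policy.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed placeholders; substitute the vendor's documented factory defaults.
KNOWN_DEFAULT_PASSWORDS = {"changeme", "password", "default", "1234"}

# Assumption: the article only says "regularly"; 90 days is a policy choice.
MAX_PASSWORD_AGE = timedelta(days=90)


@dataclass
class PosDevice:
    """One POS terminal as recorded in a (constructed) merchant inventory."""
    device_id: str
    password: str
    password_changed: date
    last_vendor_service: Optional[date]          # last reseller/contractor visit
    remote_access_enabled: bool
    remote_access_window: Optional[Tuple[datetime, datetime]]  # approved start/end
    two_factor_enabled: bool


def password_is_strong(password: str) -> bool:
    """Accept either a multi-word passphrase or a mixed-class password,
    mirroring the article's two suggested forms."""
    if len(password) >= 16 and len(password.split()) >= 3:
        return True  # passphrase
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def audit_device(dev: PosDevice, now: datetime) -> List[str]:
    """Return finding codes for one device; an empty list means compliant."""
    findings: List[str] = []

    if dev.password.lower() in KNOWN_DEFAULT_PASSWORDS:
        findings.append("DEFAULT_PASSWORD")
    elif not password_is_strong(dev.password):
        findings.append("WEAK_PASSWORD")

    # Passwords must be rotated after contractors touch the system.
    if dev.last_vendor_service and dev.password_changed < dev.last_vendor_service:
        findings.append("PASSWORD_NOT_ROTATED_AFTER_SERVICE")

    if now.date() - dev.password_changed > MAX_PASSWORD_AGE:
        findings.append("PASSWORD_TOO_OLD")

    if dev.remote_access_enabled:
        window = dev.remote_access_window
        # Remote access left on with no approved window, or outside it, is persistent access.
        if window is None or not (window[0] <= now <= window[1]):
            findings.append("REMOTE_ACCESS_OUTSIDE_APPROVED_WINDOW")
        if not dev.two_factor_enabled:
            findings.append("REMOTE_ACCESS_WITHOUT_2FA")

    return findings


def audit_inventory(devices: List[PosDevice], now: datetime) -> Dict[str, List[str]]:
    """Audit every device and map device_id to its findings."""
    return {dev.device_id: audit_device(dev, now) for dev in devices}


# Constructed sample inventory and audit time (not real merchant data).
NOW = datetime(2015, 11, 2, 10, 0)
SAMPLE_INVENTORY = [
    PosDevice("lane-01", "changeme", date(2015, 1, 15), date(2015, 9, 1),
              True, None, False),
    PosDevice("lane-02", "Summer2015", date(2015, 10, 20), date(2015, 10, 19),
              False, None, False),
    PosDevice("lane-03", "correct horse battery staple", date(2015, 10, 1),
              date(2015, 9, 15), True,
              (datetime(2015, 11, 2, 9, 0), datetime(2015, 11, 2, 12, 0)), True),
    PosDevice("lane-04", "Tr0ub4dor&3", date(2015, 7, 1), None, True,
              (datetime(2015, 11, 1, 9, 0), datetime(2015, 11, 1, 12, 0)), True),
]

if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_INVENTORY, NOW).items():
        print(device_id, "OK" if not findings else ", ".join(findings))
```

Each finding maps back to one recommendation in the article, so the report doubles as a checklist for the conversation with the POS reseller: lane-01 shows the combined failure the article warns about (factory default, never rotated after service, remote access always on and without two-factor), while lane-03 shows a terminal that passes because its remote session is inside an approved window with two-factor enabled.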

