
Posed by PCI Non-Compliance
• Compromised data that negatively impacts consumers, merchants, and financial institutions.
• Severely damaging your reputation and your ability to conduct business effectively, not just today, but into the future.
• Account data breaches that can lead to catastrophic loss of sales, relationships, and community standing; plus, public companies often see a depressed share price as a result of account data breaches.
• Lawsuits, insurance claims, canceled accounts, payment card issuer fines, and government fines.
• PCI Compliance, as with other regulatory requirements, can pose challenges to organizations that are not prepared to deal with protecting critical information. But, protecting data is a much more manageable task with the right software and services. Choose a data loss prevention software that accurately classifies data and uses it appropriately so you can rest more easily knowing that your cardholder data is secure.
Best Practices
• The Payment Card Industry Data Security Standard (PCI-DSS) aims to enhance security for consumers by setting guidelines for any company that accepts, stores, processes, or transmits credit card information — regardless of the number of transactions or the size of those transactions. Because of that, there are thousands of organizations spanning practically every industry that must comply with these standards.
• Maintaining compliance is a top priority.
1. Have Store Personnel Monitor Self-Checkout Terminals/Kiosks
• There are two methods by which POS data is stolen: by compromising the POS system itself using stolen credentials, or by physically installing “card skimmers,” usually on self-checkout terminals that are not monitored. These devices, which take only seconds to install, steal payment card data and PIN information directly off the card’s magnetic stripe. While the introduction of new chip cards will eliminate the threat of card skimmers, 42% of retailers have yet to update their payment terminals to accept chip cards – and even some retailers who have EMV-enabled terminals cannot accept chip cards because the POS software cannot yet handle them. It is imperative that such terminals not be left completely unattended. Every store should have on-site personnel who are trained to spot card skimmers and assigned to monitor self-checkout terminals for their presence.
2. Ensure that Both POS and OS Software Is Up-to-Date
• Because cyber security is a constant “Spy vs. Spy” battle where experts find ways to patch vulnerabilities while hackers find new ways to access systems, POS software systems release frequent updates to address the most recent security threats. For maximum protection, these updates must be downloaded and installed as soon as they are released, not on a monthly or quarterly schedule. The same concept applies to operating system software; retailers and restaurants that are running Microsoft Windows should ensure that patches are installed as soon as they are available.
3. Always Change Default Manufacturer’s Passwords
• Retailers and restaurants should always change the default password provided by the manufacturer as soon as a new piece of hardware is hooked up to their POS system.
• Default passwords are publicly available, and thus widely known to hackers; in fact, the first thing an attacker will attempt to do is access the device using the default password.
• Changing default passwords is required as part of an organization’s compliance with PCI-DSS standards. Likewise, software system passwords should also be changed upon installation, and then on a regular basis afterwards.
4. Isolate the POS System from Other Networks
• Many retailers, restaurants, and hotels offer free Wi-Fi to their customers. The POS system should never be hooked up to this network, as a hacker can use it to access the system. Likewise, if an organization’s POS system is not separated from its corporate network, a hacker who compromises the organization’s main network will be able to access its POS system. There are two ways to achieve this: by actually segmenting the two networks or by using multifactor authentication for communication between the organization’s main network and its POS system. The correct solution for a particular organization depends on its size and resources, so it’s best for organizations to consult a managed security services provider (MSSP) to determine which solution would best fit their needs.
5. Always Purchase POS Systems from Reputable Dealers
• Retailers and restaurants have extremely thin profit margins, and the individually franchised restaurants that are popular in the fast-food industry tend to operate on particularly tight budgets. As the industry automates for the first time, it may be tempting for these small operators to seek out the best “deal” on self-checkout systems – but a POS system purchased from a manufacturer who turns out to be fraudulent is no “deal” at all, and it could result in financial ruin for that location. POS systems should be purchased only from known, reputable dealers, and if a “deal” on a system seems too good to be true, it probably is.
6. Your number one priority is protecting your cardholder data (CHD). PCI has a very comprehensive set of rules to accomplish protection, but your company can keep the following best practices in mind when striving for PCI compliance.
• Segment your data – It is imperative to keep your CHD segmented from your standard company data. This entails creating a cardholder environment (CHE) that only deals with CHD. This not only protects your data but it also reduces the scope of your PCI audit.
• Encrypt your data – All CHD should be encrypted, or tokenized, from the moment you interact with your customer’s card number. This also includes ensuring this data is encrypted while at rest.
• Control access to your data – Role-based access controls (RBAC) will make your PCI compliance much easier. RBAC will ensure your HR department has no access to CHD and your system administrators have the access they need.
• Monitor your data – Set up alerts for security incidents involving CHD or anything that could compromise your CHE. Attackers usually do not compromise your data by coming through your front door, but rather do it in a methodical, hidden manner as to not alert you. Monitor even the assets that you feel are trivial but support your CHE.
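The four practices above fit together in code. The following Python vault is an added example, not code from the article or from any PCI product: full PANs live only inside the vault (the cardholder environment), everything outside it holds a random token plus the last four digits, detokenization is gated by role, and every allowed or denied request is written to an alert list that a SIEM would consume. The role names, function names and the sample PAN are constructed; the vault store would additionally be encrypted at rest in a real deployment, which the standard library alone cannot show here.

```python
"""Minimal cardholder-data (CHD) vault: tokenization, RBAC and alerting.

Added example, not from the article. Standard library only; role names,
function names and the sample PAN are constructed for illustration.
"""
import secrets

# Roles allowed to recover a full PAN. HR is deliberately absent (constructed).
DETOKENIZE_ROLES = {"payments-admin", "settlement-service"}


def normalize_pan(pan):
    """Strip spaces/dashes and check the length is plausible for a PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits


def mask(pan):
    """Display form permitted outside the CHE: everything but the last four."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CHDVault:
    """The only component that holds full PANs; everything else gets tokens."""

    def __init__(self):
        self._vault = {}   # token -> PAN (encrypted at rest in production)
        self.alerts = []   # security events for monitoring

    def tokenize(self, pan):
        digits = normalize_pan(pan)
        # Random token: carries no information about the PAN without the vault.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = digits
        return {"token": token, "last4": digits[-4:], "masked": mask(digits)}

    def detokenize(self, token, role, actor):
        """RBAC gate: deny and alert unless the caller's role is permitted."""
        if role not in DETOKENIZE_ROLES:
            self.alerts.append(f"DENIED detokenize token={token} actor={actor} role={role}")
            raise PermissionError("role not permitted to read CHD")
        if token not in self._vault:
            self.alerts.append(f"UNKNOWN token={token} actor={actor} role={role}")
            raise KeyError("unknown token")
        self.alerts.append(f"ALLOWED detokenize token={token} actor={actor} role={role}")
        return self._vault[token]


def demo():
    """Tokenize a constructed test PAN, then show one denied and one allowed read."""
    vault = CHDVault()
    record = vault.tokenize("4111 1111 1111 1111")   # constructed test PAN
    try:
        vault.detokenize(record["token"], role="hr", actor="bob")
    except PermissionError:
        pass
    pan = vault.detokenize(record["token"], role="settlement-service", actor="batch-job")
    return record, pan, vault.alerts


if __name__ == "__main__":
    record, pan, alerts = demo()
    print(record)
    print("recovered PAN matches:", pan == "4111111111111111")
    print("\n".join(alerts))
```

The point for scoping is that any system storing only `record["token"]` and `record["last4"]` never sees a PAN, while the one `DENIED` alert is exactly the kind of event the monitoring practice above asks you to watch for.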
7. The PCI-DSS considers any person, system, or piece of technology that touches cardholder data (CHD) as in scope.
• For example, if your organization operates a contact center that regularly accepts customer payments over the phone, you can descope your IT network infrastructure, agents/customer service representatives, call recording systems, and other telephony from compliance by using dual-tone multi-frequency (DTMF) masking technologies.
• These technologies allow customers to directly enter their payment card data into their phone's keypad, replacing DTMF tones with flat ones so they are indecipherable.
• By sending the CHD directly to the payment processor, such solutions keep the data out of the contact center environment completely.
• As a result, there are far fewer controls required for PCI-DSS compliance, while sensitive data is out of reach from fraudsters and hackers.
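To make the descoping argument concrete, here is a simulation of the call path described above. It is an added example, not code from the article or from any DTMF-masking vendor: call audio is modelled as a list of events, and while keypad capture is active the proxy replaces each DTMF tone pair with a flat tone on the agent/recording leg and routes the digit only to the payment-processor side, so the card number never reaches the agent, the call recorder or the contact-center network. The event shapes, the sample call and the test PAN are constructed; the frequency table is the standard DTMF keypad map.

```python
"""Simulation of DTMF masking on a contact-center call.

Added example, not from the article. Event shapes, the sample call and the
test PAN are constructed; DTMF_FREQS is the standard keypad frequency map.
"""

FLAT_TONE = ("flat", None)   # what the agent and the recorder receive instead

# Standard DTMF (low Hz, high Hz) pairs for each keypad key.
DTMF_FREQS = {
    "1": (697, 1209), "2": (697, 1336), "3": (697, 1477),
    "4": (770, 1209), "5": (770, 1336), "6": (770, 1477),
    "7": (852, 1209), "8": (852, 1336), "9": (852, 1477),
    "*": (941, 1209), "0": (941, 1336), "#": (941, 1477),
}
KEY_FOR_FREQS = {freqs: key for key, freqs in DTMF_FREQS.items()}


def luhn_ok(digits):
    """Luhn check used on the processor side to confirm a complete PAN."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class MaskingProxy:
    """Sits between the caller and the contact center (constructed model)."""

    def __init__(self):
        self.agent_leg = []          # audio the agent hears and the recorder stores
        self.processor_digits = []   # keypad digits, processor-bound only
        self.capturing = False

    def handle(self, event):
        kind, payload = event
        if kind == "capture":                    # control message, not audio
            self.capturing = payload == "start"
            return
        if kind == "tone" and self.capturing:
            key = KEY_FOR_FREQS.get(payload)
            self.agent_leg.append(FLAT_TONE)     # agent/recorder never get the tone
            if key == "#":                       # terminator ends keypad entry
                self.capturing = False
            elif key is not None and key.isdigit():
                self.processor_digits.append(key)
            return
        # Speech, or tones outside capture (e.g. IVR menu choices), pass through.
        self.agent_leg.append(event)


def run_call(events):
    """Return (agent leg, PAN assembled processor-side, Luhn result)."""
    proxy = MaskingProxy()
    for ev in events:
        proxy.handle(ev)
    pan = "".join(proxy.processor_digits)
    return proxy.agent_leg, pan, luhn_ok(pan)


# Constructed call: speech, secure capture of a test PAN, speech.
SAMPLE_CALL = (
    [("speech", "agent: please key your card number on the keypad, then press #")]
    + [("capture", "start")]
    + [("tone", DTMF_FREQS[k]) for k in "4111111111111111#"]
    + [("speech", "agent: thank you, the payment was accepted")]
)

if __name__ == "__main__":
    leg, pan, ok = run_call(SAMPLE_CALL)
    print("agent leg:", leg)
    print("processor got PAN:", pan, "luhn ok:", ok)
```

Everything in `agent_leg` is what the recording system would store, and it contains no tone events at all during capture; that is the property an assessor checks when agreeing to take the recorder and the agents out of scope.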