Putting Security First – Tips for Merchants to Protect Data

Markiyan Malko |

May 29, 2013

Tips for Merchants to Protect Data

Regardless of the size of your business, you are susceptible to fraud and data breaches and responsible to protect your customers’ data while complying with PCI DSS (PCI Council Data Security Standards). While many business owners feel that their business is too small to be breached, according to Visa's estimates, some 95 percent of credit card data breaches occur with small business customers. And, in 2012, the retail industry made up 45 percent of data breach investigations - the highest percentage in history and a 15 percent increase over 2011.

In the Fall of 2012, Merchant Warehouse partnered with ControlScan, the industry’s leading provider of PCI compliance and security solutions for small merchants and the businesses that serve them, on a merchant survey. Nearly half (50 percent) of those surveyed were not clear on the specifics around PCI DSS and more than three-quarters (79 percent) felt that their company was at little or no risk for data compromise. Alarming statistics considering that PCI DSS compliance is required and knowing that data breaches occur regardless of business size.

There are a few very basic, yet critical actions you can take as a business owner to protect your business and your customers’ data – tightening up security while paving your way to PCI DSS compliance.

Implement Employee Standards and Security Awareness Training

Did you know that the most commonly used password is Password? Regardless of the size of your business or your industry, it’s critical that you implement policies around passwords that a.) Prevent sharing, b.) Eliminate default passwords, and c.) Require periodic password changes. Ensure that you or your IT group establishes role based access controls (i.e. Managers that require more access versus part-time employees that only need access to certain functional areas) and require complex passwords as well (i.e. letters, numbers and a symbol with minimum length).

It is also important that you establish policies around the handling of sensitive credit card data like regular shredding practices, not storing data that is not needed etc. Once those policies are established awareness training must be deployed across your entire employee base and conducted regularly to support any updates as well as educate new team members.

Secure Your Wi-Fi

While many businesses today provide complimentary Wi-Fi access for customers and patrons, it’s imperative that public Wi-Fi be segmented from internal systems. This will ensure that, even in the event of a compromise to the Wi-Fi, data is protected. And, you will want to make sure that you’re using compliant encryption methods, with no WEP. The same password policies as mentioned earlier should be applied with Wi-Fi as well.

Use PA-DSS Validated Software and Hardware

PA-DSS validated software uses secure transaction methods and encrypted storage to protect sensitive data. While not a requirement, selecting technologies that have tokenization reduces your scope for compliance and offers enhanced security. Encrypted card readers also enhance security, although they are not technically required.

Don’t Store Cardholder Data

Ensure that you’re using systems that don’t store any sensitive cardholder data. This will significantly reduce your risk in the event of a ‘smash and grab’ as even if your system is compromised, the hackers can only steal new data in transit. By not storing sensitive cardholder data on your point-of-sale (POS) system you significantly reduce the amount of work required for your PCI self-assessment questionnaire, bringing the number of questions required from 288 to 80. And, the questions eliminated are the more technical ‘tough’ questions.

Restrict Remote Access

Typically used for software and system support, remote access is another point of vulnerability – if not managed correctly. For remote access it’s important to a.) Require two factor authentication, b.) Provide role-based access, c.) Eliminate default passwords, d.) Limit access to required systems only and not entire networks, and e.) Activate password expirations and system inactivity or session lengths ‘timeouts’. If possible, it’s also best practice to use secure VPN for access and ensure that the action is initiated from the merchant outbound and not vice versa.

Criminal activity in POS and payment processing continues to rise and vulnerability is not based on geography, size or type of business. Any business that stores data is at risk so it’s becoming even more imperative for businesses of any size to employ basic security measures today to insulate themselves from unnecessary risk and achieve and maintain PCI DSS compliance.