The Green Sheet Online Edition
August 11, 2014 • Issue 14:08:01
Top five security aspects to require of your portfolio
Many business owners struggle to tackle the behemoth that is data security. Merchants are in business to sell tires, style hair and bake wedding cakes – not to become information technology (IT) experts. However, with the various compliance and security mandates required of small businesses, sometimes security feels like a full-time job.
You know the 80/20 rule, which states 80 percent of revenue comes from 20 percent of the customers? Well, data security has something like a 95/5 rule – 95 percent of compromises arise from 5 percent of the security vulnerabilities. So when the small-business owners who are big on motivation but small on resources ask how they can get the most bang for their security buck, here are the top five areas we tell them to focus on.
For many business owners, firewall configuration might as well be nuclear physics or brain surgery. Like I said before, merchants start businesses to make money, not to become IT experts. However, in this day and age, a working understanding of IT security is required for those who accept and process payments to adequately protect sensitive payment card data. That means being firewall-proficient.
Firewalls act like stoplights: they can let traffic straight into your network (green light), conditionally let traffic into your network (yellow light) or deny network access altogether (red light). A collection of rules allows your firewall to determine who gets in and who gets blocked. Because each business's card-processing environment is unique, a business should never rely on the default rules that come with a firewall.
Rules must be carefully managed and reviewed regularly (every six months is recommended). It is a Payment Card Industry Data Security Standard (PCI DSS) requirement and a good security practice to maintain a backup of your firewall rules. That way, if a recent change to your firewall configuration has a negative effect, it will be easy to quickly revert to the previous rule set.
2. System updates
You know those notifications that keep popping up, saying a new update is available? It turns out those are actually a big deal.
Technology companies constantly update programs to fix bugs, enhance features and even protect against current threats. These updates – while critically important – are often overlooked by users. Be sure to stay on top of the security updates for Windows, anti-virus solutions and any software you are running like Acrobat Reader or Java.
Ultimately, maintaining an up-to-date operating system not only helps your computer run smoothly, but it also protects against viruses, bugs and other electronic threats.
3. Properly configured payment application
Improperly configured payment applications can lead to a number of significant issues for business owners. A common misconfiguration would be putting a system that stores cardholder data in a network location that has access to the Internet – or including your POS system in the same virtual local area network as other office computers.
Misconfiguration can lead to unintentional storage of customer payment card data, which is against the PCI DSS. After systems are configured properly, card data discovery tools are available that can be used to search computer systems for accidentally stored card data.
Improperly configured payment applications can quickly become a nightmare for business owners and a dream for hackers. If you aren't tech-savvy, it may be in your best interest to hire an IT professional to help you get set up.
Another key component of payment application security is proper network segmentation. An isolated payment network, sectioned off by a firewall, is essential to payment data security. Be sure to limit Internet access on the payment network as well – remove browsers and email clients if they aren't imperative to business operations.
4. Strong passwords
123456. monkey. iloveyou. admin. If I just cracked your password, stop reading right now and change it immediately.
Poor password management continues to be a major source of compromise. Convenience often supersedes security, and users create passwords that are quick, easy to remember and extremely hackable.
Here are a few tips to ensure proper password protection:
- Passwords are to be created, not given. Never rely on a default system password. Everyone who has ever set up a Windows system or a wireless router knows the default passwords provided by the vendor. If you don't change them, you're the world's oyster.
- It's not a secret if everyone knows it. Ensure that each system user has a unique login and password.
- Don't let them go stale. Change your passwords at least every three months. Be sure to use new password combinations and not just switch back-and-forth between two (you know who you are).
- Make sure everyone knows the rules. Maintain strict password policies and periodically share them with your staff. This ensures employees are aware and practicing safe password practices.
Remember, passwords are like toothbrushes: they aren't to be shared, and you need to change them often.
5. Wireless security
Remember the network segmentation discussion from this article's payment application section? Well, that lesson applies to this section as well.
Just like oil and water don't mix, neither do a POS wireless network and a guest network. To maintain security, segment the POS network away from the rest of your wireless networks.
Passwords are another important aspect of Wi-Fi security. The strongest commonly used wireless encryption is WPA2. WPA and WEP encryption are outdated and easily cracked. Use WPA2, and follow PCI Section 8 password requirements when setting up your Wi-Fi password.
For extra security, don't broadcast your wireless network name (SSID). While this action isn't a foolproof method for Wi-Fi security, it'll help you avoid being conspicuous – especially to those looking for an easy target.
Prioritization is key
In a perfect world, merchants would have a comprehensive and devoted approach to data security. However, in the imperfect world we live in, sometimes a targeted (or at least prioritized) approach is necessary. By focusing on these five risk areas first, merchants can get the biggest security bang for their buck and protect against a majority of the most common security attacks today.
Chris Taylor is the Channel Marketing Manager at SecurityMetrics, and oversees all partner and channel marketing programs. He can be reached at firstname.lastname@example.org. For more information about SecurityMetrics, visit www.securitymetrics.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.