
The Green Sheet Online Edition

August 11, 2014  •  Issue 14:08:01


Top five security aspects to require of your portfolio

By Chris Taylor

Many business owners struggle to tackle the behemoth that is data security. Merchants are in business to sell tires, style hair and bake wedding cakes – not to become information technology (IT) experts. However, with the various compliance and security mandates required of small businesses, sometimes security feels like a full-time job.

You know the 80/20 rule, which states 80 percent of revenue comes from 20 percent of the customers? Well, data security has something like a 95/5 rule – 95 percent of compromises arise from 5 percent of the security vulnerabilities. So when the small-business owners who are big on motivation but small on resources ask how they can get the most bang for their security buck, here are the top five areas we tell them to focus on.

1. Firewalls

For many business owners, firewall configuration might as well be nuclear physics or brain surgery. Like I said before, merchants start businesses to make money, not to become IT experts. However, in this day and age, a working understanding of IT security is required for those who accept and process payments to adequately protect sensitive payment card data. That means being firewall-proficient.

Firewalls act like stoplights: they can let traffic straight into your network (green light), conditionally let traffic into your network (yellow light) or deny network access altogether (red light). A collection of rules allows your firewall to determine who gets in and who gets blocked. Because each business's card-processing environment is unique, a business should never rely on the default rules that come with a firewall.

Rules must be carefully managed and reviewed regularly (every six months is recommended). It is a Payment Card Industry Data Security Standard (PCI DSS) requirement and a good security practice to maintain a backup of your firewall rules. That way, if a recent change to your firewall configuration has a negative effect, it will be easy to quickly revert to the previous rule set.
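The review-and-backup practice above, as an added example that is not part of the article or a SecurityMetrics tool: a small Python script that diffs a live rule set against the saved backup and flags inbound "green light" rules that admit any source. Both rule sets are constructed in iptables-save format; the port and address values are illustrative.

```python
"""Review a firewall rule set as the article recommends: keep a backup,
diff the live rules against it so a bad change is easy to revert, and
flag inbound ACCEPT rules that let anyone on the Internet in.
Added example; the rule text is constructed, not from a real network."""
import re

# Constructed backup saved before the change.
BACKUP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed live rule set after someone opened a port "just to test".
LIVE = BACKUP.replace("COMMIT", "-A INPUT -p tcp --dport 3389 -j ACCEPT\nCOMMIT")


def parse_rules(text):
    """Return only the -A rule lines; policies, counters and COMMIT are ignored."""
    return [line.strip() for line in text.splitlines() if line.startswith("-A ")]


def diff_rules(backup_text, live_text):
    """Rules added since the backup, and rules that disappeared from it."""
    old, new = set(parse_rules(backup_text)), set(parse_rules(live_text))
    return sorted(new - old), sorted(old - new)


def permissive_rules(text):
    """Inbound ACCEPT rules with no -s source restriction and no conntrack
    state match: these admit any host on the Internet to the port."""
    flagged = []
    for rule in parse_rules(text):
        if not rule.startswith("-A INPUT") or "-j ACCEPT" not in rule:
            continue
        if re.search(r"\s-s\s", rule) or "--ctstate" in rule:
            continue
        flagged.append(rule)
    return flagged


if __name__ == "__main__":
    added, removed = diff_rules(BACKUP, LIVE)
    print("added since backup:", added)
    print("removed since backup:", removed)
    print("open-to-anyone rules:", permissive_rules(LIVE))
```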

2. System updates

You know those notifications that keep popping up, saying a new update is available? It turns out those are actually a big deal.

Technology companies constantly update programs to fix bugs, enhance features and even protect against current threats. These updates – while critically important – are often overlooked by users. Be sure to stay on top of the security updates for Windows, anti-virus solutions and any other software you run, such as Acrobat Reader or Java.

Ultimately, maintaining an up-to-date operating system not only helps your computer run smoothly, but it also protects against viruses, bugs and other electronic threats.

3. Properly configured payment application

Improperly configured payment applications can lead to a number of significant issues for business owners. A common misconfiguration would be putting a system that stores cardholder data in a network location that has access to the Internet – or including your POS system in the same virtual local area network as other office computers.

Misconfiguration can lead to unintentional storage of customer payment card data, which is against the PCI DSS. After systems are configured properly, card data discovery tools are available that can be used to search computer systems for accidentally stored card data.
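The card data discovery step above, as an added example that is not the article's or SecurityMetrics' tool: a minimal Python scanner that finds digit runs shaped like primary account numbers (PANs), keeps only those that pass the Luhn check, and reports them masked so the report never stores full card numbers. The sample files and the card numbers in them are constructed (standard test numbers), and the in-memory file map stands in for walking a disk.

```python
"""Minimal card data discovery check of the kind the article describes:
find PAN-shaped digit runs, keep those that pass Luhn, report them masked.
Added example, not SecurityMetrics' tool; sample files are constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    # First six and last four may be displayed under PCI DSS; hide the rest.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Masked PANs in text; Luhn filters out order numbers and the like."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask(digits))
    return found


def scan_files(files):
    """files maps path -> contents, a constructed stand-in for a disk walk."""
    report = {}
    for path, contents in files.items():
        hits = find_pans(contents)
        if hits:
            report[path] = hits
    return report


# Constructed samples: a POS debug log that leaked a test PAN, an invoice
# holding only an order number, and a customer export with a card column.
SAMPLE_FILES = {
    "pos/debug.log": "auth req pan=4111 1111 1111 1111 exp=1219 amt=42.00\n",
    "docs/invoice.txt": "Order 1234567890123 shipped 2014-08-11\n",
    "export/customers.csv": "id,card\n7,5500000000000004\n",
}
```

Running `scan_files(SAMPLE_FILES)` reports the debug log and the export but not the invoice, whose 13-digit order number fails the Luhn check.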

Improperly configured payment applications can quickly become a nightmare for business owners and a dream for hackers. If you aren't tech-savvy, it may be in your best interest to hire an IT professional to help you get set up.

Another key component of payment application security is proper network segmentation. An isolated payment network, sectioned off by a firewall, is essential to payment data security. Be sure to limit Internet access on the payment network as well – remove browsers and email clients if they aren't imperative to business operations.

4. Strong passwords

123456. monkey. iloveyou. admin. If I just cracked your password, stop reading right now and change it immediately.

Poor password management continues to be a major source of compromise. Convenience often supersedes security, and users create passwords that are quick, easy to remember and extremely hackable.

Here are a few tips to ensure proper password protection:

Remember, passwords are like toothbrushes: they aren't to be shared, and you need to change them often.

5. Wireless security

Remember the network segmentation discussion from this article's payment application section? Well, that lesson applies to this section as well.

Just like oil and water don't mix, neither do a POS wireless network and a guest network. To maintain security, segment the POS network away from the rest of your wireless networks.

Passwords are another important aspect of Wi-Fi security. The strongest commonly used wireless encryption is WPA2. WPA and WEP encryption are outdated and easily cracked. Use WPA2, and follow the PCI DSS Requirement 8 password requirements when setting up your Wi-Fi password.

For extra security, don't broadcast your wireless network name (SSID). This isn't a foolproof method for Wi-Fi security (the name is still visible to anyone running a wireless scanning tool), but it helps you avoid being conspicuous – especially to those looking for an easy target.

Prioritization is key

In a perfect world, merchants would have a comprehensive and devoted approach to data security. However, in the imperfect world we live in, sometimes a targeted (or at least prioritized) approach is necessary. By focusing on these five risk areas first, merchants can get the biggest security bang for their buck and protect against a majority of the most common security attacks today.

Chris Taylor is the Channel Marketing Manager at SecurityMetrics, and oversees all partner and channel marketing programs. He can be reached at ctaylor@securitymetrics.com. For more information about SecurityMetrics, visit www.securitymetrics.com.
