The Green Sheet Online Edition

July 27, 2015  •  Issue 15:07:02


Help merchants reduce third-party remote access threats

By Gary Glover

Remote access makes doing business extremely convenient for merchants. Yet with this ease comes vulnerability. Insecure remote access is the number one attack pathway used by hackers today. Keep reading if you're concerned about your portfolio's security.

With an Internet connection and remote access technology, small business owners and their third parties can easily access the business network from anywhere. However, insecure remote access gives hackers a pathway to compromise organization networks and access credit card data.

Remember Target Corp.'s massive data compromise in 2013? That incident reportedly began when a hacker accessed one of Target's systems via a remote access account belonging to an HVAC company. Thus, hackers gained a foothold on an internal system and then leapfrogged to other systems inside the retailer's network. This resulted in the theft of 40 million consumers' credit and debit card data and affected over 70 million people.

How do hackers do it?

Many businesses open their networks to vendors for a streamlined process, better service and improved support. Few implement security policies and procedures governing third-party access. In the majority of recent hacking cases, specific businesses weren't necessarily targeted; the hackers likely scanned the Internet for vulnerable remote access systems and then attempted to compromise them.

If not properly secured, remote access allows attackers to bypass firewalls and most other system security measures and remotely access the POS or other systems in the payment environment. It's simply that easy for hackers, especially because the rules that tend to be in place for employees using remote access aren't always applied to external parties.

Merchant recommendations

Your merchants are using remote access technologies. It's up to you to ensure they are educated to manage this tool securely. Here are five best practices you can recommend to your merchants to encourage remote access security:

  1. Limit those who can access the system remotely. Only provide remote access to those whose jobs require it. Don't share remote access credentials, and ensure everyone has a unique username and password.
  2. Don't use default remote access passwords. Many remote access systems come pre-installed with a default password easily found online. Not changing a default remote access password just makes a hacker's job easier.
  3. Require two-factor authentication. Using a single factor (a password) makes it easy for attackers to gain access. A two-factor authentication process greatly reduces the risk of a successful attack. (Note: user IDs are not considered a factor of authentication.)
  4. Keep firewalls up to date. This will help ensure inbound rules provide adequate protection.
  5. Train employees. Periodically review data security practices to ensure employees protect sensitive data.

Remote access is here to stay. Security-wise, if merchants wish to continue to use remote access and remain Payment Card Industry Data Security Standard compliant, they have some work to do.
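Part of that work can be checked mechanically: practices 1 through 3 map directly onto a list of who holds remote access, employees and third parties alike. The Python audit below is an added example, not part of the original article or any SecurityMetrics tool; the inventory column names and sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (assumed column names): one row per person
# allowed to log in remotely. A real export will use different fields.
SAMPLE_INVENTORY = """\
username,person,organization,job_requires_access,password_changed_from_default,two_factor
posadmin,Alice Ng,Merchant,yes,yes,yes
posadmin,Bob Ruiz,Merchant,yes,yes,yes
hvac-support,Vendor Tech,HVAC Vendor,yes,no,no
cashier7,Dana Lee,Merchant,no,yes,yes
it-remote,Sam Park,POS Vendor,yes,yes,yes
"""


def audit(inventory_csv):
    """Return a sorted list of (username, finding) tuples."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    findings = set()

    # Practice 1: unique credentials, so one username maps to one person.
    people = defaultdict(set)
    for row in rows:
        people[row["username"]].add(row["person"])
    for username, names in people.items():
        if len(names) > 1:
            findings.add((username, "shared by %d people" % len(names)))

    for row in rows:
        user = row["username"]
        # Practice 1: remote access only where the job requires it.
        if row["job_requires_access"] != "yes":
            findings.add((user, "remote access not required by job"))
        # Practice 2: the pre-installed default password is still in place.
        if row["password_changed_from_default"] != "yes":
            findings.add((user, "default password not changed"))
        # Practice 3: a password alone is a single factor.
        if row["two_factor"] != "yes":
            findings.add((user, "two-factor authentication not required"))
    return sorted(findings)


if __name__ == "__main__":
    for username, finding in audit(SAMPLE_INVENTORY):
        print(f"{username}: {finding}")
```

Because vendor and employee rows pass through the same checks, the report shows where external parties are held to weaker rules than staff.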

Gary Glover (CISSP, CISA, QSA, PA-QSA) is the Director of Security Assessment at SecurityMetrics. Gary has worked in the IT security industry as a QSA for over 10 years. For more information about SecurityMetrics, visit

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
