PCI pitfalls for retailers
Businesses that process, transmit or store cardholder data must implement security controls as defined by the latest PCI DSS standard.
The following are the nine common PCI DSS compliance pitfalls that many retailers fall into and tips to avoid them.
1. Faulty firewall installation or configuration
Many DIY projects are easy; properly configuring a firewall is not one of them. According to WatchGuard research, a majority of small business security breaches are the result of improperly configured firewalls.
Best practice: Use security certified technicians or trained resellers to ensure firewall configurations are proper and up to date; regularly audit firewall configurations as people and IT resources constantly change.
2. Relying on vendor supplied defaults for system passwords
Not only is it critical to change vendor supplied default passwords, be sure to use something other than “password” as a password. According to a recently published research report, the most common passwords are: 1) password, 2) 123456, 3) 12345678, 4) qwerty, 5) abc123, 6) monkey, 7) 1234567, 8) letmein, 9) trustno1, and 10) dragon.
Best practice: Change vendor settings and utilize strong passwords.
3. Failing to utilize IPS to protect stored cardholder data
There are multiple ways to help protect stored cardholder data. One key technology that is often overlooked is IPS (intrusion prevention systems). IPS is to hackers as anti-virus is to viruses. IPS keeps hackers out and helps cardholder data stay safe.
Best practice: Make sure intrusion prevention systems (IPS) are up and running.
4. Not encrypting transmission of cardholder data across open, public networks
Encryption is a key component to PCI DSS compliance. A common problem occurs in the transmission of credit card data, which is often done in unencrypted email.
Best practice: Use encryption everywhere, and especially in email systems where any type of sensitive information may be transmitted.
5. Failing to use and regularly update anti-virus software or programs
Unlike desktop/endpoint anti-virus (AV), gateway anti-virus stops threats right at the entry point of a network. Using gateway AV adds an additional layer of defense at the primary point of attack, and because it functions at the gateway, users see no degradation of performance on their local computer.
Best practice: Use gateway AV in addition to endpoint AV for maximum defense in depth.
6. Not maintaining secure systems and applications
Many businesses do a good job at maintaining secure systems, however what is often overlooked in today’s social media business world is application security. Most firewalls are incapable of distinguishing a web application from a website. Because of this, crafty cyber-crooks create web applications as a way to sneak past the firewall and steal cardholder data.
Best practice: To gain control over web applications, businesses utilize the latest generation of UTMs and firewalls that include application control.
7. Providing access to cardholder data to those who do not need to know
About 80 percent of security violations happen from within an organization. In order to reduce that figure, businesses should use the “least privilege rule,” which parallels the same concept of “need to know.” Users should be granted the minimum necessary permissions and privileges that are required for them to accomplish their jobs. When employees have access to data that they should not, bad things often result.
Best practice: Use RBAC (role based access controls), separation of duties and other forms of “least privilege” to make sure data is restricted to those who absolutely must have access to it.
8. Forgetting to track and monitor all access to network resources and cardholder data
Unfortunately, many businesses take a “fire and forget” approach to network security; once the firewall is set, they forget to check the reports. Many security breaches can me mitigated early on simply by checking reports and logs on a regular basis.
Best practice: Establish a routine of checking logs and reports to spot trouble before it blossoms into headline security news.
9. Not having an information security policy
In order to meet PCI compliance, businesses must create an information security policy that is up to date, and that addresses the security requirements as proscribed by PCI DSS. This should also include operational security, system usage, security management and other related policies.
Best practice: Get IT, HR and other business stakeholders to regularly review information security policies.