The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations. This paper will discuss those deficiencies and provide some general guidance to overcome them. Examples from Visa, MasterCard, American Express, Discover, and JCB.
Whitepaper January 2010
Five PCI Securit y Deficiencies
of Retail Merchants and Restaurants The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations
by Brad Cyprus, SSCP - Senior Security Architect, Vendor Safe Technologies
Five PCI Security Deficiencies
of Retail Merchants and Restaurants The five major credit card brands, Visa, MasterCard, American Express, Discover, and JCB, joined forces in 2004 to create the Payment Card Industry Data Security Standard (PCI). Its sole purpose is to help merchants build a security program that meets the requirements expected by the card brands. Since then, businesses have been scrambling to make their systems PCI compliant. Many have made great strides in making credit card transactions more secure. However, five common shortcomings often throw the PCI compliance efforts of brick-and-mortar restaurants and retailers off track. This paper will discuss those deficiencies and provide some general guidance to overcome them. Insecure Remote Access
1 Without Two Factor Authentication
Remote access is the process by which someone who is not physically located at a computer uses electronic means to make a connection to that computer. A common example would be a restaurant chain's regional manager in a hotel room accessing reporting data online from a server in another physical location. In most cases, the remote access either connects to the data, as in a remote login to a server, or it initiates a session which in essence emulates direct access to the remote computer's keyboard and mouse. Inevitably, when a credit card breach story makes the news, somewhere in the details, unauthorized remote access was part of the issue. The problem for retailers is that remote access is usually necessary from both an operational perspective and for efficient system support. Modern Point of Sale (POS) software has reporting capability that is useful to operators in measuring the performance of a given location. Accessing those reports off site increases the speed at which the data is obtained, and in the case of a multi-unit franchise, a single person can remotely analyze the business metrics for the entire organization without ever leaving the home or corporate office. Furthermore, software support and training can happen as needed without sending technicians onsite. Support staff can remotely take over a computer and perform their duties without the delay or expenses associated with travel. Savvy businesses rely on this technology to improve their operations.
Vendor Safe Technologies www.vendorsafe.com Whitepaper: Five PCI Deficiencies of Retail Merchants and Restaurants The problem associated with remote access is that electronic data thieves make their living by penetrating networks that have this technology enabled. Businesses are moving their electronic communications to the Internet, and that includes remote connectivity. Hackers have numerous techniques to circumvent security measures. If they can communicate directly to a POS server that stores credit card data, it is only a matter of time before they will be able to breach the location and steal card information. Recognizing these vulnerabilities, PCI requirements include several measures for securing remote communication. Requirement 1.2 and 1.3 of the PCI standard prohibit untrusted networks or unnecessary communication to the cardholder environment. This is to limit the external connections that are allowed into an environment that accepts credit cards. In addition, requirement 8.3 of the standard demands that two-factor authentication is implemented for all remote access to the POS network. Meeting PCI standards can be daunting for In short, two-factor authentication can merchants with limited technical capabilities, be thought of as something a user but it is critical for running a secure business.
knows and something the user has that will conclusively validate the identity of the person logging into the network. Usually, the part that a user knows, the first factor, is a username and password. Without the second factor, if that information was ever compromised, someone else could use those credentials to log in. The second factor guarantees that someone accessing the network is actually who t... [download for more]
