The article content is provided with our sponsor, Bank of America Merchant Services.
The cost of data breaches is high.
Recently, it has been difficult to avoid news of major data breaches occurring among large, well-known businesses. In total, businesses lose an estimated $150 billion annually due to data and identity theft.¹ Today, only 25% of IT professionals feel that their organizations are highly resistant to cyberattacks.² Small businesses may not feel they are vulnerable – but they are at just as much risk as large merchants.
The best way to prevent a cybersecurity attack is to educate yourself and your employees about what can be done now to help protect payment data from compromise.
Any size data breach may have negative security and reputational implications. Following a data breach, 31% of customers said they terminated their relationship with the business.³
Help is here.
All card-accepting merchants must comply with the applicable PCI DSS requirements to help protect cardholder account information from data compromise. However, PCI DSS doesn’t protect you from all possible security threats.
Be sure that your associates exercise the best practices below, in addition to meeting PCI DSS requirements. These 10 guidelines can help minimize the chance of a data breach. And remember, skipping just one could put your organization at risk.
1. Manage passwords carefully
Use strong password management software so that only authorized personnel have access to your network and systems. Be sure to include procedures for removing access from individuals who no longer require access to your systems.
2. Change default passwords
Before using a new point-of-sale (POS) device, be sure to change the default username and password. Criminals can easily find a list of default passwords for each provider or manufacturer. Incorporate uppercase letters, numbers and symbols in your password, and avoid trivial or common passwords that would be easy to guess. Other default security settings on the device should be changed in the same way.
3. Use two-factor authentication
Use two-factor authentication everywhere someone has remote access to your environment (including all service providers). Two-factor authentication combines something the user knows (e.g., a username and password) with something the user has (e.g., a soft or hard token). Two-factor authentication should be incorporated throughout your organization's systems, not just your POS environment.
4. Configure firewalls properly
Implement strict inbound and outbound filtering on the firewall. The firewall configuration should limit access into and out of your systems to the individuals or IP addresses that have to do business with you. A default-deny rule for both inbound and outbound traffic is the most secure approach. Many firewalls ship with a default-allow policy because a default-deny setup is harder to configure and maintain.
5. No browsing on POS systems
Do not allow associates to browse the Internet on any POS system. This also applies to any device that connects to the POS environment. An associate could click a malicious link online that downloads malware or viruses.
6. Increase the security of remote access
Secure remote access applications and enable two-factor authentication as required by the PCI DSS. Remote access to systems should be available only on demand, not turned on at all times. If your POS vendor requires remote access to upgrade your systems, ask when they will perform the upgrade so your company can allow remote access from a known IP address for just that timeframe.
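Guidelines 4 and 6 describe one policy: default-deny in both directions, with narrow allow rules for the parties you do business with and a time-bounded allow rule for a vendor's known IP address. The following is an added example, not code from the original article or from any firewall product, of a small Python policy evaluator that models that policy and shows how the same traffic is treated under default-deny versus default-allow. The processor network, vendor IP, ports and maintenance window are constructed values from the documentation address ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    direction: str                          # "in" (into the POS network) or "out"
    remote: str                             # CIDR of the remote party
    port: Optional[int]                     # destination port, None = any port
    action: str                             # "allow" or "deny"
    not_before: Optional[datetime] = None   # rule is active only inside this window
    not_after: Optional[datetime] = None

    def matches(self, direction: str, remote_ip: str, port: int, now: datetime) -> bool:
        if self.direction != direction:
            return False
        if ip_address(remote_ip) not in ip_network(self.remote):
            return False
        if self.port is not None and self.port != port:
            return False
        if self.not_before is not None and now < self.not_before:
            return False
        if self.not_after is not None and now > self.not_after:
            return False
        return True


def evaluate(rules: List[Rule], default_action: str, direction: str,
             remote_ip: str, port: int, now: datetime) -> str:
    """First matching rule wins; traffic that matches no rule gets the default action."""
    for rule in rules:
        if rule.matches(direction, remote_ip, port, now):
            return rule.action
    return default_action


def pos_rules(processor_net: str, vendor_ip: str,
              window_start: datetime, window_end: datetime) -> List[Rule]:
    """Allow list for a POS segment: HTTPS to the processor, SSH from the vendor
    only during the agreed upgrade window. Everything else falls to the default."""
    return [
        Rule("out", processor_net, 443, "allow"),
        Rule("in", vendor_ip + "/32", 22, "allow", window_start, window_end),
    ]


def demo() -> dict:
    """Evaluate representative traffic under default-deny and default-allow."""
    window_start = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)   # constructed
    window_end = datetime(2024, 3, 1, 4, 0, tzinfo=timezone.utc)
    in_window = datetime(2024, 3, 1, 3, 0, tzinfo=timezone.utc)
    after_window = datetime(2024, 3, 1, 5, 0, tzinfo=timezone.utc)
    # 198.51.100.0/24, 203.0.113.10 and 192.0.2.55 are documentation addresses.
    rules = pos_rules("198.51.100.0/24", "203.0.113.10", window_start, window_end)
    return {
        "vendor_ssh_in_window": evaluate(rules, "deny", "in", "203.0.113.10", 22, in_window),
        "vendor_ssh_after_window": evaluate(rules, "deny", "in", "203.0.113.10", 22, after_window),
        "other_ip_ssh_in_window": evaluate(rules, "deny", "in", "192.0.2.55", 22, in_window),
        "processor_https_out": evaluate(rules, "deny", "out", "198.51.100.7", 443, in_window),
        "web_browsing_default_deny": evaluate(rules, "deny", "out", "192.0.2.55", 80, in_window),
        "web_browsing_default_allow": evaluate(rules, "allow", "out", "192.0.2.55", 80, in_window),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

The last two entries make the point of guideline 4 concrete: with a default-allow policy, an outbound HTTP connection from a POS terminal to an arbitrary address sails through, which is exactly the path malware uses to fetch payloads or exfiltrate card data; under default-deny it is blocked unless someone deliberately added a rule for it.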
7. Keep anti-virus software updated
In addition to using anti-virus software, ensure that the anti-virus software on your POS systems is up to date with the latest signature files. Signature files are crucial: they enable anti-virus software to detect and remove new malware and viruses.
8. Keep POS software updated
Update POS software applications using the latest versions and software application patches. POS systems, just like computers, are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis.
9. Prevent phishing
Do not allow associates to click on links in emails. The links could download harmful malware or viruses to a computer. Also ensure that your associates know whom to alert at your organization when suspicious emails are received.
10. Enable encryption and tokenization
Consider implementing point-to-point or end-to-end encryption, as well as a tokenization solution. Encryption protects cardholder data from the point of entry and while it is in transit. Tokenization replaces cardholder data with a randomly generated value, or "token." The token can be stored on your system with less worry, since it does not reveal the cardholder data and is of no use to criminals.
Use encryption and tokenization together so that cardholder data is not stored anywhere in your systems, in case criminals do gain access to steal information. Using both precautions may also reduce your PCI DSS scope.
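To show what "replaces cardholder data with a random token" means in practice, here is an added example, not code from the original article or from any tokenization provider, of a tokenization flow in Python. A stand-in token vault (in a real deployment this lives with the payment processor, outside the merchant's systems) issues an unguessable token for a card number; the merchant's order record stores only the token and a masked display value, and only the vault can map a token back to the card. The card number used is the well-known Visa test number 4111111111111111 and the order data is constructed; the point-to-point encryption of the card number on its way to the vault is out of scope for this example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test, applied before tokenizing so junk input is rejected."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, which PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for a provider-hosted tokenization service (constructed for this example).

    Tokens are random, so nothing about the card can be derived from them. A keyed
    hash of the PAN is used only as an index so the same card maps to the same token.
    """

    def __init__(self):
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = "tok_" + secrets.token_hex(16)      # 128 bits of randomness
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can recover the PAN; the merchant never calls this for storage."""
        return self._pan_by_token[token]


def store_order(vault: TokenVault, order_db: dict, order_id: str,
                pan: str, amount_cents: int) -> dict:
    """Merchant-side: exchange the PAN for a token at the point of entry, keep only the token."""
    record = {
        "order_id": order_id,
        "amount_cents": amount_cents,
        "card_token": vault.tokenize(pan),
        "card_display": mask_pan(pan),
    }
    order_db[order_id] = record
    return record


def record_contains_pan(record: dict, pan: str) -> bool:
    """Audit helper: does any stored field leak the full card number?"""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    orders = {}
    rec = store_order(vault, orders, "ORD-1001", "4111111111111111", 2599)  # constructed order
    print("stored record:", rec)
    print("full PAN in record?", record_contains_pan(rec, "4111111111111111"))
    print("vault can recover:", vault.detokenize(rec["card_token"]))
```

Because the merchant database holds only `card_token` and the masked value, a criminal who copies it gets nothing usable for fraud, and the systems that store it may fall outside PCI DSS scope; the vault, which does hold card numbers, is the part that must be protected to the full standard.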
¹ McAfee, "The Economic Impact of Cybercrime and Cyber Espionage", 2013. http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf
² Fortune, "3 out of 4 organizations admit they aren't 'resilient' to cyberattacks", September 2015. http://fortune.com/2015/09/18/schneier-cyber-resilience
³ First Data, "Small Businesses: The Cost of a Data Breach Is Higher Than You Think", 2015. https://www.firstdata.com/downloads/thought-leadership/Small_Businesses_Cost_of_a_Data_Breach_Article.pdf
To learn more about data breaches and how they affect your business, visit http://merch.bankofamerica.com or contact a Bank of America Merchant Services business consultant.