In case you haven't heard, franchises hold a place of honor in the world of data thieves. In fact, chains are the favorite target of hackers trying to steal payment card information. The most recent figures from Visa indicate that up to 97 percent of data compromises are suffered by smaller merchants and "specifically franchisees"--particularly those in the restaurant, clothing, sporting goods, and hotel industries.
The reason so many attacks are mounted against franchise operations is simple: a hacker who can penetrate one franchisee's computer systems can frequently infiltrate the entire network with little extra effort. Having this kind of "master key" to a larger enterprise is far more efficient--and lucrative--than trying to attack scores of smaller companies that have fewer cards to pilfer, as well as disparate security systems to break and enter.
Franchise systems at risk
A 2008 security breach at a major hotel chain illustrates the payoff for a franchise system breach. In that case, after hackers penetrated one hotel's computer system, they were able to access information from more than three dozen other properties through the chain's computer network. Not only were guest names, card numbers, and expiration dates theirs for the taking, but so was the magnetic stripe data that made the information even more valuable on the black market because it provided the ability to replicate the physical credit card for each stolen data set.
This franchisee-first attack is a common scenario. Frequently, the first successful breach occurs at a franchise location and then spreads to the corporate network. Visa is so concerned about the number of attacks directed at franchises that it has created special rules to address the franchise environment. Recently, for example, Visa expanded its security requirements to include the integrators and value-added resellers (VARs) who supply payment-processing hardware and related services to franchisors and franchisees.
For these corporate franchise servicers, as well as franchisors and their franchisees, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not only the best defense against card fraud, it is also mandatory. Adhering to PCI controls and processes will help plug the security holes that allow criminals to pocket your customers' card data--or even your own.
Cracking the code
For a determined hacker, there are multiple roads to successfully bypassing a merchant's perimeter security. Attacks can be launched against the organization's computer network, point-of-sale (POS) software, or the POS terminals themselves. Within each of these categories, data thieves can exploit a variety of security weaknesses.
In the first six months of 2010, for example, four attacks out of 10 involved unauthorized users gaining remote access to computer systems because of issues such as weak or missing password protection. In a franchise business, that kind of problem is typically tied to the remote management applications used to push business downloads, poll sales data, and/or manage inventory across a franchise community.
Nonexistent or improperly configured firewalls (the equivalent of leaving a store physically unlocked after business hours) and unencrypted credit card data stored by the organization are other danger zones. So are oversights such as a failure to segregate day-to-day business and Internet traffic from payment data (leaving the entire network open to an attacker once they're in the door), and a failure to replace the vendor-supplied default passwords that come with POS systems and other network devices with complex, individualized passwords.
The PCI cure
The PCI DSS prescribes detailed safeguards in each of these areas and many more, providing a road map for keeping card data off-limits to interlopers. The rules require merchants to follow procedures such as:
- Configuring firewalls to deny all traffic from untrusted networks and hosts, blocking a key entry point that cyber-criminals use to access payment systems.
- Using two means of identification to authenticate remote users to the network--including a device such as a token, smart card, or biometric--to prevent hackers from using a password alone to gain network access.
- Changing vendor-supplied default settings on firewalls and other network devices to eliminate easily guessed passwords such as "1234" and "admin."
- Encrypting transmission of cardholder data across public networks, so that any intercepted data cannot be interpreted.
- Using and regularly updating antivirus software to reduce the risk that card-stealing malware (for example, keyloggers that record each keystroke) is installed on servers and other vulnerable systems.
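The first bullet above, together with the segregation point made earlier, amounts to one design rule: the cardholder data environment (CDE) sits behind a first-match policy that ends in an explicit deny-all, and nothing outside it gets an "allow any port" path in. The following Python policy lint is an added example written for this article, not a tool from Visa, the PCI Security Standards Council, or the author. The zone names (internet, guest_wifi, corp, mgmt, cde), the rule shape, and both rulesets are constructed for illustration; they are not taken from any real merchant network. It evaluates a flow against a ruleset the way a first-match firewall would, then audits the ruleset for the two mistakes the article calls out: a flat network with an "allow everything" catch-all, and no deny-all at the end.

```python
"""Firewall policy lint for a segmented merchant network.

Added example for illustration only. Zone names, rule format and the
two sample rulesets are constructed, not taken from a real deployment.
"""
from dataclasses import dataclass
from typing import List

ANY = "any"
CDE = "cde"                                  # cardholder data environment
UNTRUSTED = {"internet", "guest_wifi", "corp"}   # zones with no business in the CDE


@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or ANY
    dst: str      # destination zone, or ANY
    port: str     # destination TCP port as a string, or ANY
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: str


def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src in (ANY, flow.src)
            and rule.dst in (ANY, flow.dst)
            and rule.port in (ANY, flow.port))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow that matches nothing fails closed."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.action
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Flag rules that expose the CDE to untrusted zones or the Internet."""
    findings = []
    if not rules or rules[-1] != Rule(ANY, ANY, ANY, "deny"):
        findings.append("no explicit deny-all as the final rule")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src_untrusted = r.src == ANY or r.src in UNTRUSTED
        dst_cde = r.dst in (ANY, CDE)
        if src_untrusted and dst_cde and r.port == ANY:
            findings.append(
                f"rule {i}: allows any port from untrusted zone '{r.src}' to '{r.dst}'")
        elif r.src in (ANY, "internet") and dst_cde:
            findings.append(
                f"rule {i}: allows inbound from the Internet to '{r.dst}' on port {r.port}")
    return findings


# Constructed "flat store network": POS traffic is allowed out, then
# a catch-all permits everything else, including guest Wi-Fi into the CDE.
WEAK = [
    Rule(CDE, "internet", "443", "allow"),   # POS to payment processor
    Rule(ANY, ANY, ANY, "allow"),            # everything else open
]

# Constructed corrected policy: only the POS-to-processor path and a
# single management host may touch the CDE; everything else is denied.
CORRECTED = [
    Rule(CDE, "internet", "443", "allow"),   # POS to payment processor over TLS
    Rule("mgmt", CDE, "22", "allow"),        # jump host for remote administration
    Rule(ANY, ANY, ANY, "deny"),             # explicit deny-all
]


if __name__ == "__main__":
    probe = Flow("guest_wifi", CDE, "5900")  # VNC from guest Wi-Fi into the POS LAN
    for name, rules in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, "->", evaluate(rules, probe), audit(rules))
```

Running the block prints that the guest Wi-Fi probe is allowed by the weak policy and denied by the corrected one, and that the weak ruleset draws two findings (the open catch-all and the missing final deny) while the corrected ruleset draws none. The same evaluate-then-audit pattern extends to whatever zones a real site has; the point is that "deny all from untrusted" is a property you can check mechanically, not just a line in a policy document.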
While full compliance with the PCI DSS list of requirements should be a cornerstone of your compromise prevention strategy, Visa has also recommended a variety of other policies and procedures to thwart data theft--including strategies that are specific to franchises.
For one thing, Visa requires merchants to use third-party payment application software that is compliant with the Payment Application Data Security Standard (PA-DSS) created by the PCI Security Standards Council as a complement to PCI DSS. To meet PA-DSS requirements, payment applications must adhere to a list of protections, including a prohibition against storing full magnetic stripe, PIN, or other sensitive authentication data. (A list of approved POS payment applications is at www.pcisecuritystandards.org/security_standards/vpa/.)
On the franchise front, in June 2010, Visa issued the corporate franchise servicer rules mentioned above to cover card payment processors and other network service providers that previously had escaped PCI DSS oversight. The new rules not only require PCI DSS compliance by the service providers themselves, but also make acquirers responsible for ensuring compliance with these and other regulations. Fulfilling these new mandates presents a number of challenges, including determining the identity of the service providers used by franchisees.
In addition, Visa has advised franchisors to adopt other protective measures, such as amending franchisee contracts to include having a data security policy consistent with PCI DSS, and expanding training programs to incorporate data security and PCI DSS rules.
Help is available
With franchises in the crosshairs of data thieves and the risk that a data breach will lead to regulatory fines as well as reputation damage, it is essential for franchise organizations to be aggressive in ensuring data security. Your PCI vendor can help you sort through the requirements as well as perform an external vulnerability assessment scan that can identify security weaknesses in your systems and procedures that may be exploited by hackers to pilfer customers' cardholder data.
Be sure you're not the next company grabbing headlines for letting customer cardholder data slip through your fingers.
David Ellis is Director of Forensics Investigations for SecurityMetrics, a leading provider of PCI DSS security solutions, based in Orem, Utah. Contact him at firstname.lastname@example.org or 801-724-9600.