If I know anything about franchisees, it's that they have lists for everything, from daily kitchen cleaning practices to employee entrance procedures. In the spirit of checklists, I've specified seven basic payment security elements on which to build an in-house vulnerability management program and avoid fines that may result from Payment Card Industry (PCI) Data Security Standard (DSS) non-compliance.
1) Create employee policies for handling card data. Business security often fails from a lack of security policies that regulate employee interaction with sensitive data. Remember Sony's embarrassing compromise in 2011 that put 25 million users and 20,000 credit card numbers at risk? The right employee policy, in combination with some simple security fundamentals, would have easily prevented worldwide humiliation.
A good example of a card handling policy includes: "Credit card numbers and cardholder data may not be emailed, faxed, or sent via any electronic messaging technology such as instant message or chat."
Remember to require policy documentation signatures annually, and consistently enforce the policy. Many PCI vendors offer general security templates you can use to create a customized policy for employee training and secure payment processing.
2) Update software. Software vendors regularly release updates that patch security holes. Security is the number-one reason to keep every system on the latest version of its software. You must regularly install updates on Internet browsers, firewalls, application software, POS terminals, and operating systems to close the holes hackers could squeeze through.
3) Use an ASV with up-to-date scanning engines. Vulnerability scans are automated, affordable, high-level tests that identify exploitable network weaknesses and are conducted by a company with PCI Approved Scanning Vendor (ASV) accreditation. However, not all ASVs are created equal. Shop around for an ASV who regularly updates their scanning engines and tests for at least 50,000 vulnerabilities. Criminals search for new weaknesses every day, and if scanning engines aren't updated regularly, criminals may be able to exploit your system.
4) Regular vulnerability remediation. Vulnerability scanning isn't just about locating and reporting vulnerabilities; it's also about establishing a repeatable and reliable process for assessing their remediation month after month. After a scan completes, it is crucial to fix any located vulnerabilities on a prioritized basis. SecurityMetrics' vulnerability support team recommends prioritizing based on risk and effort required. Continue running scans until the scan returns clean. Your PCI vendor or IT director can assist further in your vulnerability remediation. As an added bonus, vulnerability management is a concrete way to prove the return on investment for mitigating business risk and managing security compliance.
5) Change default passwords. I am constantly surprised how common this problem is in both small and enterprise businesses. Most technology systems come preset with default passwords such as "admin" or "1234," and because all systems use the same password, it's easy for a cyber criminal to gain access. When new systems are implemented, you must immediately change default passwords, and require each administrator to use a unique password.
In addition, it's important to use strong passwords. If you have a difficult time remembering passwords, I suggest a "pass phrase." They are extremely difficult to crack, but very easy to remember. Think of a memorable phrase, and then take the first letter from each word to create a new password. Here is an example: "My dog Kibbles has 16 teeth & loves 2 eat Steak" becomes "MdKh16t&l2eS." This complex, 12-character password is complete with all the aspects of a secure password: letters, numbers, capitalization, and special characters.
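To make the passphrase rule and the password traits from points 5 and 6 concrete, here is an added example (not from the column or from SecurityMetrics) that derives a password from a phrase the way the text describes and checks it for the four listed traits; the 12-character length floor and the function names are my own assumptions.

```python
import string


def phrase_to_password(phrase: str) -> str:
    """Keep the first letter of each word; numbers and symbols are kept whole.

    This is the rule the column applies to its own example phrase.
    """
    parts = []
    for word in phrase.split():
        if word[0].isalpha():
            parts.append(word[0])   # "Kibbles" -> "K"
        else:
            parts.append(word)      # "16" and "&" are copied unchanged
    return "".join(parts)


def password_checks(pw: str, min_len: int = 12) -> dict:
    """Return one flag per trait: letters, capitalization, numbers, special characters.

    min_len is an assumed floor matching the column's 12-character example.
    """
    return {
        "length": len(pw) >= min_len,
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def is_strong(pw: str) -> bool:
    """True only when every check passes; vendor defaults like 'admin' or '1234' fail."""
    return all(password_checks(pw).values())


if __name__ == "__main__":
    phrase = "My dog Kibbles has 16 teeth & loves 2 eat Steak"
    pw = phrase_to_password(phrase)
    print(pw, is_strong(pw))
    for default in ("admin", "1234"):
        print(default, password_checks(default))
```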
6) Encourage your IT team to become QIR certified. One of the most common outcries we hear from breached businesses is, "But our IT guys said we were secure!" You depend on service providers to install, configure, and maintain your applications, but how can you be sure they are implementing the technology with correct security principles in place? The PCI Council's Qualified Integrators and Resellers (QIR) program trains third parties to implement best practices when maintaining payment systems. Encourage your third-party technology provider to become QIR-certified, or you may have to find an IT company that makes security a priority.
7) Remove stored, unencrypted card data. The scariest trend we see in our work is that 71 percent of businesses store unencrypted payment card data, which is 100 percent against PCI security standards. To check if your business is among the 71 percent, download a card data discovery tool such as SecurityMetrics PANscan. A card data discovery tool checks your network for anything that resembles card information so you can identify where it came from, securely delete it, and patch its source. Using a tool like this will greatly reduce your effort and decrease the chance of card data theft.
Joe Durfey is a manager of strategic accounts at SecurityMetrics and can be reached at firstname.lastname@example.org or 801-995-6387.