Partner Article

Protecting your customer data

RAZA Sharif of Newcastle-based internet security firm Issertiv explains how your business can better protect its customer credit card data and avoid the possibility of a data loss or data breach.

Rank Your Risk Level: Four Simple Questions

1. Do you accept payment cards through a computer-based payment system?

2. Do you have multiple systems connected to your payment application, and do any of them have Internet access?

3. Do you use wireless Internet access at your business?

4. Does your business have an e-commerce component?

Gauge your risk for data fraud

Your risk exposure depends on the way you operate your business. If you answered “yes” to any of the questions above, it’s time to get smart about your company’s data security practices.

However, even if you answered “no” to all of these questions, your business may still be vulnerable to data thieves. Issertiv has developed a list of four key vulnerabilities that small businesses should be aware of to help minimize the risks of being exploited by fraudsters:

1. Storing sensitive card data

The chip on the front and the magnetic stripe on the back of payment cards contain two tracks of encoded payment data, also called “track data,” that could be used by thieves to create counterfeit cards and commit other forms of fraud. This sensitive cardholder data from the magnetic stripe is received by point-of-sale (POS) systems when you ‘swipe’ or ‘dip’ a payment card. POS systems often store this sensitive data after the card has been authorised, without the business owner’s knowledge. This storage is against Visa acceptance rules, and it will make your systems an attractive target for fraudsters.

Apply these simple steps today

In addition to complying with the card companies’ data security requirements, small-business owners should take precautions to safeguard all types of sensitive business and customer information. The steps below will help you maintain a secure operating environment and protect your customers’ credit card data.

STEP 1: Eliminate prohibited data

Check your point of sale (POS) systems. Small businesses that use commercially available POS systems or payment software should contact their payment software vendors to determine whether the systems they use store prohibited data after transaction authorisation.

Ask the vendor providing you with your POS or payment software (it may be a reseller or integrator) to confirm that your software version does not store magnetic stripe data, CVV2, PINs or encrypted PIN blocks. This software is often also referred to as the ‘payment application’. If it does store any of these, the data elements must be removed immediately, including any historical data that has been stored in an associated database or log files.

Ask your payment software vendor to share a list of files written by the application and a summary of the contents of those files to verify prohibited data is not stored.

Confirm with your payment processor that all cardholder data storage is necessary and appropriate for the transaction type.

Verify that your POS software version is not allowing storage of sensitive data after authorisation. Also verify that it provides strong password protection. Payment applications certified as compliant with the payment application data security standards are recognised by the industry as providing this level of security.

Minimise data storage - it is permissible to store the following data from the magnetic stripe where required:

• cardholder’s name

• primary account number

• expiration date.

These values, which should only be stored if needed, must be protected in accordance with the PCI DSS. Small businesses can limit the damage from a compromise by not storing magnetic stripe data, CVV2 and PIN blocks at all. If storage is truly needed, small businesses can decrease their risk by keeping the areas where cardholder data is stored to an absolute minimum, storing it for as little time as possible, and keeping close controls over who has access to the data. But the best advice is: if you don’t need it, don’t keep or store it!

STEP 2: Protect stored data

Encrypt or Truncate Your Data. Small businesses should evaluate whether they must retain full account numbers after a transaction has been authorised. In many cases, you may be able to fulfill business requirements on some or all of your systems by retaining only a truncated portion of the account number, such as the first six and last four digits. Small businesses that must electronically store full account numbers for business needs must render the account number unreadable through other means, such as encryption. Additionally, account numbers transmitted over public networks, such as the Internet or wireless, must be encrypted during transmission using technology such as SSL, set at an appropriately secure level.
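The two checks described in STEP 1 (verifying that the files your payment application writes contain no track data, CVV2 or full account numbers) and STEP 2 (retaining only the first six and last four digits) can be put into a small self-test. The script below is an added example and is not code from the article or from Issertiv; it scans constructed sample log lines for track 1 and track 2 layouts, for bare 13 to 19 digit runs that pass the Luhn checksum payment cards use, and for CVV2 values, and it reports each hit with a truncated account number rather than the full one. The log lines, the file format and the field names are assumptions made for the example; the account number used is the widely known Visa test number, not a real card.

```python
import re

# Constructed sample log lines, in the style a POS application might write
# (assumed format, not any vendor's real log). Line 2 holds track 2 data,
# line 3 a full PAN plus CVV2, line 4 a 16-digit order reference that is
# not a card number and fails the Luhn check.
SAMPLE_LOG_LINES = [
    "10:12:03 AUTH OK amount=19.99 ref=A1B2C3",
    "10:12:04 DEBUG raw=;4111111111111111=27121011234500000000?",
    "10:12:05 DEBUG pan=4111111111111111 exp=2712 cvv2=123",
    "10:13:00 AUTH OK amount=4.50 order=1234567890123456",
]

# Track 2: ';' PAN '=' YYMM service-code/discretionary data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\??")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM ...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")
# A bare run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# A CVV/CVV2 field with a 3 or 4 digit value.
CVV2_RE = re.compile(r"\bcvv2?\s*[=:]\s*\d{3,4}", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits; the middle digits are
    not retained and are replaced by a fixed filler so the value can still be
    matched against a receipt but cannot be used as a card number."""
    if len(pan) < 10:
        raise ValueError("PAN too short to truncate")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, truncated_pan) findings for one log line. Findings never
    carry the full PAN, so the report does not itself become another copy of
    prohibited data."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        findings.append(("track2", truncate_pan(m.group(1))))
    for m in TRACK1_RE.finditer(line):
        findings.append(("track1", truncate_pan(m.group(1))))
    # Bare PANs: only digit runs that also pass Luhn, and skip numbers already
    # reported as part of track data on this line.
    seen = {tpan for _, tpan in findings}
    for m in PAN_RE.finditer(line):
        cand = m.group(1)
        if luhn_valid(cand) and truncate_pan(cand) not in seen:
            findings.append(("pan", truncate_pan(cand)))
            seen.add(truncate_pan(cand))
    if CVV2_RE.search(line):
        findings.append(("cvv2", ""))
    return findings


def scan_log(lines) -> list:
    """Scan every line; return [(line_number, kind, truncated_pan), ...]."""
    report = []
    for no, line in enumerate(lines, start=1):
        for kind, tpan in scan_line(line):
            report.append((no, kind, tpan))
    return report


if __name__ == "__main__":
    for no, kind, tpan in scan_log(SAMPLE_LOG_LINES):
        print(f"line {no}: prohibited {kind} data found {tpan}")
```

Run it against the list of files your vendor says the application writes (STEP 1 asks for exactly that list); any hit means historical data needs removing and the software version needs checking. The Luhn filter is what stops order numbers, timestamps and similar digit runs from flooding the report, and reporting only the truncated form keeps the scan output itself within the STEP 2 rule.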

STEP 3: Secure the environment

Replace missing or outdated security patches. When it comes to applying security patches, speed is of the essence. Many vendors now offer automated alert services that provide prompt notification to their clients. Some vendors also provide automated patching mechanisms. If a patch cannot be applied immediately, other controls to reduce the risk should be implemented, and monitoring of all affected systems should be increased. Small businesses should establish software upgrade policies and procedures to ensure patches are reviewed and installed in a timely manner. Make sure that someone in your organisation is aware of, and responsible for, this activity.

Check your settings and passwords - your hardware and software products are likely to come packaged from vendors with preset passwords and settings. Any default or blank settings and passwords should be changed before the product is deployed, and any default settings should be modified immediately. Passwords should comply with current industry standards for storing passwords. Hackers make it their business to know all default passwords, so they offer no defence at all.

Prevent employee fraud scams. Your business policies should be designed to prevent fraud scams involving collusive employees. As part of this, physical access to information, whether it resides in a computer or a file drawer, should be restricted. Only those employees with a business need should be permitted access. Whenever possible, account numbers should be encrypted during the processing of a transaction. Electronic equipment—such as personal laptop computers—that can be used to steal or replicate account information should not be allowed in the workplace without your previous consent, and if allowed, should be controlled closely to prevent company-owned payment data from being stolen or otherwise tampered with.

This was posted in Bdaily's Members' News section by Ruth Mitchell .
