Menu

How to Ensure Payment Data Security : Part 2

The Four Rings of Payment Data Security

 

Payment data breaches are on the rise, and criminals are going after point-of-sale systems and cardholder data, because it’s the lowest-hanging fruit and the easiest to access and monetize.  As we discussed during Part 1 of this series, there are process and procedures retailers can enact now to protect themselves. There are no silver bullets, so companies must take a holistic approach to security.

 

Ken Harris, general manager of global payments at NCR, calls his method the Four Rings of Data Payment Security (pictured). Retailers should always begin with the outer ring and work their way inside.

 

Physical Security: Cyber-attacks are often thought to occur only in the virtual realm, but the threat has a very real and physical risk, should hackers gain access to your system through unsecured devices such as an unlocked POS terminal with an exposed USB port.

 

Retailers should physically secure all of their technology, including the point-of-sale (POS), PIN pads, front-office servers and back office servers. This is the first line of defense. Some prevention tips:

 

  • Develop a robust incident response team to proactively detect threats and act quickly, as mentioned in Part 1 of this blog series

  • Provide digital access cards for each server room

  • Put all front-office and back-office PCs and servers in locked cages

  • Install closed-circuit TVs (CCTVs) system for all POS lanes and server rooms
     

Logical Security—Controlling network access is the single most important action retailers can take to prevent security breaches. This includes vigilant monitoring of firewalls, remote access and login credentials. Governing inbound and outbound data flow is imperative, and could prevent more than 95 percent of all system compromises. Some tips:

 

  • Make sure you have tight controls on who is monitoring network access logs

  • Also, monitor the IP addresses that your POS systems are calling. If they’re calling someone you don’t trust, then you have a problem

  • Lock down your firewall really tight, and only allow people and places that you trust and know

  • Remote access systems have shown vulnerabilities in recent attacks, so routinely check their access logs

  • Change passwords often, and don’t use common logon credentials. Two-factor authentication is recommended, especially for high-privileged users

  • Implement least privilege on users and applications
     

Software Security – Retailers then must focus on hardening the software on their front-office, back-office and POS systems. PCI PA-DSS is most effective in this security ring, offering protection against data tampering, DLL injection and memory scraping. Some tips:
 

  • Front-office, back-office and POS users should use the minimum privileges required to perform their jobs

  • Always use the latest operating system and anti-virus patches and updates

  • Block access to auto-start, file system explorer, run/command line, registry, start menu, task manager, restart/shutdown and right-click functions on each machine

  • Deploy an interface to your help desk, which should be the only legitimate interface allowed to access the file system, command line, task manager and registry
     

Data Security – The final step is for retailers to secure the data in their stores and at their headquarters. This innermost ring of protection should guard against unauthorized configuration data changes, as well as unnecessary exposure of cardholder data inside your systems’ RAM. Some prevention tips:

 

  • Lock down your configuration data

  • Consistently track registry data changes

  • Restore approved version if unapproved change is discovered
     

Remember, payment data security is of upmost importance in today’s era of evolving threats. If they can’t get into your system, then they can’t get your data. Be vigilant and proactive to stay out of the headlines!

 

If you’d like additional insight and analysis into payment data security, contact Ken Harris at Kenneth.harris@ncr.com.