The Four Rings of Payment Data Security
Payment data breaches are on the rise, and criminals are going after point-of-sale systems and cardholder data because they are the lowest-hanging fruit: the easiest to access and the easiest to monetize. As we discussed in Part 1 of this series, there are processes and procedures retailers can enact now to protect themselves. There are no silver bullets, so companies must take a holistic approach to security.
Ken Harris, general manager of global payments at NCR, calls his method the Four Rings of Data Payment Security (pictured). Retailers should always begin with the outer ring and work their way inside.
Physical Security: Cyber-attacks are often thought to occur only in the virtual realm, but the threat has a very real and physical risk, should hackers gain access to your system through unsecured devices such as an unlocked POS terminal with an exposed USB port.
Retailers should physically secure all of their technology, including the point-of-sale (POS), PIN pads, front-office servers and back office servers. This is the first line of defense. Some prevention tips:
Logical Security: Controlling network access is the single most important action retailers can take to prevent security breaches. This includes vigilant monitoring of firewalls, remote access and login credentials. Governing inbound and outbound data flow is imperative, and could prevent more than 95 percent of all system compromises. Some tips:
Software Security: Retailers then must focus on hardening the software on their front-office, back-office and POS systems. PCI PA-DSS is most effective in this security ring, offering protection against data tampering, DLL injection and memory scraping. Some tips:
Data Security: The final step is for retailers to secure the data in their stores and at their headquarters. This innermost ring of protection should guard against unauthorized configuration data changes, as well as unnecessary exposure of cardholder data inside your systems’ RAM. Some prevention tips:
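One way to put "governing outbound data flow" into practice on a POS segment, as an added example that is not part of the original article or of NCR's own tooling: a small Python audit that checks every outbound connection the firewall permitted against an explicit egress allow-list and reports anything else, so a terminal talking to an unexpected host (even on port 443) shows up immediately. The log format, addresses and allow-list entries are constructed for the example.

```python
"""Audit permitted outbound POS connections against an egress allow-list."""
import ipaddress
import re

# Constructed allow-list (hypothetical): the only destinations a POS
# terminal is expected to reach. Anything else that gets through is a finding.
EGRESS_ALLOW = [
    ("192.0.2.0/24", 443),    # payment processor gateway (constructed, TEST-NET-1)
    ("10.10.5.10/32", 8443),  # store front-office server (constructed)
]

# Constructed firewall log format:
#   <timestamp> src=<ip> dst=<ip> dport=<port> action=<ALLOW|DENY>
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def is_permitted(dst: str, dport: int) -> bool:
    """True if (dst, dport) matches an allow-list entry; both host and port must match."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) and dport == port
               for net, port in EGRESS_ALLOW)


def audit(lines):
    """Return (src, dst, dport) for flows the firewall ALLOWED that are not on the allow-list.

    Flows the firewall already DENIED are not findings: the control worked.
    Lines that do not match the expected format are skipped.
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if action == "ALLOW" and not is_permitted(dst, dport):
            findings.append((src, dst, dport))
    return findings


# Constructed sample log: two legitimate flows, one unknown host, one wrong
# port to a known host, one flow the firewall already denied, one junk line.
SAMPLE_LOG = [
    "2024-01-05T10:00:01 src=10.10.20.15 dst=192.0.2.44 dport=443 action=ALLOW",
    "2024-01-05T10:00:07 src=10.10.20.15 dst=10.10.5.10 dport=8443 action=ALLOW",
    "2024-01-05T10:00:09 src=10.10.20.16 dst=198.51.100.7 dport=443 action=ALLOW",
    "2024-01-05T10:00:11 src=10.10.20.15 dst=192.0.2.44 dport=80 action=ALLOW",
    "2024-01-05T10:00:12 src=10.10.20.16 dst=203.0.113.9 dport=53 action=DENY",
    "firewall restarted",
]

if __name__ == "__main__":
    for src, dst, dport in audit(SAMPLE_LOG):
        print(f"ALERT: {src} reached {dst}:{dport} outside the egress allow-list")
```

Feeding the script real firewall exports turns the "vigilant monitoring" the article calls for into a repeatable check, and the same allow-list is the spec for the firewall's default-deny outbound rules.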
Remember, payment data security is of utmost importance in today’s era of evolving threats. If they can’t get into your system, then they can’t get your data. Be vigilant and proactive to stay out of the headlines!
If you’d like additional insight and analysis into payment data security, contact Ken Harris at Kenneth.firstname.lastname@example.org.