Avoiding a Credit Card Data Breach: 5 Tips for Securing Your Data

The news of data breaches is a regular occurrence, raising concerns not only among consumers but among businesses that process credit cards. The Identity Theft Resource Center reports that there were 614 breaches in 2013, an increase of 30% from 2012. Of those breaches, approximately 15% exposed credit or debit card information. Included in that report are recognizable names like Target, Adobe, and Travelocity. Protecting your business from a data breach takes a comprehensive approach. You can avoid the biggest vulnerabilities (as identified by Visa) by achieving PCI compliance and by following these tips.

1. Make your passwords difficult to crack.

The systems that today’s cyber criminals use can easily crack most passwords that you create, especially if you make it easy for them. Using vendor-supplied default passwords, or repetitive and predictable patterns for creating passwords, leaves your organization extremely vulnerable to a breach. The Target data breach, for instance, was caused in part by a vendor-supplied default password that was never changed. Services like LastPass, KeePass, and AgileBits generate random passwords that are difficult to crack. You only need to create and remember one really strong master password, and the service creates and manages highly secure passwords for all of your websites and systems.

2. Don’t store credit card data, including CVV and Track Data.

Even if you are encrypting or tokenizing the actual credit card number, you don’t want to store CVV numbers or track data. The purpose of the CVV number is to prove that the cardholder has the card in hand; they should be able to give the CVV number to the retailer every time they place an order. Track data is the information on the magnetic stripe of a credit card. Make sure that CVV and track data aren’t held, even encrypted, in any logs or anywhere else in storage.

3. Maintain security patches.

Viruses and malware often enter systems at the application layer and secondarily through the operating system. Some of the most frequent breaches come in through Adobe Flash and Java, so you want to make sure your systems are always current with updates and security patches. If you are using applications or an operating system that is no longer being maintained and patched by the publisher, then your systems become extremely vulnerable. In April 2014, Microsoft ended support for Windows XP and no longer provides security patches for it, so all organizations using Windows XP should upgrade to a new operating system to remain PCI compliant.

4. Beware of SQL injections.

Have you heard of Little Bobby Tables? Little Bobby Tables is an xkcd cartoon that demonstrates how easily SQL injections can occur. SQL injections are database commands that are sneakily included in what should be normal user data. In the Little Bobby Tables cartoon, Bobby Tables’ name appears as Robert'); DROP TABLE Students; which is a SQL injection that caused the loss of all the student data at Bobby’s school. The solution to avoiding SQL injection attacks is to sanitize all of your data inputs.
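The cartoon's scenario reproduced in code, as an added example that is not part of the original post: an insert that splices the submitted name into the SQL text next to the hardened version that binds it as a parameter, which is the usual way to keep user data from being read as commands. The database, table and payload (the cartoon's full string, with its trailing comment) are constructed for the demo.

```python
import sqlite3

# Constructed sample payload: the full string from the xkcd cartoon. The
# trailing "--" turns the rest of the original statement into a comment.
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"

def make_db():
    """Create an in-memory database with a Students table and two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.executemany("INSERT INTO Students (name) VALUES (?)",
                     [("Alice",), ("Bob",)])
    conn.commit()
    return conn

def table_exists(conn):
    """True if the Students table is still present."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row is not None

def add_student_unsafe(conn, name):
    """Vulnerable: the user-supplied name is spliced into the SQL text.

    Python's sqlite3 execute() refuses more than one statement, so this uses
    executescript(), which behaves like database drivers that accept stacked
    statements. That is the condition under which the cartoon's payload works.
    """
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    conn.executescript(sql)

def add_student_safe(conn, name):
    """Hardened: a bound parameter keeps the name as data, never as SQL."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()

def demo(add_student):
    """Insert the payload with the given function; return (table exists, rows)."""
    conn = make_db()
    add_student(conn, BOBBY_TABLES)
    if not table_exists(conn):
        return (False, 0)
    count = conn.execute("SELECT COUNT(*) FROM Students").fetchone()[0]
    return (True, count)

if __name__ == "__main__":
    print("unsafe:", demo(add_student_unsafe))  # (False, 0): table dropped
    print("safe:  ", demo(add_student_safe))    # (True, 3): name stored as data
```

With the parameterized insert the whole string, quote and all, ends up as a third row's name; nothing in it is ever parsed as SQL.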

5. Eliminate servers and services that you don’t need.

When you purchase a server or a device like a wireless access point, it often comes with features activated that you don’t need. Every active feature makes the attack surface larger, and the goal is to have the smallest active attack surface possible. The more services you run on a server, the more vulnerable that server becomes. Only run the services that you actually have a business need for, in order to limit your exposure to an attack. Don’t just run the defaults.

Protecting credit card data requires a comprehensive plan and regular maintenance. Achieving and maintaining PCI compliance is a paramount step toward avoiding a credit card data breach. For more information on PCI compliance, visit https://www.pcisecuritystandards.org/. For information on PCI-validated credit card processing software for Microsoft Dynamics NAV, visit www.chargelogic.com.

Microsoft Dynamics NAV Partner Innovia Consulting

Innovia is a multiple-award-winning Microsoft Dynamics NAV and Business Central consulting firm known for delivering innovative Microsoft ERP systems while providing exceptional client-focused service. With five project teams and a dedicated support team, Innovia has the resources to handle all types of ERP projects.