Since aligning merchant levels with Visa, MasterCard has recently rescinded its requirement from earlier in the year that directed PCI DSS compliance assessments be performed only by a Qualified Security Assessor (QSA). Level 2 merchants are still expected to successfully complete an annual Self-Assessment Questionnaire (SAQ), but effective June 30, 2011 they must also complete an annual accreditation program that includes merchant training. At their own discretion, merchants can choose to complete an annual onsite assessment conducted by a QSA instead of a SAQ.
Although MasterCard’s initial decision was frowned upon by merchants, experts note that the dropped on-site assessment requirement is a step backward for the card brand in regards to pushing PCI compliance. Level 2 merchants will save money with the revised requirement, but ultimately some are at greater risk because of limited knowledge of the PCI DSS. Self-Assessments need to be completed by individuals that have a core understanding of the PCI regulations. Hopefully the accreditation program will better equip merchants with that knowledge.
Another year is days away – we are all in a mad scramble to wrap up the year and prepare for the next. Making a plan for 2010, figuring out how much money to spend, and what to spend it on can seem like a blind game of darts. In the past year we have experienced many changes involving business, the economy, and the market. Looking ahead we must invest our time and money into things that will sustain and secure our business. Although many wish to avoid it, PCI compliance should be at the top of the list.
One thing that has been clear in the realm of PCI compliance is that it is NOT going away. We have seen elevated legislative activity, more breaches, accelerated validation, and the imminent new version of the DSS.
This bit of clarity lends itself to establish one clear goal for 2010: TIME TO FOCUS. Many merchants are still in a “wait and see” mode. This type of approach in the end only creates more cost and increases risk. I have seen many merchants facing large fines due to non-compliance, forcing swift implementation of technology all because they failed to act. This last-minute approach certainly calls into question the quality and sustainability of compliance in the organization over the long run. Is all the activity actually improving security, or is it about avoiding fines?
The history we have paints a clear picture for the future, so the “wait and see” time is over. Depending on the complexity of your organization, you can set a four-month goal to reach PCI compliance. Let me list a few high-level items:
Get executive level buy-in and commission the initiative
Do a gap-analysis, look at the DSS (not an SAQ) and figure out what is lacking – Focus on the right thing to do, not the easiest
Evaluate vendors for products and services – look for vendors that actually facilitate security, not just push the validation paper around. Outsourcing to a trusted vendor often reduces implementation times and lowers costs. There is something to be said for specialization.
Communicate – get the team together, this is the new way of operation for your organization, so you must start now to shape the culture.
Set a deadline – setting a goal for you, your organization, and your vendors makes for a united front.
Is this over-simplification? Maybe, but the concept is solid – it is about resources and attention. PCI compliance is achievable and sustainable if we treat it like any priority. It might feel like the taste of broccoli when we were 5, but we quickly learn it isn’t so bad. So for 2010, why not hurry up and eat your vegetables before you’re left at the table?
In the Food Industry almost all Point of Sale (POS) systems have the need to access systems remotely for service/update purposes. Unfortunately, these same POS vendors and resellers have not paid much attention to the PCI Data Security Standard (DSS). Rather, the focus has traditionally been around the Payment Application Certification or PA-DSS, which primarily deals with means of encryption to send cardholder data over the internet. Going into 2010, this certification is mandatory.
This specific breach of Radiant’s system could have been prevented in so many ways. It is not for me to say who is responsible, but rather to point out what went wrong and provide action steps on how to prevent this from ever occurring again.
The DSS is very specific about remote access and access control. Many of the requirements are dedicated to these specific areas and identify exactly what is REQUIRED.
Multi-factor Remote Access – This is a system that uses multiple factors in conjunction with each other in order to authenticate. Using more than one factor generally delivers a higher level of authentication assurance. Multi-factor authentication is typically a sign-on process where a person proves his or her identity with two of the three methods: “something you know”, “something you have” or “something you are”. You cannot use the same method twice.
Most remote access tools are not equipped to provide such means of authentication and rely on traditional user IDs and passwords, as mentioned in the article. Unfortunately, when common IDs and passwords are shared, it leads to mass vulnerabilities. It’s important for merchants, and especially brands, to monitor this access and be sure they are using a method of multi-factor access. An example of this would be when authentication is conducted on a per-user basis: a person must enter an ID and password to receive a 5-digit random code, which is then sent via email or SMS text to the user for final authentication. In addition, there is an option to have a phone call upon authentication which provides the code as well. Lastly, there are smartcards, tokens or keys that can be required for final authentication as well.
Using any of these methods certainly would have mitigated the risk of this breach from occurring.
Strong Access Control – Having the ability to assign each user their own account is key to assuring security while using remote access. Anyone having access to a remote system is required to have their own account and multi-factor authentication. Equally important is the ability to properly administer this access and have a complete reporting tool showing when and which user is authenticated. The SecureConnect® tool, for example, provides a visual dashboard of all users and their history. This is particularly important for forensic purposes as well, in case a breach were to occur.
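To make the two points above concrete (a second factor delivered out of band, one account per person, and a record of who authenticated and when), here is an added example of a two-step remote-access login. It is illustrative code written for this page, not SecureConnect’s product or any vendor’s implementation; the user store, the SMS/email delivery and the clock are all simulated in memory so it runs offline.

```python
"""Two-factor remote-access login with per-user accounts and an audit trail.

Added example, not SecureConnect's code. Assumptions: users are stored in
memory, the one-time code "delivery" is an in-memory outbox standing in for
SMS/email, and `now` is passed in explicitly so expiry can be exercised.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field


def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored credential is not the cleartext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    contact: str  # where the one-time code is delivered (phone number / e-mail)


@dataclass
class AuthService:
    users: dict = field(default_factory=dict)       # username -> User (no shared IDs)
    pending: dict = field(default_factory=dict)     # username -> (code, expires_at)
    audit_log: list = field(default_factory=list)   # (timestamp, username, event)
    deliveries: list = field(default_factory=list)  # simulated SMS/e-mail outbox
    code_ttl: int = 300                             # seconds a delivered code stays valid

    def add_user(self, username, password, contact):
        """Every person gets their own account; a duplicate name is refused."""
        if username in self.users:
            raise ValueError("usernames must be unique: no shared accounts")
        salt, pw_hash = hash_password(password)
        self.users[username] = User(username, salt, pw_hash, contact)

    def _log(self, username, event, now):
        self.audit_log.append((now, username, event))

    def start_login(self, username, password, now=None):
        """Factor 1: something you know. On success, send factor 2 out of band."""
        now = now if now is not None else time.time()
        user = self.users.get(username)
        if user is None:
            self._log(username, "unknown user", now)
            return False
        _, candidate = hash_password(password, user.salt)
        if not hmac.compare_digest(candidate, user.pw_hash):
            self._log(username, "bad password", now)
            return False
        code = f"{secrets.randbelow(100_000):05d}"      # 5-digit random code
        self.pending[username] = (code, now + self.code_ttl)
        self.deliveries.append((user.contact, code))    # stands in for SMS/e-mail send
        self._log(username, "password ok, code sent", now)
        return True

    def finish_login(self, username, code, now=None):
        """Factor 2: something you have (the phone or mailbox the code went to)."""
        now = now if now is not None else time.time()
        entry = self.pending.get(username)
        if entry is None:
            self._log(username, "no pending code", now)
            return False
        expected, expires_at = entry
        if now > expires_at:
            del self.pending[username]
            self._log(username, "code expired", now)
            return False
        if not hmac.compare_digest(expected, code):
            self._log(username, "bad code", now)
            return False
        del self.pending[username]                      # codes are single use
        self._log(username, "login success", now)
        return True


if __name__ == "__main__":
    svc = AuthService()
    svc.add_user("alice", "correct horse", "+1-555-0100")   # constructed sample user
    svc.start_login("alice", "correct horse")
    _, code = svc.deliveries[-1]                              # read the "SMS"
    print("login:", svc.finish_login("alice", code))
    for ts, who, event in svc.audit_log:                      # the reporting trail
        print(f"{ts:.0f} {who}: {event}")
```

Every outcome, including failures, lands in `audit_log`, which is the per-user history a dashboard or a forensic review would draw on. Note that the code is single use and time-limited, so a code that leaks after the session is established is worthless.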
Beyond this, there were other issues internally regarding the storage of data within these POS systems, however none of it could have been accessed if the proper remote access technologies were implemented.
Again, it is not my position to say who is responsible in this particular case, however as a business owner and/or franchisor it’s important to work with all parties including the vendors to be sure the proper technologies are in place to prevent such a breach.
DVR camera systems have quickly become a standard for many owner/operators in the restaurant industry. The reason here is two-fold. From a security aspect, operators are able to capture malicious activity from both employees and patrons. Second is the owner’s ability to remotely monitor traffic at any time. The value is significant, allowing owner/operators to better manage their restaurant(s) out of the office.
The challenge however, is integrating DVR technology into the store environment from a security and PCI Compliance perspective.
Most of these systems require remote access into the store to view these cameras and generally require specific open port access, which creates several problems from a security standpoint. Not only does this pose a vulnerability to the network by having these ports open, it more than likely will fail a vulnerability scan that most acquirers require for validation of compliance. Additionally, it is REQUIRED that any remote access to a network has multi-factor authentication, including access to these same cameras. Most DVR systems do not have this.
So what is the solution in order to integrate such a system? Depending on the type of DVR system, most can be accessed through a Virtual Private Network (VPN) such as the one SecureConnect® provides. The best solution, however, is to keep the DVR completely separate from the primary store network. This generally requires a separate broadband connection dedicated to the DVR to ensure complete security. A more challenging scenario is when DVRs are integrated within the Point of Sale (POS) Software and can be accessed on a transaction level. For those systems it becomes even more difficult because network segmentation is not an option. Again, the only solution under this scenario is to utilize a VPN like SecureConnect®.
Some new DVR manufacturers are now providing the capability of hosting the playback on an outside server. These systems cover all aspects of PCI compliance because they never require remote access to the stores nor do they require open port access. Instead, DVR systems merely “push” content to the server. Many times under this scenario there is a simple web based interface to see the playback content.
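The three integration patterns above reduce to three questions about a store network: is the DVR on the same segment as the POS, is any port open to the internet, and does each remote path require multi-factor authentication? As an added example (not SecureConnect code or any scanner’s logic), the small review below answers those questions for a network described in a constructed, hypothetical format: a dictionary of subnets, a list of hosts with roles, and a list of remote-access paths.

```python
"""Review a store network description for the DVR integration problems
described above. Added example; the Host/RemoteAccess record format and the
sample stores are constructed for illustration, not taken from any product."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Host(NamedTuple):
    name: str
    ip: str
    role: str  # "pos", "dvr", "office", ...


class RemoteAccess(NamedTuple):
    """One way into the store network from outside."""
    dst_host: str
    port: int
    via: str    # "internet" (open port / port-forward) or "vpn"
    mfa: bool   # does this path require multi-factor authentication?


def review_store(subnets, hosts, access):
    """Return a list of findings; an empty list means nothing was flagged."""
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    by_name = {h.name: h for h in hosts}

    def subnet_of(host):
        addr = ip_address(host.ip)
        return next((n for n, net in nets.items() if addr in net), None)

    findings = []
    # 1. Segmentation: a DVR on the POS subnet is inside the cardholder environment.
    pos_subnets = {subnet_of(h) for h in hosts if h.role == "pos"}
    for h in hosts:
        if h.role == "dvr" and subnet_of(h) in pos_subnets:
            findings.append(f"{h.name}: DVR sits on POS subnet '{subnet_of(h)}'; "
                            "segment it or give it its own connection")
    # 2./3. Exposure and authentication of every remote path.
    for a in access:
        if a.dst_host not in by_name:
            findings.append(f"{a.dst_host}: access rule points at an unknown host")
            continue
        if a.via == "internet":
            findings.append(f"{a.dst_host}: port {a.port} open to the internet; "
                            "expect an external vulnerability scan to fail")
        if not a.mfa:
            findings.append(f"{a.dst_host}: remote access on port {a.port} "
                            "without multi-factor authentication")
    return findings


# Constructed sample stores (hypothetical addresses and ports).
SUBNETS = {"pos": "192.168.10.0/24", "cameras": "192.168.20.0/24"}

# Typical problem case: DVR on the POS LAN with a port forwarded from the internet.
FLAT_STORE = ([Host("pos1", "192.168.10.5", "pos"), Host("dvr", "192.168.10.50", "dvr")],
              [RemoteAccess("dvr", 8000, "internet", False)])

# DVR on its own segment, reachable only through a VPN that requires MFA.
VPN_STORE = ([Host("pos1", "192.168.10.5", "pos"), Host("dvr", "192.168.20.50", "dvr")],
             [RemoteAccess("dvr", 8000, "vpn", True)])

# "Push" model: the DVR uploads to an outside server, so there is no inbound path.
PUSH_STORE = ([Host("pos1", "192.168.10.5", "pos"), Host("dvr", "192.168.20.50", "dvr")], [])


if __name__ == "__main__":
    for label, (hosts, access) in [("flat", FLAT_STORE), ("vpn", VPN_STORE), ("push", PUSH_STORE)]:
        print(label, review_store(SUBNETS, hosts, access) or "no findings")
```

The flat store produces three findings (shared subnet, open port, no MFA), while both the VPN design and the push design come back clean, which is exactly the difference the text draws between the three approaches.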
Please contact SecureConnect® if you are unsure how to identify which system you are utilizing and how to correctly integrate it within your restaurant environment.
When you place a takeout order, what happens to your credit card number when the employee writes it down? An independent audit of 100 of the top restaurant chains in the U.S. revealed that 80 percent of those chains have at least one unit putting customers’ identities at risk of theft. As part of a study, GoMobo.com evaluated the actions restaurant employees take when accepting takeout orders. Employees offering to write down a credit card number violate PCI regulations.
“The PCI Risk Rating Study found that a number of restaurants are in violation of PCI regulations. The violations involve employees who write down credit card numbers given to them from customers ordering over the phone.” – Sam Oches, QSR Magazine