by Todd Mortenson
January 27, 2012 2:00PM
Earlier this week, Symantec warned all of its users to stop using its pcAnywhere software due to security breaches. If you currently use pcAnywhere, we strongly urge you to disable the software.
On January 25, 2012, Symantec issued a statement that their remote access product pcAnywhere is potentially vulnerable to attack due to an external security breach.
Symantec is recommending users disable their pcAnywhere software until all known vulnerabilities have been patched and resolved. If pcAnywhere is critical for business functions and cannot be disabled, Symantec has advised customers to be sure they are running the latest version of pcAnywhere (12.5) and that all systems are current with the most recent patches and updates available.
We strongly recommend disabling pcAnywhere on any computers or devices until Symantec has provided a new version of the software that addresses these security risks. Failing to do so will increase the risk of a security breach, especially if the software is used over the public, unencrypted internet.
For more specific information regarding the announcement, please visit the links below:
Symantec Security Recommendation PDF
Ars Technica article
BBC article
PC World article
by admin
January 25, 2012 9:30AM
Becoming PCI compliant can be a very confusing and complicated process. So, let’s take some time to clarify some of the common misconceptions surrounding PCI compliance, making it easier and more understandable. A key thing to realize: no matter how much we wish it weren’t the case, there is no simple one-step solution to PCI compliance. There are numerous requirements your business needs to meet in order to be compliant. Here are some ways to help you achieve it!
1. Understand your responsibility in meeting the 12 requirements at all times!
The PCI DSS is a collection of 12 mandatory guidelines that help you manage your business and keep payment card data safe and secure. Because information security is an active and dynamic part of your business operations, there are various requirements that need to be addressed daily, monthly, quarterly and yearly. At the end of the day, these requirements were created to protect businesses and their customers by minimizing risk of a breach. Additionally, they help to ensure consumer confidence, preserve store owner longevity and maintain brand integrity.
by Paul Newell
January 20, 2012 9:30AM
Based on the credit card breaches we saw in 2011, it is becoming clear that a merchant’s POS system and payment application software are the primary attack vectors for criminals worldwide who are trying to steal credit card information.
Look at the recent discovery of 150 compromised Subway POS systems that resulted from a logging application being installed. The breach, dating back to 2008, has led to 80,000 customers being impacted for a total of around $3 million. Another company, Smart Mart, disclosed that they recently discovered 23 self-service checkout terminals had been compromised, leading to over 80 employees and customers having their credit card information possibly compromised.
These two examples remind us that there were a number of things that could have been done to stop the Bad Guys but were not. Here are a few areas where they fell short:
by Dave Gavic
January 17, 2012 2:00PM
Now that you know what a SAQ is, and all of the different SAQs that are available for you to self-validate, let’s take a look at the 12 requirements that define the Self-Assessment Questionnaire. Keep in mind that there are five different SAQs that a merchant can fill out based on the way the merchant processes, transmits or stores cardholder data (CHD). There are a variety of questions you need to answer for each SAQ that are specific to these requirements; however, not every SAQ has questions under all of the 12 requirements. Here is how it breaks down:
Build and Maintain a Secure Network
Protect Cardholder Data
by Kristyan Mjolsnes
January 11, 2012 11:00AM
Anyone who uses a debit or credit card is susceptible to having their credit card information stolen. From a restaurant owner’s perspective, not only are your customers at risk when they use credit cards at your establishment, but you are also at risk when you use your card at other businesses.
It is estimated that a data breach at the foodservice wholesaler, Restaurant Depot, compromised the credit card information of up to one million of its customers. Yes, MILLION. Of those million customers, all are business owners and predominantly restaurant owners. On the company’s website they describe themselves as being in business purely to supply the needs of the food service industry. The Restaurant Depot, which also owns the Jetro Cash and Carry chain, has 81 locations nationwide, all of which were breached in the incident.