7 Security Questions to Ask Your POS Installer

Don’t let a sloppy job ruin your business security.

Brand Barney, Security Analyst
By: Brand Barney
Point of sale (POS) companies, while very skilled at installing systems, are generally not well versed in security. This can lead to very poor maintenance. If you hire someone to set up your POS systems, there are a few key questions you should ask your installer.

Why is this so important? 

My colleague in forensic investigations recently investigated a case where a sloppy POS installation was to blame for 28 independent restaurant breaches.

Here’s how it was discovered.

A waitress began to enter a customer purchase at a POS terminal when she saw the cursor moving by itself on the screen. She told her manager who, very astutely, pulled the network cable and called his processing bank to let them know he believed their systems had been breached.

Here's how it happened.

Turns out, 28 restaurants in the same regional area were breached in a similar timeframe with the only commonality being their POS vendor. There were a variety of POS vendor errors in this particular case, but the one that enabled the attacker to compromise 28 other restaurants was an abandoned installation file containing a partial client list, their IP addresses, and credentials. Why this was included in the installation files, I have no idea. Talk about poor security practices.

SEE ALSO: Plug and Play POS, Can It Ever Be Secure?

Here’s the lesson. Some POS vendors don’t understand security basics. When you consider hiring companies to set up a POS environment, there should be an interview process.

Here are 7 simple questions to ask your POS vendors.
Hopefully these questions will help you distinguish the POS disasters from the vendors who truly care about your security.

1) Can I set my own username and password?

If a vendor provides POS credentials and won’t allow you to change them, there’s your first red flag. If I were gambling here (which I wouldn’t advise you to do with your sensitive data and systems), it likely means he’s using those same credentials at every other client’s business too.

Setting up universal credentials simplifies their job when performing maintenance, but also leaves your business in danger. They might try to convince you it’s because their credentials are more secure than if you set them up for yourself. That’s a bunch of bologna.

If the installer was really concerned about your security, he should allow you to choose your own password, but should encourage you to follow industry best practices for implementing your password (e.g., your password must be 10 characters long, have at least 4 special characters, and have 2 numbers).

2) How often do you require credentials to be changed?

POS vendors will often make the argument that the more times a password is changed, the harder it is for them to maintain your systems. If he can’t maintain a simple list of his customers’ current credentials to keep passwords straight, he’s probably not managing his environments very well. A POS vendor concerned with security should have a set time frame for passwords to be changed (e.g., every 90 days).


3) How often do you conduct routine maintenance?

A POS vendor’s job isn’t just to install the software/hardware in a one-and-done event. He should constantly be maintaining those systems by installing updates on both operating systems and POS software. Another great question to ask is, “How long does it take you to install software patches?” Anything under 2 days is great. If he takes longer than 2 days to install a patch, move on to the next company.

4) Do you use unique remote access credentials for each POS system?

If your POS vendor uses the same credentials to access your store as another, their breach might soon become your breach. Just like in the example I shared at the beginning, if an attacker discovers a vendor’s remote access password, he now has ready-made credentials to get into any other system using the same credentials. It could be yours. Make sure your vendor uses unique credentials to access your environment.

You should also ask how long your vendor needs remote access to your systems. It is not uncommon for a vendor to gain access remotely and then never disconnect. This is a very poor security practice and should be prohibited. You should keep your vendor’s access to a minimum and monitor it regularly.

5) Do you maintain our anti-virus?

Depending on your relationship with your POS vendor, they may or may not maintain your scanning. If your POS vendor does maintain your anti-virus, does he regularly check the security logs, or only after a breach? An anti-virus program keeps an eye on your system. It’s pretty independent, but when it finds a problem it needs someone to give it direction. Do you want to delete it, ignore it, or quarantine it? Until someone tells it to do something with that problem, it just sits back and waits. That’s why regular scanning maintenance is so important. If your vendor is not handling your anti-virus, it’s time to make sure you have it, it’s up to date, and it’s scanning regularly.


6) Will you set me up with a hardware firewall?

Some POS vendors set their clients up with a hardware firewall as part of the POS installation, but not all. So many small merchants have no security surrounding their POS system. A hardware firewall will help set rules for your system so it won’t get bogus incoming traffic from foreign or suspicious IP addresses. If your POS vendor isn’t planning on setting you up with a hardware firewall, contract with another IT vendor to get one installed immediately.

7) Do you set the POS system up as an application on my back office computer?

Lots of POS vendors just dump your POS system on your back office computer, along with everything else on that computer. That’s a serious problem! You use that computer to order uniforms, track payroll, and email your staff via the Internet. And as we know, the Internet is full of malicious links, software, and downloads ready to compromise your business.

A good POS vendor recognizes the importance of segmenting your POS environment. The best solution is to set up two computers in your back office. On one, you conduct all your business (ordering uniforms, etc.). The other is only for your POS, segmented from the other back office server by a firewall.


Brand Barney (CISSP, HCISPP) is an Associate Security Analyst at SecurityMetrics and has over 10 years of compliance, data security, and database management experience. Follow him on Twitter and check out his other blog posts.


A 21-Day Plan for HIPAA Compliance

Spend 10 minutes a day to increase your security.

Tod Ferran, CISSP
By: Tod Ferran
This article was also featured in PAHCOM Journal: Finding Time for HIPAA: A 21 Day Plan

After being tasked with making sure your office adheres to all 157 HIPAA requirements, I bet you’re completely overwhelmed, if you’ve even started the compliance process at all. Don’t worry, you’re not alone. For many hardworking office managers and busy admins, HIPAA is rock bottom on the to-do list.

SEE ALSO: You May Not Be Done With Your HIPAA Requirements

It’s not just about finding time, it’s about maximizing the little time you do have.

Some have 8 hours a day to spend on HIPAA, and some have 10 minutes. It doesn’t matter who you are, the Department of Health and Human Services expects you to safeguard protected health information (PHI). However, if you’re making a dedicated effort, they will be more lenient after a violation.

Here’s a sample 21-day plan for those limited by time to help you get started.
Take 10 minutes per day to increase your security and inch toward HIPAA compliance. Eat that colossal HIPAA elephant in little teeny chunks.

This security plan isn’t comprehensive, but it’s an illustration of how simple or complex you can make HIPAA to work with your schedule.

Day 1

Get ready to work for 10 minutes! Your first job is to ID all systems/devices/workstations with access to PHI and the Internet. Document them in an Excel spreadsheet. Completing a full inventory would likely take much longer than 10 minutes, so just cover the basics. Does the physician access patient data on his smartphone? Put it on your list! What about EHR systems and network attached medical devices? Record those as well.

Here’s a list of systems you should be thinking about: servers, workstations, laptops, computers, operating systems, applications, software, mobile phones, EHR systems, etc. I recommend asking around the office so you don’t miss any devices or systems. FYI – you’ll be using this list later on, so make sure you’ve established a comprehensive list and keep it updated!

Day 2

Now that you have a list of all systems/devices/workstations, it’s time to document who uses them. HIPAA’s user access rule requires each workstation and device to be used only by those designated. For example, a physician’s laptop should only be used by a physician and the computer at reception should only be used by the receptionist. After assigning and documenting this piece, give all office staff the 411.

Day 3

Change every password you have authorization to change (e.g., computer login, Wi-Fi, email, etc.) and make sure all passwords have 8+ characters, letters, numbers, capitalization, and special characters.

SEE ALSO: Your Usernames and Passwords Are Embarrassing.

Day 4

Conduct a mini morning meeting about passwords. Tell all office staff (including physicians!) to change their passwords using the guidelines from Day 3. Remind them not to log into workstations they’re not supposed to be on (see Day 2).

Day 5

Permanently trash that darned visitor sign-in sheet on the reception desk! It’s a security issue even though HHS has indicated they won’t fine you for it. I have yet to see a valid business reason for having one. If you must check patients in, use your EMR system or start an Excel file and type them in yourself. Let everyone in the office know about this change.

Day 6

Conduct a physical office inspection by pretending you are a patient. Can you see any monitor screens from the waiting area? Can you see password reminder sticky notes in examination rooms? Make note of everywhere you can see patient/sensitive information.

Day 7

Fix the problems you found on Day 6. Take down the sticky notes and reprimand their authors. Buy privacy screen filters to place on all office monitor screens. (If you’ve never seen these, they create a narrow viewing angle so the screen is only visible to the person directly in front of it. Cool!)

Day 8

Let’s go shopping today! Count all office trashcans. On your lunch break, buy the same number of crosscut shredders as you have office trashcans. Place a shredder next to every trashcan. Tape a “No PHI allowed!” sign on all trashcans.

Day 9

Research everything you can about phishing in 10 minutes, including how to recognize a phishing email. (This blog post will help!) Phishing emails are a way hackers con healthcare professionals into providing account data. Once obtained, hackers create new user credentials or install malware into your system to steal sensitive data.

Day 10

In a mini morning meeting, teach staff everything you learned about phishing on Day 9. Show them examples of phishing emails you found online to teach them what to look for. (P.S. Today marks your halfway point. Keep it up!)

Day 11

Remember that list you created on Day 1? Review it, and install anti-virus software on each of those devices/workstations/systems. Anti-virus software scans for viruses, spyware, and malware. I recommend Malwarebytes, Symantec, or McAfee for Windows computers and ESET Cyber Security for Mac. Make sure you purchase the supported versions, set the updates to daily or hourly, and set up a full system scan to run once a week.

Day 12

Finish installing anti-virus software on all office systems (Day 11). For laptop systems or workstations that are turned off when not in use, train staff how and when to run the full system scan. (Leave them on overnight when the scan is scheduled to run. The electricity used is a LOT less expensive than leaving malware on your system!) If you already finished, use today to jump one day ahead of schedule!

Day 13

What would happen if a physician left his workstation computer unattended without a screensaver? People could very easily gain access to patient data. Configure all computers in your office to automatically enable a screensaver that requires a password after a period of inactivity.

Day 14

Mini morning meeting time! Teach all your staff how to enable an automated screensaver on their workstations and ask them to do it by the end of the day.

Day 15

Most software updates contain crucial security enhancements, which is why they are so important to HIPAA security. Check the settings on all your devices (see Day 1 list) to ensure they are updated. If they aren’t, update them. Based on how many devices you have, this may take a while. You may want to update overnight.

Day 16

More updates! It’s time to install updates on everything else, like Internet browsers, firewalls, and point-of-sale (POS) terminals. (You may need to contact your POS vendor to update your POS terminals.)

Day 17

Research all you can about social engineering, the method of manipulating people socially to gain usable data like account numbers or passwords. Social engineers might steal badges, pose as janitorial staff, or try unlocked back doors to gain access to your systems.

Day 18

Teach everyone in the office what you learned about social engineering in a mini morning meeting.

Day 19

Now that you’ve begun to protect PHI at your office, it’s time to plan your HIPAA goals. When do you hope to have your Risk Analysis done? When will your Risk Management Plan be completed? When will you hold employee trainings? When will you review policies and procedures documents? What is your estimated HIPAA completion date?

Day 20

Planning should take longer than 10 minutes. Finish planning out your goals from Day 19.

Day 21

You’ve done it! You made it through an entire month of working on HIPAA every single day, but you still have a long way to go before that elephant is eaten. As your last to-do, schedule a call with a HIPAA compliance company. They can provide customized plans to help you reach your HIPAA compliance goals.


Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits. Check out his other blog posts.


Should I Outsource My Ecommerce Payments?

Is outsourcing a viable option for reducing PCI scope?

Gary Glover, CISSP, QSA
By: Gary Glover
Creating an easily navigated, customer friendly ecommerce solution is challenging. Building an ecommerce website that conforms to Payment Card Industry Data Security Standard (PCI DSS) requirements is even more difficult. That’s why many ecommerce merchants choose to outsource some or all of their website content.
The million dollar question is: should your business outsource the payment portions of your ecommerce website and leave site security to those with expertise?
Depending on how you outsource, you may be able to decrease your PCI scope and business risk. PCI scope is how PCI DSS applies to your business. Specifically, any system, application, or process that has access to credit card information is in-scope.

With the introduction of PCI DSS version 3.0, a new SAQ was announced (A-EP) that changed which PCI requirements need to be validated for some types of ecommerce merchants. So how do you figure out which method of ecommerce outsourcing reduces the most scope?

Of course, outsourcing payment pages does not eliminate PCI DSS responsibility. After all, third parties are not weakness-free. That’s why I can’t overemphasize the importance of choosing a PCI DSS compliant service provider who takes security seriously. Consider choosing a Visa-approved PCI compliant ecommerce website host with validated dedication to payments security. If a provider is attempting to pitch you on a cheaper, simpler ecommerce solution that downplays security or claims to be secure, don’t fall prey.

What are your outsourcing options?

  • Outsource entire website: If you outsource the entire ecommerce website to a third party, no ecommerce payment data should flow through your company systems. If you choose to outsource your entire website (this means no web servers at your company!), your SAQ is A. Do note there is a price tag involved with an entire site’s creation, and you will have less flexibility in regards to design changes.
  • Outsource payment page only: Outsourcing just the pages that involve the collection and/or viewing of credit card information is very popular among small to medium merchants. There are about five different ways an ecommerce payment page could be outsourced. The method used will determine your PCI Self-Assessment Questionnaire (SAQ). The key is to understand where the payment data fields actually reside, and to whom that information is transferred throughout the payment process.

The following is a technical breakdown of the five most common ways outsourced payment pages are created.

Redirection Link

In this very common process, customers click a link or button on the merchant website that fully redirects them to a separate, third party site, where the card transaction is processed. Traditionally, small merchants use redirection links to minimize scope and reduce liability.


The risk of compromise is reduced to an attacker accessing your web site and changing the link destination to one of his choosing. Since this is a fairly overt attack that requires a more complex backend built by the attacker, the impact related to a redirection breach is very low. This is part of the reason the PCI Security Standards Council (SSC) classifies redirection processing as SAQ A.

IFRAME

An IFRAME (inline frame) element on a merchant web page can be used to view a third party hosted payment page through a seamless window in the source page. 

This solution is very similar to a redirection link since there is no HTML code hosted on the merchant website that is taking any payment data. The biggest advantage of IFRAMEs is they allow the merchant site to maintain branding while outsourcing all card data collection and processing to a third party.


Like redirection, payment pages viewed through IFRAMEs are infrequently involved in card compromises. As such, the PCI SSC classifies merchants utilizing IFRAME as SAQ A.


Direct Client Post

With direct client post (i.e., client-side redirect), the payment form fields originate from the merchant website but are processed by the user’s browser. This allows the merchant more control over the look and feel of the payment process, and results in no credit card data coming back to the merchant website.

Credit card data is posted directly from the user’s browser to the third party payment service provider (PSP). However, the merchant is still in charge of protecting the location of the payment form code.


Because there is a higher risk of an attacker modifying one of these direct client post pages, PCI DSS 3.0 classifies this processing method as a higher risk and requires merchants to validate using SAQ A-EP.


JavaScript

The JavaScript method is a bit unique in that the customer computer executes code, which comes from the PSP, to create the payment form or operate on payment data in some other way (such as encryption).


Similar to direct post, JavaScript is a moderate-risk ecommerce processing method, and merchants processing in this manner are required to validate to SAQ A-EP.


Traditional Ecommerce

There’s always the option to find or write your own shopping cart, but taking the full burden of PCI DSS on your shoulders is quite demanding. With traditional ecommerce architecture, the merchant controls nearly the entire payment process, which may even include storing credit card data.

It may seem attractive up front because of lower costs and increased control over the payment process, but after considering the effort to develop and maintain full PCI compliance for all ecommerce systems, it’s likely not worth it.

Hackers are always looking for the biggest bang for their buck. In ecommerce processing, traditional ecommerce can be the Holy Grail. Because this approach can lead to a larger breach footprint, it is considered a moderate-risk processing method and requires a full SAQ D validation.
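To make the patterns above concrete, here is an added example (not code from the post or from SecurityMetrics) that inspects a checkout page's HTML, names which integration pattern it uses, maps it to the SAQ the post assigns, and flags any payment destination that is not the PSP you contracted with, which is the "changed link destination" risk the post describes. The PSP host name pay.example-psp.com and all sample page fragments are constructed for illustration.

```javascript
// Added example, not code from the SecurityMetrics post: classify how a
// merchant checkout page hands card data to its payment service provider
// (PSP), map that pattern to the SAQ the post assigns it, and flag any
// payment destination that is not the PSP you contracted with.
// The PSP host name and all sample pages below are constructed.

const TRUSTED_PSP_HOSTS = ["pay.example-psp.com"]; // assumed allowlist

// Collect attribute values such as href/src/action from every <tagName ...>.
// A regex is enough for these constructed pages; a real checker would parse
// the fetched DOM instead.
function attrValues(html, tagName, attr) {
  const tagRe = new RegExp(`<${tagName}\\b[^>]*>`, "gi");
  const attrRe = new RegExp(`\\b${attr}\\s*=\\s*["']([^"']*)["']`, "i");
  const values = [];
  for (const tag of html.match(tagRe) || []) {
    const m = tag.match(attrRe);
    if (m) values.push(m[1]);
  }
  return values;
}

// Host of an absolute URL, or null for a relative (same-site) or malformed one.
function hostOf(url) {
  try { return new URL(url).host; } catch { return null; }
}

function isTrustedPsp(url) {
  const host = hostOf(url);
  return host !== null && TRUSTED_PSP_HOSTS.includes(host);
}

// Card-number inputs in the merchant's own HTML are what make a page a
// direct client post (or traditional ecommerce) instead of a hosted page.
function hasCardFields(html) {
  return /<input\b[^>]*\b(?:name|autocomplete)\s*=\s*["'](?:cc-number|card_number|cardnumber|pan)["']/i
    .test(html);
}

function classifyCheckout(html) {
  const forms = attrValues(html, "form", "action");
  const frames = attrValues(html, "iframe", "src");
  const scripts = attrValues(html, "script", "src");
  const links = attrValues(html, "a", "href");
  const external = (urls) => urls.filter((u) => hostOf(u) !== null);

  let method, saq, destinations;
  if (hasCardFields(html) && external(forms).length) {
    method = "direct client post"; saq = "A-EP"; destinations = forms;
  } else if (hasCardFields(html)) {
    method = "traditional ecommerce"; saq = "D"; destinations = forms;
  } else if (frames.length) {
    method = "iframe"; saq = "A"; destinations = frames;
  } else if (external(scripts).length) {
    // Any third-party script on a checkout page is treated as payment code here.
    method = "javascript"; saq = "A-EP"; destinations = scripts;
  } else if (external(links).length) {
    method = "redirection link"; saq = "A"; destinations = external(links);
  } else {
    return { method: "unknown", saq: null, destinations: [], untrusted: [], ok: false };
  }
  // Every external payment destination must be the PSP you contracted with.
  const untrusted = external(destinations).filter((u) => !isTrustedPsp(u));
  return { method, saq, destinations, untrusted, ok: untrusted.length === 0 };
}

// Constructed checkout fragments, one per pattern in the post, plus one where
// the redirect link was changed to point somewhere other than the PSP.
const SAMPLE_PAGES = {
  redirect: '<a href="https://pay.example-psp.com/hosted?m=42">Pay now</a>',
  iframe: '<iframe src="https://pay.example-psp.com/frame?m=42"></iframe>',
  directPost: '<form method="post" action="https://pay.example-psp.com/direct">' +
    '<input name="card_number"><input name="expiry"><button>Pay</button></form>',
  javascript: '<div id="card"></div><script src="https://pay.example-psp.com/psp.js"></script>',
  traditional: '<form method="post" action="/checkout/charge"><input name="card_number"></form>',
  tamperedRedirect: '<a href="https://changed-destination.example/pay">Pay now</a>',
};

for (const [name, html] of Object.entries(SAMPLE_PAGES)) {
  const r = classifyCheckout(html);
  const status = r.ok ? "OK" : "UNTRUSTED: " + r.untrusted.join(", ");
  console.log(`${name.padEnd(17)} ${r.method.padEnd(21)} SAQ ${r.saq}  ${status}`);
}
```

Run it against a copy of your own checkout page on a schedule; a destination that stops matching the allowlist is exactly the change the post warns a redirect or direct post page is exposed to.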

SEE ALSO: 7 Hearty Tips to Avoid Costly Data Breaches

Next steps

Hopefully now, the reasoning behind certain SAQ ecommerce qualifications is a little clearer. Hopefully you’ve also realized that the outsourcing method you use dictates both your risk and the security you must implement in order to stay secure. PCI DSS 3.0 makes it very clear that merchants hold the responsibility to protect ecommerce transactions that originate from their website.

Whichever way is best for your business, third party outsourcing means you have a few tasks to achieve PCI DSS compliance.
  • Do research to make sure your third party is following PCI DSS, and have a contract to back that up
  • Complete your required SAQ based on your ecommerce methodology and submit a report to your merchant processor

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 9 years of PCI audit experience. Check out his other blog posts.


Why You Need Both a Hardware and Software Firewall

HIPAA compliant firewalls in 60 seconds.

Tod Ferran, CISSP
By: Tod Ferran
How do you block access to your systems (and sensitive data) from hackers in the outside world? The easiest way is through a firewall. Firewalls block bad guys from intruding into your private systems, while still allowing you to access the Internet and communicate with the outside world.

Learn more about firewall basics here: How Does a Firewall Protect a Business?

So how does this apply to healthcare? Every organization that deals with sensitive information (such as credit cards, patient health data, or government records) should have both a hardware and software firewall to protect them from attackers.



So how exactly does a firewall help me?

A software firewall regulates data traffic through two things: port numbers, and applications. Depending on your firewall settings, your firewall could stop programs from accessing the Internet, and/or block incoming or outgoing access via ports. 

SEE ALSO: Understanding the HIPAA Application of Firewalls

For example, Port 80 is your Internet connection. Leaving outgoing Port 80 open is ok, because that is what allows you to browse the Internet. Leaving incoming Port 80 open is a different story. If it’s left open, anybody could access your network through Port 80.

One downside to a software-only firewall is that you have to train and maintain the software to recognize threats. As you add or update programs, your firewall will block them until you tell it not to. Additionally, it only protects the device it is installed on. That’s what it does by design.

For a firewall to be effective, you must have enough knowledge to know which programs and applications to allow, and which ones not to allow. 

SEE ALSO: How to Configure a Firewall in 5 Steps

But, software firewalls are only half your defense. All networks (whether small or large) need a physical hardware firewall. 

A physical hardware firewall is placed between your office network and the Internet and guest wireless (if you have one). We often call this a ‘perimeter firewall’ because it is protecting our network and systems at the perimeter of the outside world. It not only adds a layer of protection to our workstations, it also protects network devices such as printers, medical equipment, and telephone systems which often don’t have a software firewall available on them. 

Why both a hardware and software firewall? 

The difference between a hardware firewall and a software firewall is this: a hardware firewall protects you from the outside world, and a software firewall protects a specific device from other internal systems.
Basically, the software firewall helps protect you from yourself.
For example, if someone tries to access your systems from the outside, your physical firewall will block them. But if you accidentally click on a virus-laden email that’s already managed to get into your system, your software firewall on the other computers in your office network may stop it from infecting them.

Don’t be a hero

Even if you have both a hardware and software firewall, they may be useless unless you have the right people monitoring and managing them. 


We’ve all heard about the Target breach of over 40 million credit cards. Did you know Target IT staff received firewall alerts 5 days and then again 3 days BEFORE any data was stolen? These alerts were ignored, which allowed the bad guys to continue the attack. 

It does no good if you don’t have the technical expertise to work with firewall rules, understand them, and react to the alerts generated. Contract with an IT professional to help you set up and maintain this crucial portion of your healthcare security.

Have a HIPAA security question? Leave a comment and you may see your question answered on the next HIPAA Snippets video.

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits. Check out his other blog posts.


5 Commonly Overlooked Security Errors

How most service providers fail PCI DSS audits.

This article was also featured in the TSYS Ngenuity Journal

By: Mark Miner
PCI security assessors visit service providers to poke through every nook and cranny of company policy, documentation, and network security for PCI compliance. Ninety-nine percent of the time, we find problems, even in well-established organizations employing experienced IT staff.

Most organizations get the obvious requirements, like encrypting card data. However, some important aspects of PCI are often missed. I’ve used my experiences over the last six years to compile a list of top security mistakes service providers make. Hopefully, it will aid you in your quest for data security and PCI compliance.

1) Not understanding your scope…and what data you’re storing

A group of blind men come upon an elephant in the middle of the road. Each touches one part of the elephant to figure out what it is. One touches the elephant’s trunk and thinks it’s a snake. One touches the elephant’s leg and thinks it’s a tree. One touches the elephant’s ear and thinks it’s a fan.

Departments sometimes act like the blind men when it comes to defining their PCI scope. Chief technology officers decide which Self-Assessment Questionnaire (SAQ) applies without consulting other departments. IT departments make network decisions without understanding segmentation. Upper management makes plans for a new POS terminal without advising IT of their new responsibilities. In many instances, no one looks at the whole picture.

SEE ALSO: PCI 3.0: What You Need To Know

Just the other month, I spoke with an IT administrator who assured me the encrypted table in their department was the only place the company stored card data. Period. A few days later while talking to a help desk manager, I found an application that allowed customer service agents to type unencrypted credit card data in a comments field. See why interdepartmental communication is crucial to understand your PCI scope?

To finish the story, it’s only after the blind men collaborate that they figure out what they’re touching is an elephant. In order to correctly scope your environment, all departments in the organization must collaborate.
If all departments aren’t involved in understanding and defining your card data environment, you’re left with a partial picture and an insecure environment.

2) Thinking that policy is just paperwork

When people think encryption, they think security. When people think policies and procedures, they think boring paperwork. 

A few years ago, I helped a large company through their painful first year assessment. The next year, they transferred the card environment responsibility from one technical group to another. The problem was, they hadn’t communicated policies to the new group, who thought the environment was more complicated than necessary. So, they removed all network segments controlling card data security. Because someone forgot to clearly communicate policy to this new IT group, they had to go back and re-architect everything, making their second security assessment as painful as their first.

Having clearly written policies and communicating those continuously to employees is a critical part of having a secure environment. If corporate management pushes the culture of security through company policies, it gives the “why” that guides employee decisions. If there is no “why”, people may fail to correctly implement controls, or may implement them sporadically and leave gaps in security.

3) Failing to sufficiently secure inbound and outbound access to the card environment 

Breaches resulting in loss of cardholder data are rarely caused by one looming problem. Multiple issues like overly broad permissions, insecure remote access, and lack of file integrity monitoring all have a part in leading to card compromise. This is how it is with most breaches. 

A business’s last line of defense is its access controls (also known as firewall rules). Most threats can be blocked by simply and selectively restricting access to places in the card environment.

Unfortunately, secure access controls are rarely set up correctly. In fact, I see insecure inbound and outbound firewall rules in 90% of first time assessments. It’s common for people to make their outbound access rules overly permissive, or protect the wrong systems from malicious inbound traffic. When considering access controls, don’t forget the outbound rules. If correctly configured, these rules can help prevent attackers from getting card data out of the environment.

4) Not keeping systems up-to-date 

Hackers and their sneaky tools find ways into organizations through vulnerabilities. The best way to avoid these vulnerabilities is by installing software updates that contain essential security enhancements. 

I conducted an assessment of a merchant whose main POS system server hadn’t been patched for 12 years -- 12 years! Needless to say, the system had a vast number of vulnerabilities. He hadn’t applied patches because he was convinced patching the system would break things in the process. Eventually, he had to replace the entire system because getting to current patch levels would be too difficult.

5) Assuming log monitoring is only for forensic investigators

Companies are great at monitoring logs for performance, but when it comes to log monitoring for security they really need to step up their game.


Most people incorrectly view logs as important only after an event has occurred. What they may not realize is if they carefully monitor logs they can stop a breach before it even happens, or at the very least limit data loss. 

SEE ALSO: Why Encryption is (Sometimes) Not Enough

A colleague of mine examined a business’s logs as part of their first time assessment. While reviewing intrusion detection system logs, he realized the company was in the process of being breached! It was truly lucky that my colleague sampled those logs. Because of the company’s lack of log monitoring, they probably wouldn’t have caught it until customers began complaining of stolen cards. In this situation, they had the notification tools in place, but weren’t bothering to watch them. 

You can do it!

Without proper preparation, most organizations would fail their first PCI assessment. PCI compliance is difficult. There are many security aspects that service providers might never have considered. If service providers fix the five top problems I’ve listed, they’ll be way ahead of most, and much more resistant to compromise.

Mark Miner has been a Principal Security Analyst at SecurityMetrics for over 6 years. He is responsible for overseeing the activities of the company’s assessment teams and has completed over 80 PCI DSS and PA-DSS security assessments.