Resources from the PCI Council: Payment Data Security Essentials
Series of infographics and videos to help merchants with common security issues.
The Payment Card Industry Security Standards Council (PCI SSC) recently announced the release of its “Payment Data Security Essentials” video and infographic series, which helps merchants address the most common causes of data breaches. These three issues (insecure remote access, weak passwords, and insufficient patching) represent much of the “low hanging fruit” that hackers leverage to successfully attack businesses and steal their data.
Too often, organizations miss these problems and leave their data vulnerable. And it’s not just the companies with massive, highly publicized data breaches that make these critical errors. Smaller businesses actually tend to be more at risk, usually due to a lack of resources for security; we just don’t hear about them as often.
INFOGRAPHIC: 2017 PCI DSS Data Breach Trends
The PCI Council notes that these factors represent the “bad news,” but the good news is that education in these areas can help merchants focus their resources on the tasks that provide the most “bang for their buck.” Each video is under three minutes and gives actionable tips for merchants. The infographics are printable, illustrate the risk associated with each security issue, and outline additional resources for each problem.
Insecure Remote Access
The SecurityMetrics Forensic Team found that in 2017, 45% of breached organizations were accessed by attackers through remote access. Remote access remains one of the most common hacking attack vectors because businesses often configure their remote access application insecurely.
In addition to proper configuration, organizations should limit which employees are allowed remote access and implement multi-factor authentication.
WEBINAR: Understanding the New Multi-Factor Authentication Supplement
Check out the PCI Council’s remote access informational video and infographic to learn more about how you can implement these security practices at your business.
WHITE PAPER: Configuring Your Remote Desktop
Weak Passwords
Passwords remain a weak point for cybersecurity overall. It’s not out of reach for a hacker to “brute force” a password, especially if it is simple or common. Lists of default vendor passwords are readily available online, including extremely common ones such as 1234, guest, user, pass, access, admin, password, [name of product/vendor], root, anonymous, sa, database, and secret.
To minimize the risk of a breach, you should change vendors’ default passwords, make the new passwords sufficiently complex, and never share them.
Check out the password informational video and infographic to learn how maintaining proper password practices will protect your organization.
SEE ALSO: PCI Requirement 8: Combatting Weak Passwords
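The three password recommendations above (replace vendor defaults, require sufficient complexity, never share passwords) can be checked mechanically across an account inventory. The following audit script is an added example, not code from the page or the PCI Council; the complexity thresholds, the `audit` function and the sample inventory are assumptions, and the default list is the one quoted above.

```python
# Added example (not from the page or the PCI Council): audit an account
# inventory for vendor defaults, weak complexity and shared passwords.
# The policy thresholds and the sample data below are assumptions.
import re
from collections import Counter

# Default values quoted on the page; '[name of product/vendor]' is handled
# per account by comparing against its vendor/product name.
COMMON_DEFAULTS = {"1234", "guest", "user", "pass", "access", "admin",
                   "password", "root", "anonymous", "sa", "database", "secret"}
MIN_LENGTH = 12  # assumed policy value, not a PCI DSS number

def is_default(password, vendor=""):
    """True if the password is a listed default or the product/vendor name."""
    p = password.strip().lower()
    return p in COMMON_DEFAULTS or (bool(vendor) and p == vendor.lower())

def is_complex(password):
    """Minimum length plus at least three of: lower, upper, digit, symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(bool(re.search(c, password)) for c in classes)
    return len(password) >= MIN_LENGTH and hits >= 3

def audit(accounts):
    """accounts: dicts with 'user', 'vendor', 'password'.
    Returns {user: [finding, ...]} for every account with a problem."""
    counts = Counter(a["password"] for a in accounts)
    findings = {}
    for a in accounts:
        issues = []
        if is_default(a["password"], a.get("vendor", "")):
            issues.append("vendor default")
        if not is_complex(a["password"]):
            issues.append("insufficient complexity")
        if counts[a["password"]] > 1:
            issues.append("shared with another account")
        if issues:
            findings[a["user"]] = issues
    return findings

# Constructed sample inventory (fictional systems and credentials).
SAMPLE = [
    {"user": "pos-admin", "vendor": "AcmePOS", "password": "AcmePOS"},
    {"user": "db-sa", "vendor": "AcmeDB", "password": "sa"},
    {"user": "rdp-tech", "vendor": "", "password": "Summer2017!"},
    {"user": "rdp-mgr", "vendor": "", "password": "Summer2017!"},
    {"user": "backup", "vendor": "", "password": "Xq7#vL2pQw9!mZ"},
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(f"{user}: {', '.join(issues)}")
```

Only the `backup` account passes all three checks in the sample; the two RDP accounts are flagged for sharing one password as well as for falling short of the length threshold.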
Insufficient Patching
Recent high-profile hacks, including the Equifax breach, have hinged on unpatched software. Most software has flaws or needs updating at some point, so most vendors regularly send updates to their customers. These updates include “patches” that fix vulnerabilities, and if businesses don’t stay on top of them, these vulnerabilities, which are well known in the hacker world, can make your business an easy target.
Whether you are an e-commerce business or use point-of-sale hardware, you need to keep your patch updates timely and thorough. To do that, you should know who makes your software and devices, and then make sure you subscribe to their update lists and emails. Find out if they run automatic updates, or if running them is your job.
LEARN MORE: 2018 SecurityMetrics Guide to PCI DSS Compliance
Some installers and resellers have actually been trained by the PCI Council to address critical security controls while installing merchant payment systems. They are known as Qualified Integrators and Resellers (QIRs), and you can find a list of them here.
Searching for vulnerabilities that may need patches can be done with scanning software. The Council’s patching informational video and infographic include tips for communicating with vendors, as well as resources to find PCI Approved Scanning Vendors (ASVs) to perform your vulnerability scans.
SEE ALSO: PCI Requirement 11: Vulnerability Scanning and Penetration Testing