Thursday, October 19, 2006

How a Merchant Can Protect Their Customers' Personal and Financial Information

Visa and the U.S. Chamber of Commerce issued a report on the leading causes of data breaches.

Here are the top five causes:

Storage of mag stripe data - The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card's mag stripe in violation of PCI. This can happen because a number of POS systems improperly store this data, and the merchant may not be aware of it.

Missing or outdated security patches - In this scenario, hackers are able to penetrate merchants' or service providers' systems because they have not installed up-to-date security patches, leaving their systems vulnerable to intrusion.

Use of vendor-supplied default settings and passwords - In many cases, merchants receive POS hardware or software from outside vendors, who install them using default settings and passwords that are often widely known to hackers and easy to guess.

SQL injection - Criminals use this technique to exploit coding vulnerabilities in Web-based applications and to attack a merchant's Internet applications (e.g. shopping carts).
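The shopping-cart lookup behind this cause, shown as an added example (it is not code from the report or from this post): the same product query in the vulnerable string-spliced form and in the parameterized form the fix calls for, run against a constructed in-memory SQLite catalogue. The table, column and SKU names are assumptions made for the illustration.

```python
import re
import sqlite3


def build_catalogue() -> sqlite3.Connection:
    """Constructed stand-in for a merchant's shopping-cart database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, "
        "price_cents INTEGER, listed INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            ("SKU-100", "Coffee mug", 899, 1),
            ("SKU-200", "Travel kettle", 3499, 1),
            ("SKU-300", "Unlisted sample", 0, 0),  # should never be shown
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """Request parameter spliced into the statement text.

    The database cannot tell the caller's data from the SQL around it, so a
    value containing a quote character rewrites the WHERE clause.
    """
    query = (
        "SELECT sku, name FROM products WHERE listed = 1 AND sku = '"
        + sku
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, sku: str) -> list:
    """Statement text is fixed; the driver passes the value separately.

    Whatever the value contains, it can only ever be compared against sku.
    """
    return conn.execute(
        "SELECT sku, name FROM products WHERE listed = 1 AND sku = ?",
        (sku,),
    ).fetchall()


def is_valid_sku(sku: str) -> bool:
    """Defence in depth: reject anything that is not shaped like a SKU."""
    return re.fullmatch(r"SKU-\d{1,6}", sku) is not None


def row_counts(sku: str) -> tuple:
    """Rows returned by each form for the same input: (vulnerable, parameterized)."""
    conn = build_catalogue()
    return len(lookup_vulnerable(conn, sku)), len(lookup_parameterized(conn, sku))


if __name__ == "__main__":
    # A normal SKU behaves the same either way; a value carrying a quote does not.
    print("SKU-100       ->", row_counts("SKU-100"))
    print("' OR '1'='1   ->", row_counts("' OR '1'='1"))
    print("valid shape?  ->", is_valid_sku("' OR '1'='1"))
```

The vulnerable form returns every row, including the unlisted one, for the quoted input, while the parameterized form returns nothing; the shape check on top is cheap and catches the same input before it reaches the database.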

Unnecessary and vulnerable services on servers - Vendors often ship servers with unnecessary services and applications enabled, although the user may not be aware of it. Because the services may not be required, security patches and upgrades may be ignored and the merchant system exposed to attack.

Ironically, merchants attempting to protect themselves from fraud (chargebacks) can end up compromising their customers' information by storing "unnecessary and sensitive" data.

Here is what they recommend doing to protect systems from being breached:

Ask their POS or payment software vendor (or reseller/integrator) to confirm their software version does not store mag stripe data, CVV2, PINs or encrypted PIN blocks. If it does, they should have these elements removed immediately.

Ask their payment software vendor for a list of files written by the application and a summary of the content to verify prohibited data is not stored.

Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data.

Search for and expunge all historical prohibited data elements that may reside within their payment system infrastructure.

Confirm that all cardholder data storage is necessary and appropriate for the transaction type.

Verify that their POS software version has been validated as compliant with the Visa Payment Application Best Practices. A list of PABP-compliant applications is available at www.visa.com/cisp.

According to Visa:

"Merchants are permitted to store only specific data elements from the mag stripe to support card acceptance, according to Visa. This data includes cardholder's name, primary account number, expiration date and service code. However, merchants should store this data only if needed, and they must protect it as required by the Payment Card Industry (PCI) Data Security Standard."
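A way to carry out the checklist above (verify what the payment application writes to disk, find historical prohibited elements, expunge them) and to separate the elements Visa permits from the ones it does not, given as an added example that is not code from the report, from Visa or from this post. It scans a constructed excerpt of a POS debug log for full track data, CVV2 values and PIN blocks, keeps only name, PAN, expiration date and service code from a track, and removes the rest. The log format, field labels and the test card numbers are all constructed for the illustration.

```python
import re

# Constructed POS debug log excerpt. The PANs are well-known test numbers,
# not real cards; the field labels (track2=, cvv2=, pinblock=) are assumed.
LOG_LINES = [
    "2006-10-19 09:14:02 auth req terminal=T07 amount=1899 "
    "track2=;4111111111111111=09121011234567890?",
    "2006-10-19 09:14:02 auth req terminal=T07 cvv2=123",
    "2006-10-19 09:15:40 auth ok terminal=T07 pan=411111******1111 exp=0912 auth=051234",
    "2006-10-19 09:16:05 debug swipe=%B4012888888881881^DOE/JANE^10061011234567?",
    "2006-10-19 09:16:05 debug pinblock=0123456789ABCDEF",
]

# Track 2 (ISO 7813): ;PAN=YYMM SSS discretionary?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Card verification value stored next to a label such as cvv2= or cid:
CVV2_RE = re.compile(r"\b(cv[vc]2?|cid)(\s*[=:]\s*)(\d{3,4})\b", re.I)
# An 8-byte encrypted PIN block written out as hex
PINBLOCK_RE = re.compile(r"\b(pin[_ ]?block)(\s*[=:]\s*)([0-9A-F]{16})\b", re.I)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, to drop digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_prohibited(lines) -> list:
    """(line_number, element) for every prohibited element stored in the lines."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = TRACK2_RE.search(line)
        if m and luhn_ok(m.group(1)):
            hits.append((no, "track2"))
        m = TRACK1_RE.search(line)
        if m and luhn_ok(m.group(1)):
            hits.append((no, "track1"))
        if CVV2_RE.search(line):
            hits.append((no, "cvv2"))
        if PINBLOCK_RE.search(line):
            hits.append((no, "pin_block"))
    return hits


def permitted_elements(text: str):
    """Only the elements Visa allows to be kept; discretionary data is dropped.

    The PAN still has to be protected as PCI DSS requires once it is stored.
    """
    m = TRACK1_RE.search(text)
    if m:
        return {"name": m.group(2), "pan": m.group(1),
                "expiry": m.group(3), "service_code": m.group(4)}
    m = TRACK2_RE.search(text)
    if m:
        return {"pan": m.group(1), "expiry": m.group(2), "service_code": m.group(3)}
    return None


def expunge(line: str) -> str:
    """Remove every prohibited element from a historical log line."""
    line = TRACK2_RE.sub(";[TRACK2 REMOVED]?", line)
    line = TRACK1_RE.sub("%B[TRACK1 REMOVED]?", line)
    line = CVV2_RE.sub(r"\1\2***", line)
    line = PINBLOCK_RE.sub(r"\1\2[REMOVED]", line)
    return line


if __name__ == "__main__":
    for no, kind in find_prohibited(LOG_LINES):
        print(f"line {no}: prohibited {kind} stored")
    print("kept from swipe:", permitted_elements(LOG_LINES[3]))
    print("after expunge:", find_prohibited([expunge(l) for l in LOG_LINES]))
```

Run against the files the vendor lists as written by the application, the scanner flags the three lines that hold full track data and the PIN block and the one that holds a CVV2, while the line with a truncated PAN passes; a second pass over the expunged output finds nothing, which is the check to run before signing off that historical data is gone.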

Green Sheet article, here.

More good information on this from the U.S. Chamber of Commerce, here.

If anyone is interested in the number of data breaches recorded recently by the Privacy Rights Clearinghouse (which makes this information relevant), click here.

Data breaches are bad publicity for merchants, and they damage the people who support their businesses (their customers).
