The Top 5 Security Best Practices for Small Merchants. Simple, affordable steps to protect your business from data thieves

Transcription

1 The Top 5 Security Best Practices for Small Merchants Simple, affordable steps to protect your business from data thieves A White Paper May 2012

2 Information Security and Your Business. Stories of hackers and data breaches appear in the news on a near-daily basis, yet studies show that many small merchants are unaware of the steps they should take to protect their businesses from data theft. In fact, the annual ControlScan Level 4 Merchant Study has consistently found that not only are many small merchants unaware of their vulnerability to attack, they are complacent about the impact a breach can have on their business. Even the smallest data breach can have a business-ending result for the average merchant: Costly fines In 2011, more than 95% of the merchants experiencing a data breach had not complied with the Payment Card Industry Data Security Standard (PCI DSS); when not compliant, the breached merchant is often subject to fines from its payment card brand and/or acquiring bank. Recovery-Related Costs Merchants direct costs associated with recovering from a security breach average $194 per stolen record. Given that the typical breach involves tens of thousands of records, the results can be catastrophic to the business. Small merchants could find themselves out of business should a data breach occur. Brand/Reputation Damage If the fines and costs related to the breach aren t enough to topple the business, the loss of consumer trust could be the catalyst. Currently, only public companies are required by law to report breaches; however, this requirement may expand to private businesses in the near future. Think you re not vulnerable? According to Verizon s 2012 Data Breach Investigations Report, which examined 855 incidents affecting 174 million compromised records, 96% of attacks were not highly difficult and 97% of breaches were avoidable through simple or intermediate controls. As a small business owner, your systems are actually the most vulnerable to attack because, according to Verizon, target selection is based more on opportunity than on choice. This educational white paper addresses the top five best practices small merchants can put in place to easily and cost-effectively protect their businesses against data breaches. We will examine each of the best practices in detail, discussing the benefits and opportunities associated with each activity. Our goal is to help you be proactive in your information security approach so that your business becomes a less likely target for data thieves. 2

3 Best Practice #1: Understand Your Sensitive Data, Where It Is, and Who is Responsible for its Protection. Owners of even the smallest businesses need to understand what happens to each customer s sensitive data as soon as it leaves the customer s hands and enters the business s data processing, storage and transmission systems. As the customer s information moves through your business processes, it is critical to maintain that data s security and integrity. What is Sensitive Data? Sensitive data can be financial information, such as account numbers, as well as any personally identifiable information (PII) that can be linked to an individual. While much of the focus is often placed on credit card data (due to its financial implications), it is helpful to also consider PII such as phone, social security and driver s license numbers, as well as home and addresses. In today s era of information privacy and the consumer expectations that surround it, it is increasingly important that businesses protect customer contact and credential information with the same discipline as card data. Fraudsters are adept at leveraging pieces of personal information to exploit consumers, including sending phishing s that appear to originate from a trusted source such as the recipient s bank or credit card issuer. What is the PCI DSS? The Payment Card Industry Data Security Standard (PCI DSS) was created by the major credit card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.) to establish a security standard and specific measures merchants must take to protect cardholder data and minimize the risk of a security breach. All merchants who process, store or transmit credit card information are subject to the PCI DSS; essentially, any merchant who has a Merchant ID (MID). For more information, visit Where Does Your Sensitive Data Live? It is critical to understand and identify all the places within your office environment, business processes and systems that sensitive data is captured, exchanged or stored. While online and transactional business systems are an obvious place to consider, it is not unusual for data to be pulled into spreadsheets and left, forgotten, on hard drives or USB sticks. Cardholder data and PII may also 3

4 be jotted down on paper in the course of talking to the customer over the phone. It s important to identify all these places, as well as the business processes that are involved. For example, if employees are jotting down information on paper, you will want to update your processes and systems so that this no longer occurs. Who is Responsible for Data Safekeeping? A significant first step to putting security controls in place is assigning individual responsibility and accountability for monitoring and protecting the sensitive data your business handles. Next, create a simple spreadsheet that documents the various types of sensitive data your business is handling (cardholder data, addresses, etc.), the location of any and all data, and who has responsibility for it. Be sure to review this spreadsheet on a quarterly basis at minimum, to ensure that the information it contains remains current. Best Practice #2: Avoid Storing Sensitive Data And if You Have to, Secure It. One of the easiest steps toward lowering the security risk to your business (and reducing your scope for complying with the PCI DSS) is to not store cardholder data, period. Examine the spreadsheet you created as part of Best Practice #1 to evaluate where your sensitive data resides. Ask yourself with each line item: Does this information really need to be retained and stored? The more items you can remove from your spreadsheet (because you aren t storing the data), the better. Here are some tips on ways to eliminate information from being stored in your system/network: If you are an ecommerce merchant, utilize a check-out or payment page, hosted by a PCI-compliant service provider, to process your customers payment information outside of your own business network. If you accept physical credit cards, consider moving to a point-to-point encryption solution that encrypts card data from the point that it s swiped up to the payment processor. If you use portable storage devices or laptops to store or transfer data, make sure that the data is encrypted. Recent studies show that small merchants are typically reactive in applying the above approaches, much to their own detriment. The easiest and most cost-effective way to incorporate the above steps is to outsource to a PCI-compliant service provider (see Best Practice #5). 4

5 Have to Store Data? Secure It. If there is a significant business reason for you to store sensitive data, the following steps will help you secure it: Limit database access to only those who absolutely need it, giving those parties their own, unique credentials; Do not store authentication data for either your employees or your customers; and Implement a tokenization solution to enable repeat online customers to securely store and access their payment information. Again, the best thing you can do for your business is not store cardholder data or PII at all. Securing sensitive data means limiting user access and segmenting network systems. Network Segmentation is Key to Security. Systems that store, process or transmit sensitive data cardholder data in particular should be segmented away from the rest of your business network. While network segmentation can sound daunting, more and more solutions are coming to market that simplify this task. With cloud solutions proliferating, there are more options emerging for managed firewalls in which experts oversee the deployment and ongoing management of firewalls remotely. These firewalls offer native segmentation abilities, allowing the point-of-sale (POS) network to be plugged into one port, and the rest of the network to be plugged into another. A managed solution can ensure that the POS network is locked down, that additional devices can only be added on an authorized basis and that communications can only occur with approved targets. 5

6 Merchant Location Non-POS Network Normal two-way communications with the Internet; not PCI compliant Internet POS Network Locked down and only allows one-way communications with Payment Processor; completely secure and PCI compliant Payment Processor In the diagram above, the firewall controls the traffic from the POS network, directing it to the payment processor and refusing communications from any other source. Meanwhile, non-pos devices including guests on the wireless network and back office PCs are able to access other destinations across the Internet. These same firewalls can provide the added protection of filtering out or blocking sites that you don t want employees or guests reaching, and typically contain anti-virus or anti-malware themselves. Best Practice #3: Protect Your Perimeter with Firewalls; Ensure You Don t Leave Back Doors Open. Good security incorporates defense in depth, or multiple layers of protection. One of the primary requirements of the PCI DSS is to have a properly configured firewall in place, because for businesses with an Internet connection, firewalls are a first line of cyber-defense. It s common for small merchants to either purchase a consumer-grade router from their local electronics store or plug in the firewall that their franchisor sent them. Default settings are typically left as-is, and the merchant moves on. 6

7 The issue with plugging in and forgetting your business s firewall is that a poorly configured firewall is only slightly better than no firewall at all. According to the United States Computer Emergency Readiness Team (US-CERT), the most common configuration mistake is not providing outbound data rules, which can leave the business open to external attack. Therefore, it is imperative to properly configure your firewall according to the way your business handles data. Hackers are skilled at locating and exploiting security holes and network vulnerabilities. Protecting your perimeter means checking for any unprotected holes that could allow attackers to gain entry. The most common mistake is a remote access service that has been left up and running with a weak or, even worse, a default user-id and password in place. This often happens when consultants, contractors or VARs want to conveniently access business systems remotely in order to provide support. You can mitigate this security risk by limiting remote access to your network, ensuring remote access is only enabled when it has to be, and requiring vendors to use two-factor authentication for access. (Two-factor authentication goes beyond a password, requiring that a token be presented to the system in order to gain access.) If your business utilizes Internet-facing Web applications in particular, an ecommerce site that accepts card payments requirement 6.6 of the PCI DSS requires that you either utilize a Web Application Firewall (WAF) or have your website reviewed annually (or after any changes). Most merchants don t have the resources to engage a technical expert to review their site after changes, so a WAF is the optimal alternative. WAFs work by examining the inbound traffic seeking access to your website and blocking what is found to be illegitimate. This is important, because many Internet-facing Web applications are supported by an underlying database containing all kinds of sensitive customer data. Managed Security Services can be Affordable. Proactively arming the perimeter of your network is a wise business decision that requires an up-front investment. The best way to control your spending while maximizing the investment s outcome (e.g., a correctly configured firewall) is to procure managed security services from an expert provider (an MSSP). 7

8 Fortify your interior with regular training that unifies employees security mindset. Managed security services offer an uncomplicated, cost-effective way to bring enterprise-level security to your small business. Small merchants especially those who process or store card data should consider a managed service offering to meet best practices for securing data and to comply with the PCI DSS. Managed security services allow firewalls to be implemented, configured and administered on a remote basis, making them a simple and affordable solution. Like network firewalls, WAFs are becoming increasingly available as service offerings, allowing merchants to tap into outside expertise at a manageable cost in order to protect their website and the data behind it. Best Practice #4: Fortify Your Interior with People, Procedures and Technology. According to studies like Verizon s, internal threats are far less likely than an external hack. Still, each year, many breaches are caused by careless handling of data or even malicious employees selling customer data to outsiders. It is a best practice to mitigate security risks associated with your people and the internal procedures and technologies they rely upon to conduct business. Your People: Training, Access, Vigilance. One of the weakest links in the security chain is humans your employees. An example of a recent, highly publicized breach that originated through human error is the RSA breach. The security hole occurred when an employee unwittingly opened a booby-trapped Excel file contained within a phishing . The Q attack, which targeted sensitive data related to RSA s SecureID token authentication technology, cost the company $66 million in Q alone. 8

9 Security awareness training is a critical, ongoing requirement for all employees, no matter the size of the business. The PCI Security Standards Council (SSC) has placed significant weight on employee training, making it mandatory for the PCI compliance of every merchant completing its Self Assessment Questionnaire (SAQ) versions B-D. Small merchants should conduct security awareness training on an annual basis and include specific instructions for how employees should handle sensitive information and credit card transactions. Keep in mind that, like many other security services, employee security awareness training can be procured affordably over the Internet or is often available at no additional cost as part of most conventional PCI compliance programs. As mentioned under Best Practice #2, it is imperative that you restrict access to only those employees who absolutely need to handle sensitive data. This practice relates to the concept of minimizing the scope, or surface area, that needs to be protected. Develop an internal security process that reflects your changing business needs. Vigilance is required on the part of all employees, but especially on the part of the person you ve made responsible for monitoring and protecting your business s sensitive data (see Best Practice #1). The following are suggestions to exercise this vigilance (source: Test your systems repeatedly to keep up with evolving systems, networks and changes in staff behavior. Spot-check aspects of your business monthly, examine the security impact of new applications before you deploy them, and perform a company-wide security analysis at least once per year. Subscribe to security-related Internet resources such as security advisories, and search key websites to stay current. Treat security as a process, not a product. Develop an internal security process that reflects your changing business needs. If you have multiple locations, make sure you keep a close watch on the IT operations of each. The lack of oversight over your locations can lead to unknown risks and threats. The best scenario is a solution that allows centralized control over the administration and configuration of your distributed networks. Your Procedures: Policies, Planning, Enforcement. A comprehensive security policy is also foundational to a strong interior. Your security policy should include a checklist to ensure important security points are reviewed on a regular basis. This can be a simple spreadsheet that lists the tasks and the date they should be carried out. If you are enrolled in a conventional PCI compliance program, it is possible that you may have free access to policy templates that can be tailored to fit your business model. 9

10 Ongoing security tasks may include: Ensuring that departed employees have been completely removed from all systems. Reviewing and updating current user access rights. Checking to see that all systems are properly patched (in the Windows world this is usually as simple as running Windows Update). Inspecting the actual payment-related hardware in place to ensure it hasn t been altered or replaced with an illicit device. Making sure that passwords are changed regularly and are properly complex, using capital letters, numbers, etc. There should be a password policy within your security policy document to reinforce this important area. Many compromises are a result of merchants and integrators using default, weak or shared passwords. Security is an ongoing process of checking and ensuring that all bases are covered. Like the security policy, an incident response plan is a proactive way to shield your organization against worst-case scenarios. It s a fact that even after breaches are discovered, they often persist for days or even weeks as the organization tries to determine where to go for help and how to isolate the affected systems. Your incident response plan should include the contact information of key authorities, financial entities and service providers in the event of a breach. If you have business insurance, keep that information handy as well. Finally, it is important to regularly review and understand your system logs (or have an MSSP doing this), so that you can easily spot inconsistencies that signify possible system threats. 10

11 Your Technology: Software, Applications, Segmentation. Merchants should be using payment technologies that have been tested and approved for PCI Payment Application Data Security Standard (PA-DSS) compliance. The PCI SSC requires regular, ongoing reviews of payment applications and maintains a list of validated payment applications on its website. If you are an ecommerce merchant using your own proprietary payment application(s), consider outsourcing that functionality to a PCI-compliant service provider. Home grown payment applications are more susceptible to security holes, making them costly to maintain and requiring extensive subject matter expertise in PCI compliance and security. In addition to segmenting the card data environment away from the rest of the network, it s important to keep anti-virus protection resident and current on every machine. Follow your technology vendor s recommendations for installing and using every patch and service kit released for your systems and applications. Best Practice #5: Know Your Service Provider(s) and Their State of PCI DSS Compliance. Today, many small merchants are outsourcing all or part of their card processing steps to service providers, such as shared hosting providers, payment gateways, managed security firms, etc. (see box below). It is typical for merchants to outsource all or part of their IT infrastructure to service providers as well. When considering options for outsourcing pieces of your business and infrastructure, it s important to evaluate service providers from a PCI DSS compliance standpoint. Definition of a Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded. (Source: PCI SSC Glossary) 11

12 Don t assume that the service provider you re handing sensitive data to is PCI DSS compliant, because their inability to properly protect your customer data could implicate your business should a breach occur. Protect yourself by asking for proof of compliance, as well as requesting any other audit reports such as the SAS 70, or its successor, the SSAE 16. These reports are often held by larger companies that store and/or process financial or other critical information on behalf of others. Both Visa and MasterCard maintain lists of PCI DSS-compliant service providers. The following are tips for evaluating and maintaining solid working relationships with your outsourced service providers. Staying on top of these tasks will also ensure your ongoing compliance with the PCI DSS: Create a due diligence list for choosing new service providers. Your list could include items like the provider s disaster recovery/business continuation plans as well as experience with organizations like yours (i.e., do they understand your unique needs?). Keep a list of your current service providers and include their PCI DSS compliance status. (Check up on their status at least annually.) Have a written agreement with your service providers; make sure service providers acknowledge their responsibility for the security of the cardholder data they touch. For most small merchants, technology and data security are foreign and frustrating concepts. If you re in a place where you would rather run your business than worry about hackers and security threats, PCI DSS-compliant service providers are the way to go. Security is Top-of-Mind for Your Customers. Although the Internet has seemingly been around forever, the global marketplace is still working to negotiate the security issues that come with online payment transactions and consumers are aware of this. A 2012 study by Edelman s Data Security & Privacy Group, Privacy & Security: The New Drivers of Brand, Reputation and Action Global Insights 2012, makes it painfully clear that consumers still find it difficult to trust businesses with online payment features. Of the more than 4,000 consumers polled, 84% said information privacy and security was very important to them when purchasing products online; however, only 33% said they trust online retailers to properly protect their personal information. 12

13 Security is Everybody s Business. When implemented, the five best practices examined in this white paper will help small merchants easily and cost-effectively protect their businesses against data breaches. There are myriad benefits and opportunities associated with these practices, including significantly reducing PCI scope and garnering consumer trust. The ultimate benefit, however, is becoming a less likely target for data thieves. Just as you rely on the merchants you shop with, your customers are depending upon you to protect their sensitive information. As a small business owner, it is your responsibility to take threats to your business systems seriously so that consumer information can be protected. In addition to the moral aspects of data privacy and security, the legal regulations and financial penalties you are subject to should be considered a part of doing business. About PCI Compliance and Security Provider, ControlScan. Headquartered in Atlanta, Georgia, ControlScan is the leading provider of Payment Card Industry (PCI) Compliance and Security services designed to meet the unique needs of small to mid-sized merchants and the acquirers that serve them. The company s flexible solutions, easy-to-use online tools and personalized support significantly simplify PCI and security for its clients. In addition, as an Approved Scanning Vendor and a Qualified Security Assessor, ControlScan is positioned to help merchants meet compliance requirements and maintain secure business environments for their customers. For more information about ControlScan and its cloud-based solutions visit controlscan.com or call Copyright 2012, ControlScan, Inc. All rights reserved