As a business owner, are you keeping an eye on everyday data security risks?
Running a small to medium size business means you probably have a never-ending to-do list, and it’s easy to let payment data security fall to the bottom of it. Businesses that keep data security practices up to date and top of mind reduce the risk of falling victim to some of the most common data breaches. At a minimum, it’s worth taking the time to set up these easy-to-adopt practices:
1. Password Management
Establish a policy for password management on all business devices and then enact these practices:
- Change passwords every 3 months.
- Do not use/keep default passwords. Ask your vendor or service providers about default passwords and how to change them. Then change them.
- Use strong passwords. A strong password has seven or more characters and a combination of upper and lower case letters, numbers, and symbols (like !@#$&*). A phrase can also be a strong password (and may be easier to remember), like “B1gMac&frieS.”
- No sharing. Insist on each employee having their own login IDs and passwords.
Source: 3 Payment Data Security Essentials SMBs Shouldn’t Ignore (PCI Security Standards Council) and Small Merchant Guide to Safe Payments (PCI Security Standards Council).
2. Card Data Management
The best way to protect against data breaches is not to store card data at all. Consider outsourcing your card processing to a PCI DSS compliant service provider. Ask your payment terminal vendor or merchant bank where your systems store data and if you can simplify how you process payments. Also, ask how to conduct specific transactions (for example, for recurring payments) without storing the card’s security code. Additionally, implementing encryption or tokenization technologies for data you need to store can make card data useless even if stolen. Check out EMS’s Safe-T.
Source: Small Merchant Guide to Safe Payments (PCI Security Standards Council)
3. Install Patches
Ensure you understand how your vendor or service provider notifies you of new security patches, and be sure you receive and read these notices. Make sure your vendors update your payment terminals, operating systems, etc. so they can support the latest security patches.
For e-Commerce businesses, installing patches as soon as possible is very important. Look for patches from your payment service provider. Ask your e-Commerce hosting provider whether they patch your system (and how often). Make sure they update the operating system, e-commerce platform and/or web application so it can support the latest patches.
Source: 3 Payment Data Security Essentials SMBs Shouldn’t Ignore (PCI Security Standards Council) and Small Merchant Guide to Safe Payments (PCI Security Standards Council).
4. Limit Employee Access to Data
Set up your system to grant access only on a “business need-to-know” basis. Most employees can do their job with access to only a subset of data, applications, and functions. Keep a log to track all “behind the counter” visitors in your establishment. Include the visitor’s name, the reason for the visit, and the name of the employee who authorized the visitor’s access. Hang onto that log for at least a year. Finally, securely dispose of devices. Ask your payment system vendor or service provider how to securely remove card data before selling or disposing of payment devices so that the data cannot be recovered.
Source: Small Merchant Guide to Safe Payments (PCI Security Standards Council)
5. Remote Access Management
While not a definitive list, here are the top three considerations for remote access management:
- Lock user accounts after six failed attempts.
- Change default passwords.
- Enable vendor remote access as “only when needed,” and ensure that two-factor authentication is enabled for remote access.
Source: 3 Payment Data Security Essentials SMBs Shouldn’t Ignore (PCI Security Standards Council) and MasterCard Remote Access Technology PCI Best Practices.
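To show what two of the controls above look like when enforced in software, here is an added example (not code from this article or from the PCI Security Standards Council): a small Python login module that applies the strong-password rule from section 1 (seven or more characters, mixing upper case, lower case, digits, and symbols) and the lockout rule from section 5 (lock the account after six failed attempts). The user name, the `AccountStore` class, and the PBKDF2 storage of password hashes are assumptions made for the illustration; the sample password is the one the article itself uses.

```python
"""Added example, not from the original article: enforce the article's
password-composition rule and its six-failed-attempts lockout rule.
Account names, the AccountStore class, and the PBKDF2 hashing are
constructed for illustration; thresholds come from the article."""
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

MIN_LENGTH = 7          # section 1: seven or more characters
MAX_FAILED = 6          # section 5: lock after six failed attempts
SYMBOLS = set("!@#$&*") | set(string.punctuation)


def password_meets_policy(pw: str) -> bool:
    """True when pw has the length and the four character classes required."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SYMBOLS for c in pw)
    )


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so no plaintext password is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)
    return salt, digest


class AccountStore:
    """In-memory account records: one login per employee (no shared IDs)."""

    def __init__(self) -> None:
        self._accounts = {}  # user -> {"salt", "digest", "failed", "locked"}

    def create(self, user: str, pw: str) -> None:
        if not password_meets_policy(pw):
            raise ValueError("password does not meet the strong-password policy")
        salt, digest = hash_password(pw)
        self._accounts[user] = {"salt": salt, "digest": digest,
                                "failed": 0, "locked": False}

    def is_locked(self, user: str) -> bool:
        return self._accounts[user]["locked"]

    def unlock(self, user: str) -> None:
        """Administrative reset after the lockout has been reviewed."""
        self._accounts[user]["failed"] = 0
        self._accounts[user]["locked"] = False

    def login(self, user: str, pw: str) -> str:
        """Return "ok", "denied" or "locked"; lock on the sixth failure."""
        acct = self._accounts.get(user)
        if acct is None:
            return "denied"          # unknown user gets the same answer as a bad password
        if acct["locked"]:
            return "locked"          # no password check while locked
        _, digest = hash_password(pw, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failed"] = 0       # a successful login clears the counter
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED:
            acct["locked"] = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.create("clerk", "B1gMac&frieS")   # the article's own sample passphrase
    for attempt in range(1, 7):
        print(attempt, store.login("clerk", "wrong-guess"))
    print("correct password while locked:", store.login("clerk", "B1gMac&frieS"))
```

The counter resets only on a successful login or an explicit `unlock`, so the lock cannot be cleared simply by waiting; whoever unlocks it should first confirm the failures were the employee's own typos rather than someone else's guesses.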