As small and medium businesses begin to re-open following the pandemic, it’s important to do so securely in order to protect customers’ payment card data. Too often, data breaches happen as a result of vulnerabilities that are entirely preventable. The PCI Security Standards Council (PCI SSC) has developed a set of payment protection resources for small businesses. In this 8-part back-to-basics series, we highlight payment security basics for protecting against payment data theft. Today’s blog focuses on securing remote access.
Insecure remote access is one of the leading causes of data breaches for businesses. Point-of-sale (POS) vendors will often support or troubleshoot merchant payment systems from their own office rather than from the business location. They do this over the Internet using what are called “remote access” software products. Many of these products are always on or always available – meaning the vendor can access your systems remotely at any time.
Many of these vendors use commonly known passwords for remote access, making it all too easy for hackers to access your systems too. Attackers scan the Internet for businesses with vulnerable remote access systems and, once inside, use malware to steal valuable payment card data. To minimize the risk of being breached, it’s important that you take part in managing how and when your vendors can access your systems. Only allow remote access when necessary!
Here are some tips to keep in mind:
Limit use of remote access: Ask your vendors how to enable remote access for when they specifically request it, and how to disable it when not needed.
Require use of multi-factor authentication: If you must allow remote access, ask your vendors to use multi-factor authentication when supporting your business. Multi-factor authentication protects remote access into your business by requiring a username and password plus another factor (such as a smart card or dongle). A dongle is a small hardware device that connects to a computer to allow access to wireless, software features, etc.
Require unique credentials: If you must allow remote access, make sure your vendors use remote access credentials that are unique to your business and that are not the same ones used for other customers.