Our 12 Days of Tips series explores how small retailers can ACT now to repel data thieves during this prime shopping season. Awareness, Checking security controls and Testing security now will help your business lock down your systems during the holiday rush.
Merchants looking for more information on how to secure customer payment data should visit the PCI SSC merchant site.
Restricting Unauthorized Access
As a small merchant, you can’t afford to “absorb” losses like a large corporation so it’s crucial to make sure you’re limiting opportunities for thieves to get into your system, by locking down who has access to your computers and data. With temporary staff coming in and out, and an increased number of transactions happening, controlling that access becomes even more important during the busy holiday shopping season.
For example, after a card is used at the point-of-sale, a protected system does not print the full card account number (the PAN) on the receipt; typically only the last four digits appear. The same applies to what is shown on the point-of-sale screen: PCI DSS requires the PAN to be masked wherever it is displayed, with the first six and last four digits the most that may ever be shown, and only to staff who have a business need to see them. You protect your customers' data and your business by controlling access.
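As an added example (not part of the original PCI SSC post), the following Python shows both halves of that point: a masking function that by default keeps only the last four digits, with the first-six/last-four form available only when the caller asserts a business need for it, and a check that scans receipt or screen text for any full PAN that slipped through unmasked. The receipt strings are constructed test data, and 4111 1111 1111 1111 is a well-known test card number, not real card data. The Luhn test is used only to reduce false positives on unrelated digit runs such as authorization codes.

```python
import re

# Constructed sample receipt text for the check below (not from the original page).
RECEIPT_MASKED = "VISA  ************4242   SALE  $12.50   AUTH 01234"
RECEIPT_LEAKED = "VISA  4111 1111 1111 1111   SALE  $12.50   AUTH 01234"


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, need_bin: bool = False) -> str:
    """Return the receipt/display form of a PAN.

    Default keeps only the last four digits. need_bin=True yields the
    first-six/last-four form, the most PCI DSS allows to be displayed, and
    should only be used for staff with a business need to see the BIN.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("input is not a 13-19 digit card number")
    head = digits[:6] if need_bin else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]


# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text, i.e. PANs that were not masked."""
    leaked = []
    for m in PAN_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            leaked.append(digits)
    return leaked


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))                 # ************1111
    print(mask_pan("4111 1111 1111 1111", need_bin=True))  # 411111******1111
    print(find_unmasked_pans(RECEIPT_MASKED))              # []
    print(find_unmasked_pans(RECEIPT_LEAKED))              # ['4111111111111111']
```

Run `find_unmasked_pans` over a sample of printed receipts and exported screen captures after any POS software update: a vendor update that resets receipt templates is a common way full PANs reappear.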
Protection is all about access control – setting up your system to grant access only on a “business need-to-know.” As the owner, you have access to everything. But most employees can do their job with access only to a subset of data and applications. Some should have no access at all.
In addition to limiting employee access, you also need to protect your business against unauthorized access by vendors and partners. Weak passwords or weak remote-access security contributed to 94% of point-of-sale breaches in 2014. Merchants are often unaware that remote access has been left running permanently, so that an outside vendor can get into the system at any time, or that the same remote-access path can be exploited by an attacker. Remote access should be enabled only when it is actually needed, and disabled again afterwards.
Here are three simple steps for preventing unauthorized access:
1. Limit access. Grant access privileges based on what is required to do a job, and no more. Insist that your POS reseller turns remote access on only when it is necessary, and that when it is on, the service and tools used are safe: up to date, configured correctly, and set up following security best practices.
2. Use strong, unshared passwords. Assign every person a unique ID so the system can track their activity. Require use of strong, unique passwords. Do not allow sharing of user IDs or passwords!
3. Restrict physical access. Use locks to control physical access to data, systems or hardcopies. Be sure customers have no access to your systems!
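The three steps above are easiest to keep honest with a periodic review of the accounts configured on the POS. As an added example that is not part of the original post, the following Python script runs such a review over a constructed account list: it flags privileges beyond what each role needs (step 1), generic IDs that are likely shared between people (step 2), and vendor remote access that is enabled permanently or past its agreed window (the remote-access point of step 1). The role model, permission names, account records and dates are assumptions made for the example; a real review would export the user list from your POS and use the permission names your reseller documents. Step 3 (physical access) is a walk around the shop, not something a script can check.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Permissions each role actually needs to do its job. This is an assumed model
# for a small shop's POS; the real permission names come from your reseller.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "cashier": {"sale", "void_own_sale"},
    "manager": {"sale", "void_own_sale", "void_any_sale", "refund", "reports"},
    "owner":   {"sale", "void_own_sale", "void_any_sale", "refund", "reports",
                "user_admin", "remote_access"},
    "vendor":  {"remote_access"},
}

# Generic IDs are usually shared, so actions cannot be traced to one person.
GENERIC_IDS = {"cashier", "register", "pos", "manager", "admin", "vendor", "support"}


@dataclass
class Account:
    user_id: str
    role: str
    permissions: Set[str]
    remote_access_enabled: bool = False
    remote_access_expires: Optional[date] = None  # None while enabled = permanent


def review_account(acct: Account, today: date) -> List[str]:
    """Return a list of findings for one account (empty list = nothing to fix)."""
    findings: List[str] = []
    excess = acct.permissions - ROLE_NEEDS.get(acct.role, set())
    if excess:
        findings.append(f"privileges beyond role '{acct.role}': {sorted(excess)}")
    if acct.user_id.lower() in GENERIC_IDS:
        findings.append("generic/shared user ID; assign one ID per person")
    if acct.remote_access_enabled:
        if acct.remote_access_expires is None:
            findings.append("remote access enabled permanently; enable only when needed")
        elif acct.remote_access_expires < today:
            findings.append(f"remote access window ended {acct.remote_access_expires} "
                            "but access is still enabled")
    return findings


def review_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map user_id -> findings, including only accounts that have findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.user_id] = findings
    return report


# Constructed sample accounts and review date (not from the original page).
SAMPLE_ACCOUNTS = [
    Account("jane_owner", "owner", set(ROLE_NEEDS["owner"])),
    Account("cashier", "cashier", {"sale", "void_own_sale", "refund"}),
    Account("temp_sam", "cashier", {"sale", "void_own_sale"}),
    Account("acme_pos_support", "vendor", {"remote_access"}, remote_access_enabled=True),
    Account("acme_tech_lee", "vendor", {"remote_access"}, True, date(2014, 12, 5)),
]
REVIEW_DATE = date(2014, 12, 10)


if __name__ == "__main__":
    for user_id, findings in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        for finding in findings:
            print(f"{user_id}: {finding}")
```

Run this against a fresh export before the holiday rush and again when temporary staff leave, so seasonal accounts are removed rather than left active with whatever privileges they accumulated.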
If you need help, consult the person who installed your network and point-of-sale system.
Resources that can help you:
- List of trusted, PCI-vetted technology partners (Qualified Integrators and Resellers) that are trained in the secure installation of point-of-sale devices.
- Infographic: Stay Smart on Protecting Against Card Fraud
- Infographic: It’s Time to Change Your Password
Merchants looking for more information on payment security essentials should start here: