As an Official Champion of National Cyber Security Awareness Month (NCSAM), the Council will be sharing educational resources on payment security best practices on the PCI Perspectives blog, and through our Twitter (@PCISSC) and LinkedIn pages. The Council will align these resources with the four weekly themes outlined by the National Cyber Security Alliance:
- Week 1: Be Cyber Smart: Best practices to protect data.
- Week 2: Fight the Phish: Resources to help identify phishing attacks.
- Week 3: Cybersecurity Career Awareness Week: Information to support the next generation of cybersecurity professionals.
- Week 4: Cybersecurity First: Guidance to make cybersecurity an organizational priority.
Week 1: Be Cyber Smart: Best practices to protect data.
To kick off this weekly series, the Council will focus on best practices to secure payment data. PCI SSC recently developed a set of payment protection resources for small businesses. The “Back-to-Basics” series highlights eight payment security basics for protecting against payment data theft.
In addition to the series, this resource guide provides a round-up of all eight tips: 8 Tips to Help Small Merchants Protect Payment Card Data During COVID-19
8 Tips to Help Small Merchants Protect Payment Card Data
TIP #1: Reduce where payment card data can be found. The best way to protect against data breaches is not to store card data at all. Many small merchants are now offering curbside pickup and accepting telephone payments in lieu of former face-to-face transactions. Avoid writing payment card details down; instead, enter them directly into your secure terminal.
Read more: Back-to-Basics: Reduce where payment card data can be found
TIP #2: Use strong passwords. The use of weak and vendor-default passwords is one of the leading causes of payment data breaches for businesses and a frequent source of small merchant breaches. To be effective, passwords must be strong, changed from any vendor default, and updated regularly.
Read more: Back-to-Basics: Use strong passwords
TIP #3: Keep software patched and up to date. Criminals look for outdated software to exploit flaws in unpatched systems. Timely installation of security patches is crucial to minimize the risk of being breached. One way to keep up with all the necessary changes is by ensuring vulnerability scans are performed regularly to identify security issues. PCI Approved Scanning Vendors (ASVs) can help you identify vulnerabilities and misconfigurations in your Internet-facing payment systems, e-commerce website, and other systems, providing a report of your vulnerabilities and how to address them—for example, what patches to apply. Be sure to act upon the results of ASV vulnerability scans and keep your software up to date.
Read more: Back-to-Basics: Keep software patched and up to date
TIP #4: Use strong encryption. Encryption makes payment card data unreadable to people without a specific key, and can be used to protect stored data and data transmitted over a network. Ask your vendor whether your payment terminal encryption is done via a Point-to-Point Encryption solution and is on the PCI SSC’s List of PCI P2PE Validated Solutions. If you are setting up a new website, confirm the shopping cart provider is using proper encryption, such as TLS v1.2, to protect your customers’ data.
Read more: Back-to-Basics: Use strong encryption
TIP #5: Use secure remote access. To minimize the risk of being breached, it’s important that you take part in managing how and when your vendors can access your systems. Criminals can gain access to your systems that store, process, or transmit payment data through weak remote access controls. You should limit use of remote access and disable it when not needed. If you must allow remote access, ask your vendors to use multi-factor authentication and strong remote access credentials that are unique to your business and not the same as those used for other customers.
Read more: Back-to-Basics: Use secure remote access
TIP #6: Properly configure firewalls. A firewall is a device or software that sits between your network and the Internet. It acts as a barrier that keeps unwanted and unauthorized traffic out of your network and systems. Firewall rules can seem complex, but configuring them properly is vital to security. If you require additional assistance to properly configure your firewall, seek help from a network professional.
Read more: Back-to-Basics: Properly configure firewalls
TIP #7: Think before you click. Hackers use phishing and other social engineering methods to target organizations with legitimate-looking emails and social media messages that trick users into providing confidential data, such as payment card numbers, merchant account numbers, or passwords. Small merchants should be extra vigilant and on the lookout for common phishing and social engineering tactics.
Read more: Back-to-Basics: Think before you click
TIP #8: Choose trusted partners. It’s critical that you know who your service providers are and what security questions to ask them. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants (and those of you who recently started accepting e-commerce payments in lieu of face-to-face payments), it is important that your payment service providers are PCI DSS compliant, including the service provider that manages your payment process (your “payment service provider” or PSP).
Read more: Back-to-Basics: Choose trusted partners